Thanks, Ryan

"Conformity assessment can *help*, sure, but it's *not* a replacement."

Sorry, I don't know where this replacement comes from...

"So no, it's a non-goal to focus on CABs and accreditation bodies, as they are not the "two major players"."

The reason why these bodies are major players is obvious: accreditation is the only process by which CABs become CABs (and maintain their status), and certification is the only process that enables CAs to participate in the Root inclusion program.

Thanks,
M.D.

Sent from my Galaxy

-------- Original message --------
From: Ryan Sleevi <[email protected]>
Date: 4/7/22 22:22 (GMT+02:00)
To: Moudrick Dadashov <[email protected]>
Cc: Ryan Sleevi <[email protected]>, Dimitris Zacharopoulos <[email protected]>, "[email protected]" <[email protected]>
Subject: Re: Policy 2.8: MRSP Issue #219: Require ETSI auditors to be ACAB-c members

On Thu, Apr 7, 2022 at 11:59 AM Moudrick Dadashov <[email protected]> wrote:

> Thanks Ryan,
>
> Actually, simplification applies only to the organisational infrastructure and allows us to concentrate on two major players: CABs and accreditation bodies.
>
> Why do we need this? If we succeed with minimal requirements for both players, it should help to harmonise the root program requirements.
>
> Although it does require significant effort, both the accreditation and certification rely on the same semi-formalised "conformity assessment scheme" concept, which methodologically is very close to CP/CPS for CAs.

Moudrick,

Thanks. I think your reply demonstrates the confusion that I was trying to address. It is not fair nor accurate to think about this in terms of Conformity Assessment Bodies and Accreditation Bodies. That is **not** a common element between the two programs, nor is it a common goal.

Indeed, I have tried to communicate in the past as to why attempting to view CAs through the lens of conformity assessment and accreditation is a *technically flawed* approach with respect to security. That's not to say that the very notion of conformity assessment is flawed, but that, in PKI, an accreditation and conformity assessment approach provides different results than those necessary for security.

If conformity assessment was the end-all, be-all, for example, you would not see requirements for vendor security assessments in work such as GDPR, because the vendor would simply need to be "accredited". That's not the case, however, because situations such as that are context-specific, and require individual approaches to understanding the overall relationship. Conformity assessment can *help*, sure, but it's *not* a replacement.

So no, it's a non-goal to focus on CABs and accreditation bodies, as they are not the "two major players".
