All,
This email starts discussion of whether ETSI auditors should be required to be members of the Accredited Conformity Assessment Bodies' Council (“ACAB’c” - https://www.acab-c.com/).
This is Issue #219 for the Mozilla Root Store Policy (MRSP), version 2.8, to be published in 2022. (See https://github.com/mozilla/pkipolicy/labels/2.8)
Mozilla continually seeks to improve the quality of CA audits. Therefore, we are considering a requirement that ETSI auditors be members of the ACAB’c, for which there is no cost to join. The ACAB’c has improved the consistency in how audit reports are provided to Mozilla, including how auditor qualifications are verified. (ACAB’c seeks “to harmonise the application of the conformity assessment requirements … with regard to the broader conformity assessment community and in partnership with the main stakeholders of the area, such as [the] CA/Browser Forum ….”) Members of the ACAB’c further undertake to meet “the minimum report content for … Browsers Manufacturers”. (Code of Conduct, found at https://www.acab-c.com/terms-conditions-and-policies/.) Not only has ACAB’c maintained a Mozilla-compliant audit attestation letter template, but it has also provided guidance about what auditors are supposed to check, and it has taken other steps to keep audits current with Mozilla and CA/Browser Forum requirements.
From an audit quality standpoint, membership in the ACAB'c is necessary for any auditor using ETSI criteria to review CAs that issue publicly trusted server certificates, and therefore, ACAB'c membership should be a requirement stated in the MRSP.
Please provide your responses and comments in this thread. Thanks.
Sincerely,
Ben Wilson
Mozilla Root Store Program
--
You received this message because you are subscribed to the Google Groups "dev-secur...@mozilla.org" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dev-security-po...@mozilla.org.
To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CA%2B1gtaYuv_0Zy4LZnxPkmbg9EGft6AtT3AXSSUM2Es7VWuUPgw%40mail.gmail.com.
This would effectively force a number of existing auditors with a long history of providing ETSI audits for Mozilla into joining ACAB-C. It is not clear that simply being a member provides any benefits. If there are clear problems to be solved here, it would be better to write explicit requirements about what is expected of auditors, instead of requiring their membership in an arbitrary organization.
As far as I’m aware, ACAB-C is a voluntary coordination body, and not in any way recognized as part of the European regulatory structure.
-Tim
It is disrespectful to imply that my remarks mean anything beyond what I actually said. This has been a pattern for a long time, where you reply quickly to my feedback, replace it with a strawman, and then argue against the strawman. In particular, the WebTrust analogy is not very apt. WebTrust is a compliance program that Mozilla relies upon, so it makes a lot of sense for auditors to have to be accredited under it and in good standing. As far as I’m aware, ACAB-C is not an accreditation body for ETSI audits in any way.
I have asked you, repeatedly and publicly, and on many occasions, to not put words in my mouth when you reply. Yet you persist. This sort of behavior is why I rarely participate in this forum any more. Particularly relevant to this forum, it’s also a violation of Mozilla Policy.
Clearly, it would be better, for example, if Mozilla desires that auditors use the ACAB-C reporting format, for Mozilla to require that. Forcing every auditor, including those who are government regulators and for whom this relationship might be awkward, into joining an organization simply to check a box on Mozilla’s compliance list, will not improve anything. People will join for the checkbox, and then ignore the organization and not participate.
-Tim
Ben,
The policy requirements should be structured to match the policy goals. You have mentioned two important ones, which I agree with. The first can be solved by requiring the use of ACAB’c templates. The second points to a legitimate issue that the NABs/CABs need to solve. Relying on a non-official source for accreditation information has its own risks that should be taken seriously.
There’s also no guarantee that ACAB’C membership will be free in the future. Organizations change. ACAB’c could also adopt membership rules which some organizations are unable to comply with.
As was pointed out internally, ACAB’C is a very small association of mostly French and German auditors, with very few members. As much as I appreciate their work on templates and other issues, I don’t think forcing people to join another organization is a good thing for organizations to do, no matter how well-intended it is. It takes away their agency, which will certainly put a damper on their desire to participate.
-Tim
Hi Moudrick,
yes, we are aware of that and have requested those members to provide updated information some weeks ago. I agree, we should send out another reminder and demand to provide the information asap.
The problem was caused by the German accreditor that decided to re-structure their website, causing all the existing links to fail.
Best regards
Matthias
From: dev-secur...@mozilla.org <dev-secur...@mozilla.org>
On behalf of Moudrick Dadashov
Sent: Friday, 4 February 2022 00:18
To: Ben Wilson <bwi...@mozilla.com>
Cc: Ryan Sleevi <ry...@sleevi.com>; Tim Hollebeek <tim.ho...@digicert.com>; dev-secur...@mozilla.org <dev-secur...@mozilla.org>
Subject: Re: Policy 2.8: MRSP Issue #219: Require ETSI auditors to be ACAB-c members
Registered office/Headquarters: TÜV Informationstechnik GmbH, Am TÜV 1, 45307 Essen, Germany. Register court: Local Court Essen, HRB 11687. VAT No.: DE 176132277. Tax No.: 111/57062251. Management Board: Dirk Kretzschmar
It is not clear to me whether a decision has been made on this matter. Would Mozilla please clarify? If this new requirement were introduced in the MRSP with immediate effect, it would cause non trivial organizational problems for the CAs that are nearing their next audit cycle.
Adriano
ACTALIS S.p.A.
--
You received this message because you are subscribed to the Google Groups "dev-secur...@mozilla.org" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dev-security-po...@mozilla.org.
Ben:
As a whole, this change seems a significant step backwards, in that it removes the requirement for both WebTrust licensee and ACAB'c membership. There doesn't seem to be any explanation for this change, and your reply on Feb 3 seemed to support.
In short, it's unclear how this addresses https://github.com/mozilla/pkipolicy/issues/219 - it seems to do quite the opposite.
Maybe if we take a step back from your precise wording changes: What's the end state you'd like to accomplish? It seems this does the opposite of what's on the bug, and if that's intended, it might be useful to have some rationale and discussion on that.
On Mon, Apr 4, 2022 at 11:59 AM Ben Wilson <bwi...@mozilla.com> wrote:
Please see language proposed to address Issue #219 here: https://github.com/BenWilson-Mozilla/pkipolicy/commit/907b54de5b811bbd1def8208e2f72b43f1e21048.
On Tue, Mar 29, 2022 at 9:35 AM Ben Wilson <bwi...@mozilla.com> wrote:
Adriano,
Right now, we're considering the following language:
"ETSI Audit Attestation Letters MUST follow the Audit Attestation Letter template on the [ACAB'c website](https://www.acab-c.com/downloads), and ETSI auditors SHOULD be listed as [CAB-members on the ACAB'c website](https://www.acab-c.com/members/). WebTrust audit statements MUST follow the practitioner guidance, principles, and illustrative assurance reports on the [CPA Canada website](https://www.cpacanada.ca/en/business-and-accounting-resources/audit-and-assurance/overview-of-webtrust-services/principles-and-criteria), and SHOULD be listed as an enrolled WebTrust practitioner on the [CPA Canada website](https://www.cpacanada.ca/en/business-and-accounting-resources/audit-and-assurance/overview-of-webtrust-services/licensed-webtrust-practitioners-international)."
Thanks,
Ben
On Tue, Mar 29, 2022 at 9:03 AM 'Adriano Santoni' via dev-security-policy@mozilla.org <dev-security-policy@mozilla.org> wrote:
It is not clear to me whether a decision has been made on this matter. Would Mozilla please clarify? If this new requirement were introduced in the MRSP with immediate effect, it would cause non trivial organizational problems for the CAs that are nearing their next audit cycle.
Adriano
ACTALIS S.p.A.
On 03/02/2022 23:31, Ben Wilson wrote:
Regarding "Relying on a non-official source for accreditation information has its own risks that should be taken seriously." - That isn't how it works - in the third column over on https://www.acab-c.com/members/, the link is to the official source, which is what we review.
On Thu, Feb 3, 2022 at 3:16 PM Ryan Sleevi <ry...@sleevi.com> wrote:
On Thu, Feb 3, 2022 at 4:03 PM Tim Hollebeek <tim.ho...@digicert.com> wrote:
Ben,
The policy requirements should be structured to match the policy goals. You have mentioned two important ones, which I agree with. The first can be solved by requiring the use of ACAB’c templates. The second points to a legitimate issue that the NABs/CABs need to solve. Relying on a non-official source for accreditation information has its own risks that should be taken seriously.
Tim,
I don't want to belabor this point, but you haven't highlighted if, how, or why you believe WebTrust is different. WebTrust is organizationally and functionally the same as ACAB'c in this regard, as far as professional association goes. Do you believe WebTrust is only valid if the US or Canadian governments recognize it - knowing full well they reject such audits as being insufficient?
This reply seems to demonstrate a fundamental misunderstanding about the role of CABs/NABs, or that there is some value that is not yet articulated. The burden of proof rests on you to demonstrate what this value is - and what these risks are, that you believe should be taken seriously. You have not yet done that.
There’s also no guarantee that ACAB’C membership will be free in the future. Organizations change. ACAB’c could also adopt membership rules which some organizations are unable to comply with.
Again, how is this functionally different from WebTrust, which charges a licensing fee and which has restrictions on who can join? This is a point that goes back 20 years, in particular, during the discussion of Scott Perry as an auditor who was not WebTrust licensed at the time and not a CPA. I mention Scott as an example, because Scott S. Perry is who DigiCert has used as their auditor (and which was recently acquired by Shellman).
The argument here does not establish why Mozilla should be concerned about free or not. Similarly, the point that ACAB'c "could" do something is nothing more than unsubstantiated FUD, because it ignores the fact that if there was a negative development, Mozilla - or anyone else - could respond if necessary.
As was pointed out internally, ACAB’C is a very small association of mostly French and German auditors, with very few members. As much as I appreciate their work on templates and other issues, I don’t think forcing people to join another organization is a good thing for organizations to do, no matter how well-intended it is. It takes away their agency, which will certainly put a damper on their desire to participate.
This is the closest we've got to actually establishing the substance of your objection, but it is entirely unclear what bearing it should have on this discussion. By this logic, requiring WebTrust licensed auditors is an equally unacceptable imposition - do you agree or not?
Is there some point you believe is being overlooked? This message is full of conclusions, but lacks the logical footing necessary to reach those conclusions. If you think it's being misunderstood, please articulate.
The fact that NABs/CABs have not solved this issue, that there have been years of discussion with ETSI, and that fundamentally the organizational goals of NABs/CABs are specifically to support those of Supervisory Bodies, and are not aligned with browser needs, appears to be entirely discarded here. There's zero reason to believe that continuing on the present course is somehow going to lead somewhere differently, other than in the abstract ideal state.
I don't disagree that there are arguments being made here, but they're arguments that are easily refuted, or which don't logically hold. I hope I'm overlooking something.
Maybe, instead of following with the "(unless written permission is granted by Mozilla)" for both, perhaps:
- Mozilla MAY, at its sole discretion, decide to temporarily waive membership or enrollment requirements.
Hi Moudrick,
CPA Canada is not like a NAB in Europe. NABs supervise CABs which means they assess/examine/review audit work of CABs - I believe - on a yearly basis and decide on the accreditation of the CAB. CABs are "assessed" by NABs similarly as CAs are audited by CABs.
I am not sure CPA Canada works this way. Based on past discussions, please correct me if I'm wrong, my understanding is that WebTrust audit firms have a peer-review process (not sure if it is annual or not) which means that audit firms examine other audit firms' audits.
IMHO CPA Canada is more analogous to ACAB-c than to a NAB but with more "power"/authority over the WebTrust program (closer to the powers of EA https://european-accreditation.org/). ACAB-c has no authority over NABs/CABs or ETSI standards.
I was mainly trying to highlight some known differences between CPA Canada and NABs. In practice, can you please confirm whether CPA Canada performs audit reviews against their licensed practitioners, and if so, how frequently? As I explained, NABs actually review/assess audit cases of CAs performed by their CABs on an annual basis.
Thanks Ryan,
Actually, simplification applies only to the organisational infrastructure and allows us to concentrate on two major players: CABs and accreditation bodies.
Why do we need this? If we succeed with minimal requirements for both players, it should help to harmonise the root program requirements.
Although it does require significant effort, both accreditation and certification rely on the same semi-formalised "conformity assessment scheme" concept, which methodologically is very close to CP/CPS for CAs.
"Conformity assessment can *help*, sure, but it's *not* a replacement."
Sorry, I don’t know where this replacement comes from...
"So no, it's a non-goal to focus on CABs and accreditation bodies, as they are not the "two major players"."
The reason why these bodies are major players is obvious: accreditation is the only process by which CABs become CABs (and maintain their status), and certification is the only process that enables CAs to participate in the Root inclusion program.