In addition, I take exception to the statement that open criticism is a bad approach and the implication that private discussions are the best way to make improvements. This is clearly not Mozilla's philosophy.
I do believe that we all need to be careful to follow Mozilla forum etiquette [1] and community participation guidelines [2], particularly the section titled "Be Direct but Professional". However, transparent discussions are a core Mozilla Principle [3]: "Transparent community-based processes promote participation, accountability and trust." I look forward to more open and constructive discussions aimed at improving the quality and transparency of CA audits, regardless of the audit scheme.

- Wayne

[1] https://www.mozilla.org/en-US/about/forums/etiquette/
[2] https://www.mozilla.org/en-US/about/governance/policies/participation/
[3] https://www.mozilla.org/en-US/about/manifesto/

On Mon, Nov 5, 2018 at 1:55 PM Ryan Sleevi via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:

> On Mon, Nov 5, 2018 at 3:28 PM Nick Pope via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
>
>> It is very unfortunate that at this time the owners of root store programs openly criticise one of the main auditors working on improvements to European based audits. After a number of years of audits of European CAs based on ETSI EN 319 403 being recognised as meeting the requirements of publicly trusted certificates, ETSI is working with European auditors on further updates to improve the acceptability of European audits to root store programs. It seems to be going against this initiative to suggest draconian measures of excluding TUVIT audits from the root programs, whose impact is totally out of proportion to the possible impact of the issues raised.
>>
>> I suggest that the providers of root stores return to the negotiations for further improving European based audits that I understood had started at the recent CA/Browser Forum. The current approach of making public criticisms against those who are trying to make improvements to the European CA audits is making the current direct discussions with root store providers difficult to progress. So unless it is the objective to deliberately exclude European CAs from their root programs, which I believe is not the case, I suggest that we return to the direct discussions with the providers of root stores on how to further improve European audits so that they can better take into account the root program requirements.
>>
>> Nick Pope, Vice-Chair ETSI TC on Electronic Signatures and [Trust] Infrastructures
>
> Respectfully, comments like this unfortunately bring even greater concern with respect to the ETSI process.
>
> A significant number of improvements have been made to the ecosystem by recognizing when mistakes are made and taking steps to improve. It has now seen both TUVIT and the Vice-Chair of the ETSI TC on ESI instead suggest these are not mistakes and downplay their significance. This prevents meaningful improvements, because it fails to recognize that there exist fundamental issues.
>
> I am all in favor of ensuring that all accepted audit schemes meet the necessary level of robustness for the community. Much work has been done with WebTrust, through their active engagement with Browsers to ensure that the needs of the consumers are being met. ETSI has only recently begun to recognize these issues, and while we are indeed seeing the beginnings of fruitful engagement, we should not suggest that such seeds are a reasonable justification to ignore gross negligence in security-critical functions OR the deeply concerning dismissiveness of those concerns.
>
> I'm sure you can understand it would be deeply offensive if, on the basis of such collaborations with WebTrust, it were suggested that no WebTrust auditor be disqualified. Similarly, I'm sure you can understand it would be deeply offensive to the purpose, values, and goals to suggest that because CAs participate in m.d.s.p., they should be excluded from accountability. At the end of the day, browsers are accountable for ensuring their users are secure, and regardless of how productive our conversations may be, if the level of security is not met, it's entirely appropriate and necessary to take steps to protect users.
>
> I hope that, as Vice-Chair of the ETSI TC on ESI, and on behalf of auditors, careful introspection is performed in comparing how these statements sound when compared with CAs that have been distrusted due to gross negligence and misissuance. Failures to acknowledge or recognize the problem, failures to have implemented reasonable steps to resolve such issues, repeated failures to achieve the necessary level of security, do more to harm the brand of that organization and its products than statements suggesting distrust.
>
> _______________________________________________
> dev-security-policy mailing list
> dev-security-policy@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy