On Thu, Nov 8, 2018 at 6:24 AM Nick Pope via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
> Following on from Wayne's earlier positive statement:
>
> "I look forward to more open and constructive discussions aimed at
> improving the quality and transparency of CA audits, regardless of the
> audit scheme."
>
> I believe centring discussion on one particular auditor is not progressing
> things with regards to generally improving audits.

That sounds very much like you don’t believe in either accountability or in trustworthiness being necessary for auditors. Statements like this, which actively promote overlooking fundamentally defective application of the existing requirements, call the ETSI model itself into disrepute. I realize the opposite is your goal, but I hope you can understand how such an approach is fundamentally and deeply offensive to the trust ecosystem.

Perhaps put differently: Do you believe that the audit criteria under ETSI are sufficiently clear to set forward an expectation that certificates conform to a profile? If no, we should not use or accept ETSI audits until such a time as the issues are resolved. If yes, then it is absolutely appropriate and necessary to discuss why specific auditors are failing to deliver on that. There is no middle ground, and this is not about wishlists. This is about fundamentally not meeting base level expectations.

> I understood from my EU colleagues that Ryan and Wayne had undertaken to
> produce a "wish list" covering requirements that they had on audits. We
> can then discuss this with the European stakeholders and see how we could
> best answer the wish list. This wish list would be most helpful if it
> builds on the measures already proposed in TS 119 403-2 and its parent
> standards which provide specific requirements on all European audits for
> PTC. I understand also that we undertook to meet with WebTrust in December
> to get an understanding of each other's schemes which could lead to
> resolution of any alignment issues.

This is entirely unrelated and unproductive to even suggest.
Yes, ETSI should and must improve overall. But with regards to the current requirements and auditors such as TUVIT failing to appropriately apply them, that’s an issue that needs discussion and resolution now, and in public. I am glad the ESI TC recognizes there is room for improvement, just as there is room for improvement with WebTrust, but it is inaccurate to conflate that room for improvement with current failures in the application. This is not about not having things that are wanted - this is about not having the basics that are already required.

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy