Ryan,

I see the main question is what is the most productive way ahead.  We can 
continue discussing a specific concern in the context of just one of the European 
auditors, or work in the EU on a considered approach to all the concerns which 
can be applied to all European-based audits.  The first does not seem to be 
working towards something that you are happy with and even then would only 
provide an answer in a limited context.   With the second approach we can take 
into account all your concerns and work towards an approach that can be applied 
to all EU audits and which is acceptable to all.

Nick


On Friday, November 9, 2018 at 9:18:40 PM UTC, Ryan Sleevi wrote:
> On Fri, Nov 9, 2018 at 7:05 AM Nick Pope via dev-security-policy <
> dev-security-policy@lists.mozilla.org> wrote:
> 
> > I am asking that we get a clear statement of what you would like to see
> > from EU audits based on ETSI standards so that we (European Auditors
> > and ETSI) can come back with a considered response on how we can meet your
> > concerns.  Rather than saying what a particular individual person thinks,
> > we would like to understand what your concerns are in as much detail as
> > possible against what is specified as the current requirements for EU
> > audits.    We can then make a considered joint response to your concerns to
> > ensure that ETSI audits meet your needs in a way that works for the existing
> > European environment.
> >
> > I note your concerns about transparency and ensuring that the certificate
> > profile requirements are met.  If you can put these concerns down in detail,
> > along with any other issue you have, as a joint document from the root
> > stores, we can provide a coordinated response on how we can address your
> > concerns.
> >
> > If you see this as "basics that are already required" rather than "wish
> > list", fine; again, just provide us with a clear set of requirements so that we
> > can properly respond.
> 
> 
> I really don’t see how this is a productive response. It really is rather
> simple - do you believe auditors should be assessing compliance with EN 319
> 412-* under the existing standards?
> 
> If yes, TUVIT has demonstrated a pattern of failing to do so, and it’s
> appropriate to discuss what next steps are appropriate to minimize the risk
> from such repeated failures - such as no longer accepting.
> 
> If not, then ETSI audits are quite literally missing one of the most basic
> expectations, and their acceptance should be immediately stopped until such
> a time as they do.
> 
> I fail to see how there’s any other possible response there; it really is
> cut and dry like that.

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy