Hi Nick, I had been thinking that 119 403-2 was just intended as an attestation statement template, similar to the WebTrust reporting guidance [1]. Now I understand that it can include more substantial requirements.
This is certainly not a complete list, but specific to this discussion I would start with the following concerns:

* Reporting on major and minor non-conformities - I have yet to ever see an ETSI attestation listing a major non-conformity, but I have shared several examples listing minor non-conformities with ETSI representatives. We need standards that require consistent disclosure of all types of non-conformities in attestation statements. Disclosure is required even if a CA fixes a non-conformity within an acceptable time frame (based on ETSI standards).
* Disclosure when a CA violates the BR revocation timeline requirements, even if their actions are perfectly acceptable under ETSI standards for remediation.
* Disclosure of testing and sampling methodologies used in an audit.

- Wayne

[1] http://www.webtrust.org/practitioner-qualifications/item64422.aspx

On Mon, Nov 19, 2018 at 8:25 AM Nick Pope via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:

> Restating my earlier offer we would welcome a clear statement of any concerns or wishes resulting from the discussions, on this or other related threads, against the measures already proposed in TS 119 403-2 and its parent standard. We can then discuss this with the European stakeholders and see how we could best answer these concerns
>
> Nick
>
> On Friday, November 16, 2018 at 4:46:34 PM UTC, Wayne Thayer wrote:
> > On Thu, Nov 15, 2018 at 1:51 PM Ryan Sleevi <r...@sleevi.com> wrote:
> > > ...
> >
> > In either case, I think we're missing normative guidance to objectively distinguish poor judgement from policy violations. To that end, I think Nick's request for us to better define root program expectations is a reasonable one. Analyzing current and past issues can certainly help us to define these requirements.