ACAB'c is a group of a few eIDAS CABs working together for reasons; they do not represent all eIDAS CABs, nor do they have any recognized or official function within the eIDAS ecosystem.
Can the ACAB'c member list be relied upon as being accurate and providing correct and latest information on the accreditation status of member CABs? It’s a manual list maintained based on membership applications and their acceptance. Isn't the only current accurate source of accredited eIDAS CABs the 20+ governmental NABs of participating EU countries that are designated to accredit and supervise eIDAS CABs?

Without any visible added value or clear and transparent insights on what supervisory function they perform within the context of the WebPKI ecosystem (filtering which eIDAS CABs and reports are acceptable/qualitative?), why would a specific subset of eIDAS CABs be promoted over other eIDAS CABs?

Parties that are interested in becoming a WebPKI CA or maintaining that status often go look at root program requirements as a first source to understand what needs to be done, including what audit attestations need to be obtained and which parties can provide these. I have difficulties understanding what current reason there is to refer to the ACAB'c and why the "simplified check" seems to suggest only ACAB'c member audit reports are accepted.

> -----Original Message-----
> From: dev-security-policy <dev-security-policy-boun...@lists.mozilla.org> On Behalf Of Nicholas Knight via dev-security-policy
> Sent: Monday 13 July 2020 15:31
> To: mozilla-dev-security-pol...@lists.mozilla.org
> Subject: Re: Verifying Auditor Qualifications
>
> It seems exceptionally strange to me that what, from all appearances, is a 4 year
> old advocacy body for auditors could be considered an authoritative source.
> ACAB’c does not seem to have done anything at all to acquire the extremely high
> level of credibility such a source needs.
>
> The idea that an association of auditors can’t keep its website and charter up to
> date does nothing to dispel doubt, and is in fact evidence that ACAB’c is not
> capable of its claimed functions.
>
> I see no browsers or anyone else can rely on ACAB’c, or should. It was not formed
> for that purpose and there is no evidence it even understands that purpose. I
> suggest that if they intend to perform this function, it is necessary to start over
> with a new organization with a new charter and new leadership.
> _______________________________________________
> dev-security-policy mailing list
> dev-security-policy@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy