On Thu, Nov 5, 2020 at 7:00 PM Wojtek Porczyk <w...@invisiblethingslab.com> wrote:
> On Thu, Nov 05, 2020 at 11:48:20AM -0500, Ryan Sleevi via > dev-security-policy wrote: > > competency is with individuals, not organizations. > > [snip] > > > I find the appeal to redundancy and the NAB, and further, the suggestion > of > > GDPR, to be a bit insulting to this community. This opposition to > > transparency fundamentally undermines the trust in ETSI provided audits, > or > > this appeal to the eIDAS scheme, which has limited relevance given it's a > > fundamentally different audit scheme, beggars belief. If you'd like to > > raise Fear/Uncertainty/Doubt about GDPR, I believe you owe this > community a > > precise and detailed explanation about what you believe, relevant to the > > auditor professional experience, would be problematic. > > Not the original poster, but > 1) I understand that the very general language of OP, which you dismiss as > FUD, is because this is "consult your own lawyer" area; > 2) contrary to what you have written, the onus is on Mozilla to demonstrate > the compliance with GDPR and not the other way around. > I think this is significantly misstating things. Without opining on the legal statements you've offered, the reality is that fundamentally, if we cannot achieve reasonable evidence to trust the auditor - specifically, the individuals that make up the audit team (both the audit members and any relevant technical experts that may have contributed) - then there's no objective reason to accept the audit. The concerns you raised are secondary to that, and so the objection to something *cannot* be provided simply means that it would limit the utility, reliability, and trustworthiness of those audits and potentially make them unacceptable. The need for objective, transparent understanding about the skills and competencies is as paramount as the need for an objective, transparent understanding about the CA itself, and for which audits exist. The attestation of the CAB is demonstrably insufficient for purpose, in the same way as a CA saying "I solemnly swear I'm up to good" would not somehow invite trust. I understand that the appeal is "Well, the NAB oversees the CAB, you see, and EA oversees the NABs, and through the power of Regulation 765/2008, trust is imbued", but that of course fails the very basic test of having concrete, objective data for the consumer of the audit (e.g. Mozilla, but also this broader community). It entirely outsources the supervision, without providing any evidence of meeting the requirement, for a core product security requirement. Rather than accept such risk, it becomes just as reasonable to reject such audits. I highlight this because to suggest something *cannot* be done is to unquestionably invite the assertion of FUD. If there are *challenges* to doing so, we should try to find solutions. But outright dismissal, or suggesting somehow that transparency is not necessary because *handwave* this other scheme *handwave* doesn't inspire confidence, nor does it achieve the necessary transparency. This is clearly not insurmountable, as discussed previously, and in the worst case, might mean that rather than arbitrarily accepting audits, Mozilla would contractually negotiate with potential auditors to ensure the necessary skills and qualifications were met (e.g. as widely practiced in other industries). _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy