Maybe someone from ACAB-c could check the links in the table that give 404?
Thanks,
M.D.

On Fri, Feb 4, 2022, 00:31 Ben Wilson <[email protected]> wrote:

> Regarding "Relying on a non-official source for accreditation information
> has its own risks that should be taken seriously." - That isn't how it
> works - in the third column over on https://www.acab-c.com/members/, the
> link is to the official source, which is what we review.
>
> On Thu, Feb 3, 2022 at 3:16 PM Ryan Sleevi <[email protected]> wrote:
>
>> On Thu, Feb 3, 2022 at 4:03 PM Tim Hollebeek <[email protected]>
>> wrote:
>>
>>> Ben,
>>>
>>> The policy requirements should be structured to match the policy goals.
>>> You have mentioned two important ones, which I agree with. The first can
>>> be solved by requiring the use of ACAB’c templates. The second points to a
>>> legitimate issue that the NABs/CABs need to solve. Relying on a
>>> non-official source for accreditation information has its own risks that
>>> should be taken seriously.
>>
>> Tim,
>>
>> I don't want to belabor this point, but you haven't highlighted if, how,
>> or why you believe WebTrust is different. WebTrust is organizationally and
>> functionally the same as ACAB'c in this regard, as far as professional
>> association goes. Do you believe WebTrust is only valid if the US or
>> Canadian governments recognize it - knowing full well they reject such
>> audits as being insufficient?
>>
>> This reply seems to demonstrate a fundamental misunderstanding about the
>> role of CABs/NABs, or that there is some value that is not yet articulated.
>> The burden of proof rests on you to demonstrate what this value is - and
>> what these risks are, that you believe should be taken seriously. You have
>> not yet done that.
>>
>>> There’s also no guarantee that ACAB’C membership will be free in the
>>> future. Organizations change. ACAB’c could also adopt membership rules
>>> which some organizations are unable to comply with.
>>
>> Again, how is this functionally different from WebTrust, which charges a
>> licensing fee and which has restrictions on who can join? This is a point
>> that goes back 20 years, in particular, during the discussion of Scott
>> Perry as an auditor who was *not* WebTrust licensed at the time and not
>> a CPA. I mention Scott as an example, because Scott S. Perry is who
>> DigiCert has used as their auditor (and which was recently acquired by
>> Schellman).
>>
>> The argument here does not establish why Mozilla should be concerned
>> about free or not. Similarly, the point that ACAB'c "could" do something is
>> nothing more than unsubstantiated FUD, because it ignores the fact that if
>> there was a negative development, Mozilla - or anyone else - could respond
>> if necessary.
>>
>>> As was pointed out internally, ACAB’C is a very small association of
>>> mostly French and German auditors, with very few members. As much as I
>>> appreciate their work on templates and other issues, I don’t think forcing
>>> people to join another organization is a good thing for organizations to
>>> do, no matter how well-intended it is. It takes away their agency, which
>>> will certainly put a damper on their desire to participate.
>>
>> This is the closest we've got to actually establishing the substance of
>> your objection, but it is entirely unclear what bearing it should have on
>> this discussion. By this logic, requiring WebTrust licensed auditors is an
>> equally unacceptable imposition - do you agree or not?
>>
>> Is there some point you believe is being overlooked? This message is full
>> of conclusions, but lacks the logical footing necessary to reach those
>> conclusions. If you think it's being misunderstood, please articulate.
>>
>> The fact that NABs/CABs have not solved this issue, that there has been
>> years of discussion with ETSI, and that fundamentally the organizational
>> goals of NABs/CABs is specifically to support that of Supervisory Bodies,
>> and is not aligned with browser needs, appears to be entirely discarded
>> here. There's zero reason to believe that continuing on the present course
>> is somehow going to lead somewhere differently, other than in the abstract
>> ideal state.
>>
>> I don't disagree that there are arguments being made here, but they're
>> arguments that are easily refuted, or which don't logically hold. I hope
>> I'm overlooking something.
