On Mon, Nov 5, 2018 at 3:28 PM Nick Pope via dev-security-policy < [email protected]> wrote:
> It is very unfortunate that at this time the owners of root store programs
> openly criticise one of the main auditors working on improvements to
> European based audits. After a number of years of audits of European CAs
> based on ETSI EN 319 403 being recognised as meeting the requirements of
> publicly trusted certificates, ETSI is working with European auditors
> on further updates to improve the acceptability of European audits to root
> store programs. It seems to be going against this initiative to suggest
> draconian measures of excluding TUVIT audits from the root programs, whose
> impact is totally out of proportion to the possible impact of the issues
> raised.
>
> I suggest that the providers of root stores return to the negotiations
> for further improving European based audits that I understood had started
> at the recent CA/Browser Forum. The current approach of making public
> criticisms against those who are trying to make improvements to the
> European CA audits is making the current direct discussions with root store
> providers difficult to progress. So unless it is the objective to
> deliberately exclude European CAs from their root programs, which I believe
> is not the case, I suggest that we return to the direct discussions with
> the providers of root stores on how to further improve European audits so
> that they can better take into account the root program requirements.
>
> Nick Pope, Vice-Chair ETSI TC on Electronic Signatures and [Trust]
> Infrastructures

Respectfully, comments like this unfortunately bring even greater concern with respect to the ETSI process. A significant number of improvements have been made to the ecosystem by recognizing when mistakes are made and taking steps to improve. It has now seen both TUVIT and the Vice-Chair of the ETSI TC on ESI instead suggest these are not mistakes and downplay their significance.

This prevents meaningful improvements, because it fails to recognize that there exist fundamental issues. I am all in favor of ensuring that all accepted audit schemes meet the necessary level of robustness for the community. Much work has been done with WebTrust, through their active engagement with browsers to ensure that the needs of the consumers are being met. ETSI has only recently begun to recognize these issues, and while we are indeed seeing the beginnings of fruitful engagement, we should not suggest that such seeds are a reasonable justification to ignore gross negligence in security-critical functions OR the deeply concerning dismissiveness of those concerns.

I'm sure you can understand it would be deeply offensive if, on the basis of such collaborations with WebTrust, it were suggested that no WebTrust auditor be disqualified. Similarly, I'm sure you can understand it would be deeply offensive to the purpose, values, and goals to suggest that because CAs participate in m.d.s.p., they should be excluded from accountability. At the end of the day, browsers are accountable for ensuring their users are secure, and regardless of how productive our conversations may be, if the level of security is not met, it's entirely appropriate and necessary to take steps to protect users.

I hope that, as Vice-Chair of the ETSI TC on ESI, and on behalf of auditors, careful introspection is performed in comparing how these statements sound when compared with CAs that have been distrusted due to gross negligence and misissuance. Failures to acknowledge or recognize the problem, failures to have implemented reasonable steps to resolve such issues, and repeated failures to achieve the necessary level of security do more to harm the brand of that organization and its products than statements suggesting distrust.

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

