I am asking that we get a clear statement of what you would like to see from EU audits based on ETSI standards, so that we (European auditors and ETSI) can come back with a considered response on how we can meet your concerns. Rather than saying what a particular individual thinks, we would like to understand what your concerns are in as much detail as possible, measured against what is specified as the current requirements for EU audits. We can then make a considered joint response to your concerns to ensure that ETSI audits meet your needs in a way that works for the existing European environment.
I note your concerns about transparency and ensuring that the requirements of the certificate profile are met. If you can put these concerns down in detail, along with any other issue you have, as a joint document from the root stores, we can provide a coordinated response on how we can address your concerns. If you see this as "basics that are already required" rather than a "wish list", fine; again, just provide us with a clear set of requirements so that we can properly respond.

Nick

On Thursday, November 8, 2018 at 3:34:27 PM UTC, Ryan Sleevi wrote:
> On Thu, Nov 8, 2018 at 6:24 AM Nick Pope via dev-security-policy <
> [email protected]> wrote:
>
> > Following on from Wayne's earlier positive statement:
> >
> > "I look forward to more open and constructive discussions aimed at
> > improving the quality and transparency of CA audits, regardless of the
> > audit scheme."
> >
> > I believe centring discussion on one particular auditor is not progressing
> > things with regard to generally improving audits.
>
> That sounds very much like you don't believe in either accountability or in
> trustworthiness being necessary for auditors. Statements like this, which
> actively promote overlooking fundamentally defective application of the
> existing requirements, call the ETSI model itself into disrepute. I
> realize the opposite is your goal, but I hope you can understand how such
> an approach is fundamentally and deeply offensive to the trust ecosystem.
>
> Perhaps put differently: do you believe that the audit criteria under ETSI
> are sufficiently clear to set forward an expectation that certificates
> conform to a profile?
>
> If no, we should not use or accept ETSI audits until such a time as the
> issues are resolved.
> If yes, then it is absolutely appropriate and necessary to discuss why
> specific auditors are failing to deliver on that.
>
> There is no middle ground, and this is not about wishlists. This is about
> fundamentally not meeting base level expectations.
>
> > I understood from my EU colleagues that Ryan and Wayne had undertaken to
> > produce a "wish list" covering requirements that they had on audits. We
> > can then discuss this with the European stakeholders and see how we could
> > best answer the wish list. This wish list would be most helpful if it
> > builds on the measures already proposed in TS 119 403-2 and its parent
> > standards, which provide specific requirements on all European audits for
> > PTC. I understand also that we undertook to meet with WebTrust in December
> > to get an understanding of each other's schemes, which could lead to
> > resolution of any alignment issues.
>
> This is entirely unrelated and unproductive to even suggest. Yes, ETSI
> should and must improve overall. But with regard to the current
> requirements and auditors such as TUVIT failing to appropriately apply
> them, that's an issue that needs discussion and resolution now, and in
> public. I am glad the ESI TC recognizes there is room for improvement, just
> as there is room for improvement with WebTrust, but it is inaccurate to
> conflate that room for improvement with current failures in the
> application. This is not about not having things that are wanted; this is
> about not having the basics that are already required.

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

