On Fri, Nov 9, 2018 at 7:05 AM Nick Pope via dev-security-policy < [email protected]> wrote:
> I am asking that we get a clear statement of what you would like to see
> from EU audits based on ETSI standards and so that we (European Auditors
> and ETSI) can come back with a considered response on how we can meet your
> concerns. Rather than saying what a particular individual person thinks,
> we would like to understand what your concerns are in as much detail as
> possible against what is specified as the current requirements for EU
> audits. We can then make a considered joint response to your concerns to
> ensure that ETSI audits meet your needs in a way that works for the existing
> European environment.
>
> I note your concerns about transparency and ensuring that the requirements
> certificate profile are met. If you can put these concerns down in detail,
> along with any other issue you have, as a joint document from the root
> stores, we can provide a coordinated response on how we can address your
> concerns.
>
> If you see this as "basics that are already required" rather than "wish
> list" fine, again just provide us with a clear set of requirements so that we
> can properly respond.

I really don’t see how this is a productive response.

It really is rather simple - do you believe auditors should be assessing compliance with EN 319 412-* under the existing standards?

If yes, TUVIT has demonstrated a pattern of failing to do so, and it’s appropriate to discuss what next steps are appropriate to minimize the risk from such repeated failures - such as no longer accepting.

If not, then ETSI audits are quite literally missing one of the most basic expectations, and their acceptance should be immediately stopped until such a time as they do.

I fail to see how there’s any other possible response there; it really is cut and dry like that.

