FYI:

see section 7.4.4 of ETSI EN 319 403, Electronic Signatures and Infrastructures (ESI); Trust Service Provider Conformity Assessment - Requirements for conformity assessment bodies assessing Trust Service Providers, http://www.etsi.org/deliver/etsi_en/319400_319499/319403/02.02.02_60/en_319403v020202p.pdf

Thanks,
M.D.

On 10/31/2017 2:13 AM, Kathleen Wilson via dev-security-policy wrote:
> On Monday, October 30, 2017 at 5:02:08 PM UTC-7, Buschart, Rufus wrote:
>> Our ETSI audit report (https://www.siemens.com/corp/pool/pki/siemens_etsi.pdf) states:
>>
>> An audit of the certification service, documented in a report, provided evidence that the requirements of the following specification have been fulfilled. The audit was conducted on 22th - 24th February 2017 covering the timeframe 27th February 2016 to 21st February 2017. It was a full audit covering all aspects of the standard performed. A second and third audit was performed on 19th and 20th June 2017 to implement further Issuing CAs and in the time between 23rd to 30th August.
>>
>> We repeat this full audit annually. From what I understand out of this discussion, this will meet your requirements, correct?
>
> Yes, that meets our requirement regarding stating the audit period and if it is a period-of-time/full audit. The problem is that most ETSI audit statements that we get do not say this. And it has been an uphill battle for me to get ETSI audit statements to say this.
>
> Please note that there is still information missing from the audit statement, such as SHA-256 fingerprints. See:
> https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/#public-audit-information
>
> But your audit statement is much better than most ETSI audit statements I get.
>
>> If you want us to move from ETSI to Webtrust we, and probably every other CA relying on ETSI, would highly appreciate a reasonable grace period to do so, since we are already in the middle of the preparation of our next audit in February 2018.
>
> I understand.
>
> Thanks,
> Kathleen

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
