Dear all,

as already mentioned above, qualified auditors (natural person/organization) have been selected which fulfil the points as listed in our previous response. The auditors fulfilled these relevant requirements. Even the organization of TÜV AUSTRIA CERT was accredited according to ISO 17065 by that time – the only thing missing was the formal acknowledgement of the Austrian Federal Ministry for Digital and Economy Affairs (BMDW) for amending that accreditation by the ETSI ENs.

The accreditation audit had successfully been performed by the Ministry BMDW in June and a corresponding positive report had been issued to TÜV AUSTRIA CERT. That report had been forwarded immediately to the Browsers. Following this time frame, at the time when our Audit Attestations were issued, the auditors had already passed their accreditation audit. Hereafter, however, the formal completion of the accreditation process by the Ministry requires time until the accreditation certificate is finally issued. Now – after the summer holiday season –, the accreditation certificate is expected to be delivered any day. Along with that, all public lists will be updated so that TÜV AUSTRIA CERT’s ETSI expansion of their accreditation according to ISO 17065 will finally be visible.

Related to our own SwissSign audit, which was required to be performed as soon as possible, we decided to ask the browsers before the audit was started whether they would accept the audit performed by our auditors under the circumstances described above. Based on the Mozilla Root Policy, clause 3.2, para 2, Mozilla can decide to accept the auditor. On top, we considered that, as the auditors are well known in the community and have long-term experience auditing several CAs included in the Root Stores according to ETSI and BRG, they should easily be accepted to perform our audit. We discussed that with Mozilla and Microsoft and both finally agreed to a one-time exception, so that we decided to start the audit project.

That given exception included an agreement that the Audit Attestations will be re-issued now, after the formal accreditation process is finalized – which will happen during the next few weeks. All the Browsers will then receive an updated Audit Attestation referring to the amended accreditation documentation. On top of that, and as already mentioned above, we will repeat all the audits during the next weeks in order to start over and synchronize the audit period for the complete PKI of SwissSign. At this time the expansion of TÜV AUSTRIA CERT’s accreditation according to ISO 17065 and ETSI EN 319 403 will certainly be visible.

Best Regards
Reinhard Dietrich