On Tue, Oct 30, 2018 at 11:59 AM Kurt Roeckx via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:

> On 2018-10-30 16:20, Ryan Sleevi wrote:
> > Given that the Supervisory Body and National Accreditation bodies exist to
> > protect the legal value of this scheme, the failure by TUVIT to uphold the
> > safety and security of the eIDAS regime represents an ongoing threat to the
> > ecosystem.
>
> Do we have a way of verifying the accreditation, and do we verify that
> they have a valid accreditation? Should it be enough for us to check the
> accreditation, and just follow the process you are already doing?
>

Yes. You can either begin with a 'top-down' approach or a 'bottom-up'
approach, depending on the information you have at hand. Conceptually, it's
very similar to Revocation Checking - and just as conceptually broken.

To begin with a 'bottom-up' approach, we start with the CA being assessed.
We'll use https://crt.sh/?id=3726125 as an example.
From there, we then look at the audit, which leads to
https://www.tuvit.de/fileadmin/Content/TUV_IT/zertifikate/en/AA2018072004_Audit_Attestation_E_T-TeleSec-GlobalRoot-Class-3_20180723_s.pdf
From this audit, we learn that TÜV Informationstechnik GmbH is accredited
by DAkkS with certificate D-ZE-12022-01 under ETSI EN 319 403 v2.2.2.
In this case, TUVIT has included a direct link to their certificate in the
footnotes, but you could otherwise look it up with DAkkS directly. In either
event, https://www.dakks.de/en/content/accredited-bodies-dakks?Regnr=D-ZE-12022-01-01
takes you to the certification.
You can then view the certificate itself at
https://www.dakks.de/as/ast/d/D-ZE-12022-01-01.pdf

From a top-down approach, you'd start with identifying who the NABs are
under the eIDAS scheme. As EU Regulation No. 910/2014 builds upon EU
Regulation No 765/2008 with respect to the establishment of NABs, your
starting point is with http://www.european-accreditation.org/
From there, you look for Members or MLA/BLA Signatories (with respect to
ISO 17065 and/or EN 319 403), and you can determine that the NAB for
Germany is DAkkS ( http://www.european-accreditation.org/ea-members ).
From DAkkS, you can then examine the Directory of accredited bodies (
https://www.dakks.de/en/content/directory-accredited-bodies-0 ) and search
for the relevant Conformity Assessment Bodies' certifications.

Both approaches lead you to the certification of TUVIT. If your question
was with respect to T-Systems' certification, you follow roughly that same
process, with the top-down approach also involving looking through TUVIT's
directory of accredited TSPs to determine if T-Systems is accredited.

This establishes who the CAB is and who the NAB is. As the scheme used in
eIDAS for CABs is ETSI EN 319 403, the CAB must perform their assessments
in concordance with this scheme, and the NAB is tasked with assessing their
qualification and certification under any local legislation (if
appropriate) or, lacking such, under the framework for the NAB applying the
principles of ISO/IEC 17065 in evaluating the CAB against EN 319 403. The
NAB is the singular national entity recognized for issuing certifications
against ISO/IEC 17065 through the MLA/BLA and the EU Regulation No 765/2008
(as appropriate), which is then recognized trans-nationally.

As the framework utilizes ISO/IEC 17065, the complaints process and
certification process for both TSPs and CABs bears strong similarity, which
is why I wanted to explore how this process works in function.

Note that if the TSP's certification is either suspended or withdrawn, no
notification will be made to relying parties. The closest that it comes is
that if they're accredited according to EN 319 411-2 (Qualified
Certificates), the suspension/withdrawal will be reported to the
Supervisory Body, which will then update the Qualified Trust List for that
country, and that will flow into the EU Qualified Trust List. If they're
accredited against EN 319 411-1, the Supervisory Body will be informed by
the CAB (in theory, although note my complaint that the process of the TSP
informing the CAB was not followed, and the same can exist with CAB to SB),
but no further notification may be made. Furthermore, if certification is
later reissued, after a full audit, the certification history will not
reflect that there was a period of 'failed' certification. This similarly
exists with respect to CABs - if a CAB has their accreditation suspended,
on the advice of or decision of the NAB based on feedback from the SB - the
community will not necessarily be informed. In theory, because
certification is 'forward' looking rather than 'past' looking, a suspension
or withdrawal of a CAB by a NAB may not affect its past certification of
TSPs; this is an area of process that has not been well-specified or
determined.
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
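The bottom-up walk described in the message above (certificate, audit attestation, CAB accreditation, NAB) and its closing caveat about suspensions leaving no trace, modelled as a small check. This is an added example, not code from the thread or from any of the bodies named in it: the directory records, dates and the suspension interval are constructed sample data, and the CAB-to-NAB mapping and the `KNOWN_NABS` list are assumptions standing in for the EA member list. Only the identifiers that appear in the message (D-ZE-12022-01, ETSI EN 319 403, the audit date from the PDF name) are reused.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Set, Tuple


@dataclass
class AccreditationRecord:
    """One NAB directory entry for a CAB (constructed sample data).

    `history` holds (start, end, status) intervals such as a suspension.
    A public directory usually exposes only the current status, which is
    the gap the message describes: a past suspension leaves no trace."""
    reg_no: str
    cab: str
    scheme: str
    valid_from: date
    valid_to: date
    history: List[Tuple[date, date, str]] = field(default_factory=list)

    def status_on(self, day: date) -> str:
        """Status of this accreditation on a given day."""
        for start, end, status in self.history:
            if start <= day <= end:
                return status
        if self.valid_from <= day <= self.valid_to:
            return "accredited"
        return "not accredited"


@dataclass(frozen=True)
class AuditAttestation:
    """What a relying party reads off the audit attestation PDF."""
    audited_ca: str
    cab: str
    reg_no: str
    scheme: str
    issued: date


# Assumed lookup tables standing in for the EA member list and the CAB -> NAB
# relationship; real values come from the directories linked in the message.
KNOWN_NABS: Set[str] = {"DAkkS"}
NAB_FOR_CAB: Dict[str, str] = {"TUVIT": "DAkkS"}


def verify_chain(audit: AuditAttestation,
                 registry: Dict[str, AccreditationRecord],
                 today: date,
                 history_aware: bool = True) -> List[str]:
    """Walk the chain bottom-up and return every problem found (empty = OK).

    Links checked: the CAB has a recognised NAB; the cited accreditation
    number exists in that NAB's directory and names the same CAB and the
    same scheme; the audit date falls inside the accreditation period; and
    the CAB's status is 'accredited', either on the audit date
    (history_aware=True) or only as the directory shows it today."""
    problems: List[str] = []
    if NAB_FOR_CAB.get(audit.cab) not in KNOWN_NABS:
        problems.append(f"CAB {audit.cab!r} has no recognised NAB")
    record = registry.get(audit.reg_no)
    if record is None:
        problems.append(f"accreditation {audit.reg_no} not in NAB directory")
        return problems
    if record.cab != audit.cab:
        problems.append(f"{audit.reg_no} belongs to {record.cab!r}, not {audit.cab!r}")
    if record.scheme != audit.scheme:
        problems.append(f"scheme mismatch: directory {record.scheme!r}, attestation {audit.scheme!r}")
    if not (record.valid_from <= audit.issued <= record.valid_to):
        problems.append(f"audit issued {audit.issued} outside accreditation period")
    check_day = audit.issued if history_aware else today
    status = record.status_on(check_day)
    if status != "accredited":
        problems.append(f"CAB status on {check_day}: {status}")
    return problems


def sample_registry(with_suspension: bool) -> Dict[str, AccreditationRecord]:
    """Constructed DAkkS-style directory; validity dates and the suspension are made up."""
    history = [(date(2018, 6, 1), date(2018, 9, 30), "suspended")] if with_suspension else []
    rec = AccreditationRecord("D-ZE-12022-01", "TUVIT", "ETSI EN 319 403",
                              date(2017, 1, 1), date(2022, 12, 31), history)
    return {rec.reg_no: rec}


# Attestation values as they appear in the message (issue date from the PDF name).
SAMPLE_AUDIT = AuditAttestation("T-TeleSec GlobalRoot Class 3", "TUVIT",
                                "D-ZE-12022-01", "ETSI EN 319 403", date(2018, 7, 23))
TODAY = date(2018, 10, 30)  # date of the thread, used as the 'now' reference


if __name__ == "__main__":
    print("clean chain:", verify_chain(SAMPLE_AUDIT, sample_registry(False), TODAY))
    # Same audit, but the CAB was suspended around the audit date. Checking
    # only today's directory status passes; checking the audit date does not.
    print("today only :", verify_chain(SAMPLE_AUDIT, sample_registry(True), TODAY, history_aware=False))
    print("audit date :", verify_chain(SAMPLE_AUDIT, sample_registry(True), TODAY))
```

The third run is the point of the message's last paragraph: a directory that only shows the current status answers "accredited" for a CAB whose accreditation was suspended on the day it issued the attestation, so a relying party that checks only the present state never learns about the gap.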