On 30/10/2018 6:28 μμ, Ryan Sleevi via dev-security-policy wrote:
This establishes who the CAB is and who the NAB is. As the scheme used in
eIDAS for CABs is ETSI EN 319 403, the CAB must perform their assessments
in concordance with this scheme, and the NAB is tasked with assessing their
qualification and certification under any local legislation (if
appropriate) or, lacking such, under the framework for the NAB applying the
principles of ISO/IEC 17065 in evaluating the CAB against EN 319 403. The
NAB is the singular national entity recognized for issuing certifications
against ISO/IEC 17065 through the MLA/BLA and the EU Regulation No 765/2008
(as appropriate), which is then recognized trans-nationally.
Some clarifications/corrections because I saw some wrong usage of terms
being repeated.
A CAB MUST perform their assessments applying ISO/IEC 17065 AND ETSI EN
319 403 AND any applicable legislation (for EU CABs this includes
European and National legislation).
Also, a NAB issues "Accreditations" to CABs and not "Certifications".
Also, a CAB issues "Certifications" to TSPs and not "Accredidations".
So, T-Systems is "Certified", not "Accredited".
As the framework utilizes ISO/IEC 17065, the complaints process and
certification process for both TSPs and CABs bears strong similarity, which
is why I wanted to explore how this process works in function.
Note that if either the TSP is suspended of their certification or
withdrawn, no notification will be made to relying parties.
This depends on applicable legislation and the implementation of ISO
17065 sections 4.6, 7.11.3 by each CAB. Some CABs have a public
repository where RPs can query the validity of TSP Certifications so if
a Certification is Suspended or Revoked, it will be displayed
accordingly. I don't think WT has a notification scheme for RPs either.
If the TSP publishes the seal URL or the CAB's URL to the TSP
Certificate (which is not mandatory), RPs can manually check the
validity of the TSP Certification.
The closest
that it comes is that if they're accredited according to EN 319 411-2
(Qualified Certificates), the suspension/withdrawing will be reported to
the Supervisory Body, which will them update the Qualified Trust List for
that country and that will flow into the EU Qualified Trust List. If
they're accredited against EN 319 411-1, the Supervisory Body will be
informed by the CAB (in theory, although note my complaint about TSP
informing the CAB was not followed, and the same can exist with CAB to SB),
but no further notification may be made. Furthermore, if certification is
later reissued, after a full audit, the certification history will not
reflect that there was a period of 'failed' certification. This similarly
exists with respect to CABs - if a CAB has their accreditation suspended,
on the advice of or decision of the NAB based on feedback from the SB - the
community will not necessarily be informed. In theory, because
certification is 'forward' looking rather than 'past' looking, a suspension
or withdraw of a CAB by a NAB may not affect its past certification of
TSPs; this is an area of process that has not been well-specified or
determined.
Note that Supervisory Bodies (only related to eIDAS) have no authority
for TSP Certifications under ETSI EN 319 411-1, but only ETSI EN 319
411-2. In all cases of Certification (ETSI EN 319 411-1 or ETSI EN 319
411-2), the NAB is assessing the CAB. In most EU countries, the NAB IS
NOT the Supervisory Body.
Similarly with TSPs losing their Certification, if a CAB loses their
Accreditation it will be displayed on the NAB's web site.
I also consider the "WT seal" and "ETSI certification" very similar. A
WT seal is similar to an ETSI certificate because they state (emphasis
mine):
"An unqualified opinion from the practitioner indicates that such
principles *are being followed* in conformity with the WebTrust for
Certification Authorities Criteria. These principles and criteria
reflect fundamental standards for *the establishment and on-going
operation* of a Certification Authority organization or function."
So, if I check a WT seal today Oct 31, 2018, even though the CA has not
been audited between their last audit and today, the WT seal represents
that it is still valid and not withdrawn. They are both "forward
looking" in the eyes of Relying Parties.
As far as the non-disclosure of compliance certificate
suspension/withdrawals is concerned, CABs are only allowed to follow
their practices as described in ISO 17065 section 7.11.3. Root Programs
could possibly require that CAs MUST disclose any possible Certification
suspension or revocation that occurred during their audit period.
Hope this helps.
Dimitris.
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
