On Wed, Oct 31, 2018 at 12:55 PM Dimitris Zacharopoulos via
dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:

>
>
> On 31/10/2018 4:47 PM, Ryan Sleevi via dev-security-policy wrote:
> > There's a lot of nitpicking in this, and I feel that if you want to
> > continue this discussion, it would be better off in a separate thread on
> > terminology. I disagree with some of the claims you've made, so have
> > corrected them for the discussion.
> >
> > I would much rather keep this focused on the discussion of TUVIT as
> > auditors; if you feel that the nitpicking is relevant to that discussion
> > (which I don't believe anything you've said rises to that level), we
> should
> > certainly hash it out here. This is why I haven't forked this thread yet
> -
> > to make sure I've not misread your concern. However, if there's more
> > broadly a disagreement, but without impact to this discussion, we should
> > spin that out.
>
> Indeed, my comments were more related to the ETSI terminology so I
> created a new thread. More answers in-line.
>
> >
> > On Wed, Oct 31, 2018 at 7:11 AM Dimitris Zacharopoulos <ji...@it.auth.gr
> >
> > wrote:
> >
> >> On 30/10/2018 6:28 PM, Ryan Sleevi via dev-security-policy wrote:
> >>> This establishes who the CAB is and who the NAB is. As the scheme used
> in
> >>> eIDAS for CABs is ETSI EN 319 403, the CAB must perform their
> assessments
> >>> in concordance with this scheme, and the NAB is tasked with assessing
> >> their
> >>> qualification and certification under any local legislation (if
> >>> appropriate) or, lacking such, under the framework for the NAB applying
> >> the
> >>> principles of ISO/IEC 17065 in evaluating the CAB against EN 319 403.
> The
> >>> NAB is the singular national entity recognized for issuing
> certifications
> >>> against ISO/IEC 17065 through the MLA/BLA and the EU Regulation No
> >> 765/2008
> >>> (as appropriate), which is then recognized trans-nationally.
> >> Some clarifications/corrections because I saw some wrong usage of terms
> >> being repeated.
> >>
> >> A CAB MUST perform their assessments applying ISO/IEC 17065 AND ETSI EN
> >> 319 403 AND any applicable legislation (for EU CABs this includes
> >> European and National legislation).
> >>
> > Dimitris, I'm sorry, but I don't believe this is a correct correction.
> >
> > EN 319 403 incorporates ISO/IEC 17065; much like the discussion about EN
> > 319 411-2 incorporating, but being separate from, EN 319 411-1, the
> > structure of EN 319 403 is that it incorporates normatively the structure
> > of ISO/IEC 17065, and, at some places, extends.
> >
> > Your description of the system is logically incompatible, given the
> > incompatibilities in 319 403 and 17065.
> >
> > You're correct that any applicable national legislation applies, with
> > respect to the context of eIDAS. However, one can be assessed solely
> > against the scheme of EN 319 403 and 319 411-1, without going for
> qualified.
>
> I have to disappoint you and insist that your statement "As the scheme
> used in eIDAS for CABs is ETSI EN 319 403, the CAB must perform their
> assessments in concordance with this scheme, and the NAB is tasked with
> assessing their qualification and certification under any local
> legislation (if appropriate) or, lacking such, under the framework for
> the NAB applying the principles of ISO/IEC 17065 in evaluating the CAB
> against EN 319 403"
>
> and specifically the use of "or" in your statement, is incorrect. NABs
> *always* assess qualification of CABs applying ISO/IEC 17065 AND ETSI EN
> 319 403 AND any applicable legislation. Only Austria is an exception (if
> I recall correctly) because they don't apply ETSI EN 319 403 for CAB
> accreditation.
>
> Then, each CAB is accredited for specific standards (e.g. ETSI EN 319
> 411-1, 411-2, 421, eIDAS regulation and so on).
>
> ISO 17065 and ETSI EN 319 403 apply only to CABs and ETSI EN 319 411-1,
> 411-2 apply only for TSPs. 411-2 incorporates 411-1 and 401 but does not
> incorporate 403 or 17065. They are completely unrelated.
>

I'm afraid you're still misunderstanding, and I believe, misstating.

It is not ISO/IEC 17065 AND EN 319 403 that a CAB is assessed against.
They're assessed against EN 319 403, which *incorporates* ISO/IEC 17065.
This is the same way that when a TSP is assessed against ETSI EN 319 411-2,
they're not also (as in, separate audit report) assessed against EN 319
411-1; EN 319 411-2 *incorporates* EN 319 411-1.

Now, the CAB may ALSO be accredited for ISO/IEC 17065 (e.g. in the context
of application of other schemes), but I can't find supporting evidence to
support your claim that *both* are required in the context of EN 319 403.
Could you provide further details that you believe would demonstrate this?


> > I don't think this is a valid criticism, particularly in the context of
> the
> > specific case we're speaking about. I'm speaking about what's required -
> > you're speaking about what's possible. Many things are possible, but what
> > matters for expectations is what is required. 7.11.3 simply defers to the
> > scheme to specify, which EN 319 403 does not as it relates to this
> > discussion.
> >
>
> ISO 17065 sets the base and 7.11.3 describes the principles that need to
> be followed. It is very likely that different CABs will choose to
> implement this principle in a different way but at the end of the day,
> their implementation must satisfy the principle and they are evaluated
> by the NAB that ensures the principles are met.
>

Yes, which does not mean it provides any baseline assurance for relying
parties, which matters.

For example, when we talk about expectations of CAs, we don't talk about
what they 'could' do, we talk about what they MUST do, because at the end
of the day, that's the bar they're being held to. It's certainly true that
a given TSP may go above and beyond some bar, but that doesn't mean we can
say "CAs do X", because they aren't required to. The same logic applies in
the discussion of CABs - it does not make sense to discuss how they 'could'
interpret it, but rather, what they MUST do.


> This standard is very old and very mature, used to evaluate products
> and processes related to food, elevators and so many critical
> life-threatening products. Depending on the criticality of the audited
> standard, there may be additional requirements for the disclosure of
> non-conformities, certification suspension/withdrawal and others. For
> example, the food industry has additional rules for CABs (accredited
> under ISO 17065) evaluating companies that produce certain food products
> so that in case they detect certain pathogens or other major
> non-conformities, they must inform specific regulatory authorities. It
> is not impossible to set out similar rules in ETSI EN 319 403 or, as we
> agreed in my previous post, in Root program requirements.
>

Sure, but that's fundamentally dependent upon the accreditation scheme of
the CABs and the certification scheme of the TSPs. I think it's fair to say
that under eIDAS and EN 319 403, these are not requirements, and that's
what's relevant to the discussion at hand.

It's the same way that when we talk about the BRs, it's pointless to talk
about how some CAs may go above and beyond in their CPS, when discussing
the CA ecosystem or a particular (different) CA's misissuance. What matters
is the baseline expectations here.


> >> Similarly with TSPs losing their Certification, if a CAB loses their
> >> Accreditation it will be displayed on the NAB's web site.
> >>
> > More concretely, the absence will be.
> >
>
> They should be using a similar process, that is to mark that an
> accreditation has been suspended or withdrawn.
>

Going back to the above; 'should' and 'must' are two very different things.


>
> >> "An unqualified opinion from the practitioner indicates that such
> >> principles *are being followed* in conformity with the WebTrust for
> >> Certification Authorities Criteria. These principles and criteria
> >> reflect fundamental standards for *the establishment and on-going
> >> operation* of a Certification Authority organization or function."
> >>
> >> So, if I check a WT seal today Oct 31, 2018, even though the CA has not
> >> been audited between their last audit and today, the WT seal represents
> >> that it is still valid and not withdrawn. They are both "forward
> >> looking" in the eyes of Relying Parties.
> >>
> > This fundamentally misunderstands what WT audits are.
>
> Perhaps, but in my understanding both schemes result in a public
> declaration that the CA/TSP has been audited over a particular period
> according to specific standards, and can be reasonably trusted in
> continuing to do what they do until they are evaluated again.
>

No, that's not what a WebTrust statement is; it's an evaluation of historic
details without a statement as to future prediction. For the period that was
evaluated, the auditor reviewed the design and controls, believes they met
the principles and criteria, and tested the operational effectiveness of
those controls by examining their historic operation. It is not a
forward-looking statement. Extensive documentation and professional
standards exist with respect to how the data is evaluated, sampled, and
interpreted.

A certification is an ongoing statement of compliance, based on a set of
testing specific enumerated controls. The EN 319 403 and 319 411-*
approaches reflect the history of the European scheme, namely, the previous
use of ISO/IEC 15408 approach to TSP evaluation. 17065 sets out a variety
of procedures based upon what is being tested, but the historic evaluation
of evidence does not play a 'significant' role as compared to the
evaluation of the present controls. Indeed, discussions of sampling in that
context are limited to multi-site sampling. While reports such as TS 119
403-2 attempt to address some of this, it lacks normative force, and the
professional oversight that exists in, say, AICPA or CPA Canada, does not
apply in the context of eIDAS or the NABs (notwithstanding per-MS
regulation). This is why the change control process involves reporting to
the CAB the changes that may affect the ongoing compliance, and why ad-hoc
and surveillance audits exist in the context of the certification scheme.

If a CA had a WT audit on 2018-01-01, and misissued today on 2018-10-31,
they would not fundamentally have their seal pulled. Their seal is based on
the audit that was performed. While CPA Canada is considering the
implications of WT licensing and seals, fundamentally, the seal would
remain valid until its expiration, at which point, it might not be possible
to renew, as a seal, even if they got a WT audit, because there would be
qualifications.

However, if it was revealed that, during the period that was audited, the
CA had issues, and the auditor failed to appropriately detect them (which
itself opens up a can of worms re: national professional standards bodies),
then CPA Canada may determine to suspend the seal. I would say the best
example of this would be if they were informed of material misstatements by
management in Management's Assertion. The process for that, however, is
also based on the professional standards as well - for example, in the US,
AICPA AT-C 205.A54-58 in consideration of AT-C 205 .48-.49 that allows for
the post-facto reconsideration of new facts relevant to the date at which
the report was issued and for the period it was issued.
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy