On 31/10/2018 8:00 PM, Ryan Sleevi via dev-security-policy wrote:
[...]
Dimitris, I'm sorry, but I don't believe this is a correct correction.

EN 319 403 incorporates ISO/IEC 17065; much like the discussion about EN
319 411-2 incorporating, but being separate from, EN 319 411-1, the
structure of EN 319 403 is that it incorporates normatively the structure
of ISO/IEC 17065, and, at some places, extends.

Your description of the system is logically incompatible, given the
incompatibilities in 319 403 and 17065.

You're correct that any applicable national legislation applies, with
respect to the context of eIDAS. However, one can be assessed solely
against the scheme of EN 319 403 and 319 411-1, without going for
qualified.

I have to disappoint you and insist that your statement "As the scheme
used in eIDAS for CABs is ETSI EN 319 403, the CAB must perform their
assessments in concordance with this scheme, and the NAB is tasked with
assessing their qualification and certification under any local
legislation (if appropriate) or, lacking such, under the framework for
the NAB applying the principles of ISO/IEC 17065 in evaluating the CAB
against EN 319 403"

and specifically the use of "or" in your statement, is incorrect. NABs
*always* assess qualification of CABs applying ISO/IEC 17065 AND ETSI EN
319 403 AND any applicable legislation. Only Austria is an exception (if
I recall correctly) because they don't apply ETSI EN 319 403 for CAB
accreditation.

Then, each CAB is accredited for specific standards (e.g. ETSI EN 319
411-1, 411-2, 421, eIDAS regulation and so on).

ISO 17065 and ETSI EN 319 403 apply only to CABs and ETSI EN 319 411-1,
411-2 apply only for TSPs. 411-2 incorporates 411-1 and 401 but does not
incorporate 403 or 17065. They are completely unrelated.

I'm afraid you're still misunderstanding, and I believe, misstating.

It is not ISO/IEC 17065 AND EN 319 403 that a CAB is assessed against.
They're assessed against EN 319 403, which *incorporates* ISO/IEC 17065.
This is the same way that when a TSP is assessed against ETSI EN 319 411-2,
they're not also (as in, separate audit report) assessed against EN 319
411-1; EN 319 411-2 *incorporates* EN 319 411-1.

Now, the CAB may ALSO be accredited for ISO/IEC 17065 (e.g. in the context
of application of other schemes), but I can't find supporting evidence to
support your claim that *both* are required in the context of EN 319 403.
Could you provide further details that you believe would demonstrate this?


I would prefer to let some auditor reply to this but I quickly went through https://ec.europa.eu/futurium/en/system/files/ged/list_of_eidas_accredited_cabs-2018-07-27.pdf and checked out some CAB accreditation letters and it looks like they are accredited to both "(ISO/IEC 17065 + ETSI EN 319 493 + eIDAS Art.3.18 scope of accreditation)".

I think it is also clearly stated in ETSI EN 319 403, which lists ISO 17065 as a normative reference and also states:

"ISO/IEC 17065 [1] is an international standard which specifies general requirements for conformity assessment bodies (CABs) performing certification of products, processes, or services. These requirements are not focussed on any specific application domain where CABs work. In the present document the general requirements are *supplemented* to provide additional dedicated requirements for CABs performing certification of Trust Service Providers (TSPs) and the trust services they provide towards defined criteria against which they claim conformance."

"The present document also *incorporates* many requirements relating to the audit of a TSP's management system, as defined in ISO/IEC 17021 [i.12] and in ISO/IEC 27006 [i.11]. These requirements are incorporated by including text derived from these documents in the present document, as well as indirectly through references to requirements of ISO/IEC 17021 [i.12]."

So, in my understanding, ISO 17065 must be fully covered and some elements of ISO 17021 are incorporated. ETSI EN 319 403 supplements 17065.

I don't think this is a valid criticism, particularly in the context of
the specific case we're speaking about. I'm speaking about what's required -
you're speaking about what's possible. Many things are possible, but what
matters for expectations is what is required. 7.11.3 simply defers to the
scheme to specify, which EN 319 403 does not as it relates to this
discussion.

ISO 17065 sets the base and 7.11.3 describes the principles that need to
be followed. It is very likely that different CABs will choose to
implement this principle in a different way but at the end of the day,
their implementation must satisfy the principle and they are evaluated
by the NAB that ensures the principles are met.

Yes, which does not mean it provides any baseline assurance for relying
parties, which matters.

For example, when we talk about expectations of CAs, we don't talk about
what they 'could' do, we talk about what they MUST do, because at the end
of the day, that's the bar they're being held to. It's certainly true that
a given TSP may go above and beyond some bar, but that doesn't mean we can
say "CAs do X", because they aren't required to. The same logic applies in
the discussion of CABs - it does not make sense to discuss how they 'could'
interpret it, but rather, what they MUST do.

ISO 17065 and ETSI EN 319 403 include normative requirements for CABs just as the Baseline Requirements and ETSI EN 319 411-1 do for TSPs. I don't understand why you think it is any different for CABs. For example, the baseline requirements mandate that "The CA SHALL maintain a continuous 24x7 ability to respond internally to a high-priority Certificate Problem Report, and where appropriate, forward such a complaint to law enforcement authorities, and/or revoke a Certificate that is the subject of such a complaint".

It doesn't specify exactly how a CA shall respond internally to such a request. It must have a process and the CAB will evaluate it.

Similarly for CABs, under 7.13.1 of 17065 "The certification body shall have a documented process to receive, evaluate and make decisions on complaints and appeals. The certification body shall record and track complaints and appeals, as well as actions undertaken to resolve them".

It doesn't specify exactly how the CAB shall fulfill this requirement, but each competent CAB must demonstrate to their NAB that they have a documented process that fulfills this criterion and is effective and efficient.

Even in the introduction section of 17065, you see the same use of words SHALL, SHOULD, MAY, CAN as described in RFC2119.


This standard is very old and very mature, and is used to evaluate
products and processes related to food, elevators and so many critical
life-threatening products. Depending on the criticality of the audited
standard, there may be additional requirements for the disclosure of
non-conformities, certification suspension/withdrawal and others. For
example, the food industry has additional rules for CABs (accredited
under ISO 17065) evaluating companies that produce certain food products
so that in case they detect certain pathogens or other major
non-conformities, they must inform specific regulatory authorities. It
is not impossible to set out similar rules in ETSI EN 319 403 or, as we
agreed in my previous post, in Root program requirements.

Sure, but that's fundamentally dependent upon the accreditation scheme of
the CABs and the certification scheme of the TSPs. I think it's fair to say
that under eIDAS and EN 319 403, these are not requirements, and that's
what's relevant to the discussion at hand.

It's the same way that when we talk about the BRs, it's pointless to talk
about how some CAs may go above and beyond in their CPS, when discussing
the CA ecosystem or a particular (different) CA's misissuance. What matters
is the baseline expectations here.

Some baseline expectations are not overly prescriptive in the BRs for CAs nor in the "BRs for CABs" (i.e. ISO 17065 and ETSI EN 319 403). Information Security Management Systems can have significantly different implementations but must maintain specific principles. This is where illustrative controls and recommended practices come in so that the auditors can evaluate if the principles are met but it's always subject to the opinion of the CAB (when auditing TSPs), and to the NAB (when assessing CABs).



Similarly with TSPs losing their Certification, if a CAB loses their
Accreditation it will be displayed on the NAB's web site.

More concretely, the absence will be.

They should be using a similar process, that is to mark that an
accreditation has been suspended or withdrawn.

Going back to the above; 'should' and 'must' are two very different things.


If you want to challenge the NAB's systems for handling suspension/withdrawal of accreditations, I'm sure they have their own set of rules/criteria.

"An unqualified opinion from the practitioner indicates that such
principles *are being followed* in conformity with the WebTrust for
Certification Authorities Criteria. These principles and criteria
reflect fundamental standards for *the establishment and on-going
operation* of a Certification Authority organization or function."

So, if I check a WT seal today Oct 31, 2018, even though the CA has not
been audited between their last audit and today, the WT seal represents
that it is still valid and not withdrawn. They are both "forward
looking" in the eyes of Relying Parties.

This fundamentally misunderstands what WT audits are.
Perhaps, but in my understanding both schemes result in a public
declaration that the CA/TSP has been audited over a particular period
according to specific standards, and can be reasonably trusted in
continuing to do what they do until they are evaluated again.

No, that's not what a WebTrust statement is; it's an evaluation of historic
details without a statement as to future prediction. For the period that was
evaluated, the auditor reviewed the design and controls, believes they met
the principles and criteria, and tested the operational effectiveness of
those controls by examining their historic operation. It is not a
forward-looking statement. Extensive documentation and professional
standards exist with respect to how the data is evaluated, sampled, and
interpreted.

The seal statement which I quoted earlier leaves the impression, at least to me, that with the seal, the public gets some assurance "for the establishment and on-going operation of a Certification Authority organization or function".

Also, as an RP that reads "principles are being followed in conformity with the WebTrust for Certification Authorities Criteria", I have reasonable assurance that "principles are being followed", which is forward-looking.

A certification is an ongoing statement of compliance, based on a set of
testing specific enumerated controls. The EN 319 403 and 319 411-*
approaches reflect the history of the European scheme, namely, the previous
use of ISO/IEC 15408 approach to TSP evaluation. 17065 sets out a variety
of procedures based upon what is being tested, but the historic evaluation
of evidence does not play a 'significant' role as compared to the
evaluation of the present controls. Indeed, discussions of sampling in that
context are limited to multi-site sampling. While reports such as TS 119
403-2 attempt to address some of this, it lacks normative force, and the
professional oversight that exists in, say, AICPA or CPA Canada, does not
apply in the context of eIDAS or the NABs (notwithstanding per-MS
regulation). This is why the change control process involves reporting to
the CAB the changes that may affect the ongoing compliance, and why ad-hoc
and surveillance audits exist in the context of the certification scheme.

If a CA had a WT audit on 2018-01-01, and misissued today on 2018-10-31,
they would not fundamentally have their seal pulled. Their seal is based on
the audit that was performed. While CPA Canada is considering the
implications of WT licensing and seals, fundamentally, the seal would
remain valid until its expiration, at which point, it might not be possible
to renew, as a seal, even if they got a WT audit, because there would be
qualifications.

I think this example explains it perfectly, although I have the impression from previous discussions that in any case of "deviation", auditors (regardless if they are WT or ETSI) must be notified by the CA/TSP.

7.10 Changes affecting certification
The requirements from ISO/IEC 17065 [1], clause 7.10 shall apply. In addition, the following TSP-specific requirements and guidance apply. Changes affecting certification initiated by the client may comprise but are not limited to:
a) major changes in the TSP documentation;
b) changes in TSP policies, objectives or procedures affecting the trust service; or
c) security relevant changes.
EXAMPLE: Changes of trustworthy systems, network security or physical infrastructure measures, new sites relevant for providing the trust service.

Source: ETSI EN 319 403

Also in ISO 17065 4.1.2 k)

the client informs the certification body, without delay, of changes that may affect its ability to conform with the certification requirements.
NOTE Examples of changes can include the following:
- the legal, commercial, organizational status or ownership,
- organization and management (e.g. key managerial, decision-making or technical staff),
- modifications to the product or the production method,
- contact address and production sites,
- major changes to the quality management system

Then the CAB:

7.11.1 When a nonconformity with certification requirements is substantiated, either as a result of surveillance or otherwise, the certification body shall consider and decide upon the appropriate action.
NOTE Appropriate action can include the following:
- continuation of certification under conditions specified by the certification body (e.g. increased surveillance);
- reduction in the scope of certification to remove nonconforming product variants;
- suspension of the certification pending remedial action by the client;
- withdrawal of the certification

Source: ISO 17065

This is indeed a different approach between the two schemes. For ETSI, you might be required to stop all operations if the CAB suspends the certification, before the end of the on-going audit period. If I understood correctly, in WT you will be allowed to continue operations until the next audit, where you will get a qualified opinion. Is that correct?

However, if it was revealed that, during the period that was audited, the
CA had issues, and the auditor failed to appropriately detect them (which
itself opens up a can of worms re: national professional standards bodies),
then CPA Canada may determine to suspend the seal. I would say the best
example of this would be if they were informed of material misstatements by
management in Management's Assertion. The process for that, however, is
also based on the professional standards as well - for example, in the US,
AICPA AT-C 205.A54-58 in consideration of AT-C 205 .48-.49 that allows for
the post-facto reconsideration of new facts relevant to the date at which
the report was issued and for the period it was issued.

Yes, we've seen auditors not appropriately detecting problems in both schemes. Both schemes should have a complaint procedure for third-parties to use, if they consider an audit doesn't meet the appropriate standards.

Dimitris.
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
