Dear Kathleen,

As you accurately pointed out, Accredia's Regulations (Circular No.8/2017 and 
the updated No.5/2020) enforce the use of ETSI EN 319 403 and the related ETSI 
EN 319 4xx standards by all its accredited CABs since the beginning of this 
accreditation.
The accreditation regulation is a normative document for all CABs accredited by 
the NAB. In fact, in the case of Accredia, it has several additional 
requirements which go significantly beyond the requirements imposed by the ETSI 
standards and the eIDAS Regulation (the latter applies to EU Qualified 
Certificates). 

I can assure you that QMSCERT has been evaluated according to this, and even though 
I cannot speak on behalf of Accredia, I am certain this applies to all CABs 
accredited by Accredia.

As per your observation about the lack of an explicit reference, we were also 
intrigued by this issue at the end of June, so we had already reached out to 
Accredia on July 3rd, 2020 (exactly for the same reason/question). One would 
expect that they would put that in the accreditation documents or references, 
but for some yet unknown reason they don't.

If you feel that this is necessary, we can reach out to them again and provide 
feedback as soon as we get it.

Best regards,
Nikolaos Soumelidis


-----Original Message-----
From: dev-security-policy <dev-security-policy-boun...@lists.mozilla.org> On 
Behalf Of Kathleen Wilson via dev-security-policy
Sent: Wednesday, August 26, 2020 9:55 PM
To: mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: Verifying Auditor Qualifications

On 6/3/20 4:20 PM, Kathleen Wilson wrote:
> It recently came to my attention that I need to be more diligent in 
> verifying auditor qualifications.
> <snip>
> https://wiki.mozilla.org/CA/Audit_Statements#Auditor_Qualifications

All,

While re-verifying auditor qualifications I have run into the following 
situation, on which I would appreciate your opinions.


https://wiki.mozilla.org/CA/Audit_Statements#Standard_Check

 >> Check 1:  The NAB is listed as “full member” under 
https://european-accreditation.org/ea-members/directory-of-ea-members-and-mla-signatories/

The NAB, Accredia (https://www.accredia.it/) is listed as a "Full Member".


 >> Check 2:  The accreditation documentation was issued by that NAB and 
is hosted on the NAB's website

The accreditation documentation on the NAB's website for a few CABs:

QMSCERT: 
http://services.accredia.it/ppsearch/accredia_orgmask.jsp?ID_LINK=1733&area=310&PPSEARCH_ORG_SEARCH_MASK_ORG=3761

Bureau Veritas Italia: 
http://services.accredia.it/ppsearch/accredia_orgmask.jsp?ID_LINK=1733&area=310&PPSEARCH_ORG_SEARCH_MASK_ORG=0663

CSQA: 
http://services.accredia.it/ppsearch/accredia_orgmask.jsp?ID_LINK=1733&area=310&PPSEARCH_ORG_SEARCH_MASK_ORG=0010


 >> Check 3: The CABs accreditation documentation explicitly refers to 
all of the following: <ETSI EN 319 403, ETSI EN 319 401, ETSI EN 319 
411-1, and ETSI EN 319 411-2>

This is where I'm running into difficulty. The NAB's accreditation 
documentation does not explicitly state that the CAB is certified to 
audit against those ETSI EN standards.

For each of the CABs listed above, an Allegato (for UNI CEI EN/ISO/IEC 
17065:2012) can be downloaded that says: "TSP (Trust Service Provider) 
and the services they offer compared with (EU Regulation) 910/2014 and / 
or specific provisions adopted by the national authorities for the 
services covered by the Accreditation Scheme."

Which apparently refers to the following documents that list the 
ETSI EN standards:
Italian: 
https://www.accredia.it/app/uploads/2020/03/Circolare_tecnica_DC_05-2020.pdf
English: 
https://www.accredia.it/app/uploads/2017/03/7015_DC2017SSV046eng.pdf
https://www.accredia.it/documento/circolare-dc-n-82017-informativa-in-merito-allaccreditamento-degli-organismi-di-certificazione-operanti-a-fronte-dei-requisiti-del-regolamento-ue-2014_910-eidas-e-della-norma-etsi-en-319_4/


Is that sufficient evidence that the CAB is certified by the NAB to 
audit according to the ETSI EN 319 403, ETSI EN 319 401, ETSI EN 319 
411-1, and ETSI EN 319 411-2 standards?

Thanks,
Kathleen
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy