On Fri, Nov 6, 2020 at 12:00 PM Clemens Wanko via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:

> Hi Ryan, hi all,
> three things to comment on that:
>
> 1.      How is the EU ETSI audit scheme thought and what is it intended to
> provide to Mozilla and the CA/Browser ecosystem?

The European scheme of technical standards for CA/TSP developed by ETSI was
> made and is constantly adopted to integrate CA/Browser requirements. The
> main standards I am referring to are: ETSI EN 319 401, EN 319 411-1 and EN
> 319 411-2. With regard to auditor guidance specifically for the CA/Browser
> ecosystem, ETSI even developed and maintains the TS 119 403-2 “Part 2:
> Additional requirements for Conformity Assessment Bodies auditing Trust
> Service Providers that issue Publicly-Trusted Certificates”.
> For auditors using such technical standards Europe has established a well
> thought through scheme based upon organizations (accredited audit bodies)
> which job it is – amongst others – to ensure auditors (the natural person)
> qualification, independence, etc. This scheme turned out to be of high
> trustworthiness, reliability, robustness, etc. And it works very well over
> here since years.
>

I'm sure something is lost in translation, but this does not address any of
the concerns raised. The ETSI standards here are not relevant; voluntary
standards, in and of themselves, are not binding. The fact that a standard
exists is not relevant, since what matters is how the standard is adhered
to and supervised.

Your subsequent statement is simply "Well, they're auditors, people trust
them to do this", without any form of meaningful engagement on the why.
"It's their job to ensure independence" - yes, but that says nothing about
the performance of the job, that your measure of independence is consistent
with another measure, etc. Your entire appeal here simply is "We say we're
trustworthy, so of course we're trustworthy", which would be farcical if it
wasn't presented so seriously.


> 2.      Transparency
> The transparency lies in the European scheme with independent skilled
> bodies auditing each other in order to ensure conformant implementation of
> technical standards as well as of operational requirements for audit bodies
> as well as for the single auditor (natural person).


This is, again, a restatement of "Trust us, because we declared we're
trustworthy". For something such as trust, there's no question of "but
verify". Your appeal to SDOs is not relevant here, because as you and I are
both aware, the SDO just makes (voluntary) standards, and doesn't enforce
them. And this gets to the heart of the matter: the question about how each
of these dimensions are interpreted is something you would prefer the CABs
to self-declare, and the suggestion here is "Sure, you can say that, but
you need to also help us understand why that's true".


> Not only the requirements for the qualification/independence/etc. of the
> auditor (natural person) are clearly defined within the ISO/ETSI but also
> the management requirements of the body in order to ensure that they are
> kept upright – btw. BSI C5 controls, section 4.4.9 is meant similar to
> that.
> Every accredited body is audited at least once a year by its NAB which
> checks conformant audit processing (e.g. according to ISO/IEC17065 in
> combination with ETSI EN 319 403).
>

This is the first time in this e-mail that you remotely come to
establishing a "why". As we both know full well, the authority of the CAB
(and its assessment along these relevant axis in 319 403) is imbued by the
NAB. The authority of the NAB is imbued by EA, established by Regulation
765/2008. The root of trust is, simply stated, "The state mechanisms of the
European Union trusts us, ergo, we are defacto trustworthy".

As a long-time participant in this group, I'm sure you can understand and
appreciate that the "Trust us, we're the government" argument rarely
improves trust. For CAs, we work on the basis of concrete evidence; after
all, this is why we have audits in the first place, even for government
CAs. The argument you're making here is that EA imbued sovereign member
states the ability to establish their NAB, and the NABs are responsible for
supervising the CABs. If we have a complaint with the CAB, the argument
goes, we should complain to the NAB, consistent with the ISO 17065
framework that EN 319 403 is based on.

Yet this misguided argument overlooks a host of salient details, no doubt
because of the convenience in doing so. Unlike, say, the ISAE 3000 approach
to audits, the approach taking by this EA/NAB/CAB chain is much more
limited with respect to a host of professional duties, and only directly
applicable within the contents of 319 403, and the relevant (supervised)
reports, such as 319 411-1. Thus, there's easy opportunity for there to be
a divergence in needs, by a CAB asserting that they are qualified within
the aegis of 319 403/319 411-1 with the necessary technical skills, and
which an individual supervisory body unfortunately accepts, while still
being vastly below the quality expected by the broader Mozilla community.
There is no opportunity for relief in the framework of 17065, because the
fact that the NAB/SB have determined the CAB's skills and reporting as
suitable for eIDAS is all that is required.

All of this, again, rests in a presumption that we "trust, but verify". To
accept the argument that EA/NAB are inviolate and incapable of making
decisions misaligned with community needs is to equally be making the
argument that every government CA should be automatically added, because
they're the government. That's not how this works. That's not how any of
this works.


> Now, requesting more of transparency with regard to auditor qualification
> for Mozilla insinuates this immediately translates into more confidence in
> the auditor. Please lets be careful here. If we like the community to
> follow that, shouldn’t be clearly stated:
>

I can understand and appreciate why, as a CAB used to performing audits
under the ETSI framework, you prefer that everything be a checklist.
Unfortunately, trust is not a checklist, but a preponderance of evidence of
past behavior that can lead to accurate prediction of future behavior. I
can trust you to do X today, because you did X yesterday, the day before,
and the day before that.

The basis for trust is that the CAB should build the evidence as to *why*
they are trustworthy. What makes the CAB relevant for this problem?

To date, your appeal has mostly been "Well, we address this other problem,
and they're satisfied, so clearly, we're qualified to address this
problem", but that's comparing apples to orangutans. Concrete evidence as
to /why/ and /how/ are relevant to being able to say "Yes, that's good
enough", but also to help identify trends and patterns, such as "Oh,
auditors with this skill X, or without this skill Y, consistently produce
this result Z, and that is/is not what we want"

I agree that there is benefit from an appropriate set of principles, but I
reject the assertion at face value that the idea of trust should be reduced
to a checklist, whether it's CAs or auditors. As a long-time participant,
you know exactly that the process of trust is not binary, and considers a
host of factors, some discretionary. Reducing these complex decisions to
binary decisions is exactly the direction root stores have spent
considerable effort moving away from over the past two decades, because of
the myriad security problems, and it'd be naive to suggest it somehow
appropriate for auditors.


> 3.      Requiring all their externally-operated subordinate CAs review
> their auditors
> You said:
> quote  <<< That sounds like a great idea, and sounds like a good
> compliment to an approach that several (Root) CAs have taken, of requiring
> all their externally-operated subordinate CAs review their auditors and
> audit scope with the root CAO, before finalizing the audit engagement.
> An example of how the public review has been done in the past is available
> at
> https://groups.google.com/g/mozilla.dev.security.policy/c/sRJOPiePUvI/m/oRmRffaQmcYJ
> >>>
>
> If we like to suggest that, wouldn’t we then not also need to state at
> least
> 1st  based upon what rule-set we like the CA to review auditors,
> 2nd what competences are required at CA level to validate auditors and how
> those shall be established and maintained,
> 3rd how the CA is required to do that with regard to process and timing?
> In order to be clear and transparent, things like these would need to be
> defined at CA level then.
>

This is certainly "an" approach that can be used, and I do want to
acknowledge that. But it's not the only way this problem can be solved, and
I worry that this suffers from the many deficiencies that are addressed
earlier in this mail.
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
  • Policy 2.7.1: MRSP Issue #1... Ben Wilson via dev-security-policy
    • Re: Policy 2.7.1: MRSP... Clemens Wanko via dev-security-policy
      • Re: Policy 2.7.1: ... Ryan Sleevi via dev-security-policy
        • Re: Policy 2.7... Wojtek Porczyk via dev-security-policy
          • Re: Policy... Ryan Sleevi via dev-security-policy
          • Re: Policy... Clemens Wanko via dev-security-policy
            • Re: P... Ryan Sleevi via dev-security-policy
              • R... Dimitris Zacharopoulos via dev-security-policy
                • ... Ryan Sleevi via dev-security-policy
                • ... Dimitris Zacharopoulos via dev-security-policy
                • ... Ryan Sleevi via dev-security-policy
                • ... Dimitris Zacharopoulos via dev-security-policy
                • ... Ben Wilson via dev-security-policy
                • ... Dimitris Zacharopoulos via dev-security-policy
            • Re: P... Clemens Wanko via dev-security-policy
              • R... Ryan Sleevi via dev-security-policy
                • ... Kathleen Wilson via dev-security-policy

Reply via email to