Re: CCADB Updates August 20-24: Policy Document Objects
Here are a couple of clarifications about this CCADB update. Please let me know if you run into any problems or have further questions about it.

1) The multiple-policy-documents feature is only available at the root certificate level.

2) Changes to root certificate records and their policy document objects are still only done via Audit Cases. We are aware that we need to enable CAs to provide mid-year updates that are not related to audit statements, and plan to work on that soon.

Regarding
>> We are already working to fix the AllCertificateRecordsCSVFormat report, which is currently messing up crt.sh/mozilla-disclosures.

The report has been fixed.

Thanks,
Kathleen

___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
Re: Verifying Auditor Qualifications
On 6/3/20 4:20 PM, Kathleen Wilson wrote:
> It recently came to my attention that I need to be more diligent in verifying auditor qualifications.
>
> https://wiki.mozilla.org/CA/Audit_Statements#Auditor_Qualifications

All,

While re-verifying auditor qualifications I have run into the following situation, that I will appreciate your opinions on.

https://wiki.mozilla.org/CA/Audit_Statements#Standard_Check

>> Check 1: The NAB is listed as "full member" under https://european-accreditation.org/ea-members/directory-of-ea-members-and-mla-signatories/

The NAB, Accredia (https://www.accredia.it/) is listed as a "Full Member".

>> Check 2: The accreditation documentation was issued by that NAB and is hosted on the NAB's website

The accreditation documentation on the NAB's website for a few CABs:

QMSCERT: http://services.accredia.it/ppsearch/accredia_orgmask.jsp?ID_LINK=1733&area=310&PPSEARCH_ORG_SEARCH_MASK_ORG=3761
Bureau Veritas Italia: http://services.accredia.it/ppsearch/accredia_orgmask.jsp?ID_LINK=1733&area=310&PPSEARCH_ORG_SEARCH_MASK_ORG=0663
CSQA: http://services.accredia.it/ppsearch/accredia_orgmask.jsp?ID_LINK=1733&area=310&PPSEARCH_ORG_SEARCH_MASK_ORG=0010

>> Check 3: The CAB's accreditation documentation explicitly refers to all of the following: 411-1, and ETSI EN 319 411-2>

This is where I'm running into difficulty. The NAB's accreditation documentation does not explicitly state that the CAB is certified to audit against those ETSI EN standards.

For each of the CABs listed above, an Allegato (for UNI CEI EN/ISO/IEC 17065:2012) can be downloaded that says: "TSP (Trust Service Provider) and the services they offer compared with (EU Regulation) 910/2014 and / or specific provisions adopted by the national authorities for the services covered by the Accreditation Scheme."

Which apparently refers to the following documents that list the ETSI EN standards:

Italian: https://www.accredia.it/app/uploads/2020/03/Circolare_tecnica_DC_05-2020.pdf
English: https://www.accredia.it/app/uploads/2017/03/7015_DC2017SSV046eng.pdf
https://www.accredia.it/documento/circolare-dc-n-82017-informativa-in-merito-allaccreditamento-degli-organismi-di-certificazione-operanti-a-fronte-dei-requisiti-del-regolamento-ue-2014_910-eidas-e-della-norma-etsi-en-319_4/

Is that sufficient evidence that the CAB is certified by the NAB to audit according to the ETSI EN 319 403, ETSI EN 319 401, ETSI EN 319 411-1, and ETSI EN 319 411-2 standards?

Thanks,
Kathleen
Re: Verifying Auditor Qualifications
In a draft template for audit attestations, provided by the ACAB'c, the template would provide a URL to the NAB's certification of the CAB with a statement that the NAB had certified the CAB to perform "certification of trust services according to 'EN ISO/IEC 17065:2012' and 'ETSI EN 319 403 V2.2.2 (2015-08)'", but with a note that the CAB could update the template based on actual certifications received from the NAB.

This raises the question of whether NABs typically include ETSI EN 319 401, ETSI EN 319 411-1 and ETSI EN 319 411-2 in such CAB certification records. If not, maybe references to EN ISO/IEC 17065:2012 and ETSI EN 319 403 V2.2.2 (2015-08) would then need to be sufficient. That is something that would be good to know.

Thanks,
Kathleen

On Wed, Aug 26, 2020 at 12:54 PM Kathleen Wilson via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
> On 6/3/20 4:20 PM, Kathleen Wilson wrote:
> > It recently came to my attention that I need to be more diligent in verifying auditor qualifications.
> >
> > https://wiki.mozilla.org/CA/Audit_Statements#Auditor_Qualifications
>
> All,
>
> While re-verifying auditor qualifications I have run into the following situation, that I will appreciate your opinions on.
>
> https://wiki.mozilla.org/CA/Audit_Statements#Standard_Check
>
> >> Check 1: The NAB is listed as "full member" under https://european-accreditation.org/ea-members/directory-of-ea-members-and-mla-signatories/
>
> The NAB, Accredia (https://www.accredia.it/) is listed as a "Full Member".
Re: Verifying Auditor Qualifications
On 8/26/20 12:29 PM, Ben Wilson wrote:
> This raises the question of whether NABs typically include ETSI EN 319 401, ETSI EN 319 411-1 and ETSI EN 319 411-2 in such CAB certification records.

The answer to that question is yes, the other NABs typically do list that information directly in the CAB certification records. Here are a few examples:

https://www.enac.es/documents/7020/5ae31445-73fa-4e16-acc4-78e079375c4f
http://www.ipac.pt/pesquisa/ficha_ocp.asp?id=C0009
http://www.ukas.com/wp-content/uploads/schedule_uploads/00011/00295/0003Product%20Certification.pdf
http://www.cofrac.fr/annexes/sect5/5-0597.pdf
https://nah.gov.hu/uploads/attachment/file/7913/RO_3_-CERTOP_0034_K_2019_03_28.pdf
https://www.dakks.de/as/ast/d/D-ZE-16077-01-00.pdf

Cheers,
Kathleen
RE: Verifying Auditor Qualifications
Dear Kathleen,

As you accurately pointed out, Accredia's Regulations (Circular No.8/2017 and the updated No.5/2020) enforce the use of ETSI EN 319 403 and the related ETSI EN 319 4xx standards by all its accredited CABs since the beginning of this accreditation. The accreditation regulation is a normative document for all CABs accredited by the NAB. In fact, in the case of Accredia, it has several additional requirements which go significantly beyond the requirements imposed by ETSI standards and the eIDAS Regulation (the latter applies for EU Qualified Certificates). I can assure that QMSCERT has been evaluated according to this, and even though I cannot speak on behalf of Accredia, I am certain this applies to all CABs accredited by Accredia.

As per your observation about the lack of an explicit reference, we were also intrigued by this issue at the end of June, so we had already reached out to Accredia on July 3rd, 2020 (exactly for the same reason/question). One would expect that they would put that in the accreditation documents or references, but for some yet unknown reason they don't. If you feel that this is necessary, we can reach out to them again and provide feedback as soon as we get it.

Best regards,
Nikolaos Soumelidis

-----Original Message-----
From: dev-security-policy On Behalf Of Kathleen Wilson via dev-security-policy
Sent: Wednesday, August 26, 2020 9:55 PM
To: mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: Verifying Auditor Qualifications

On 6/3/20 4:20 PM, Kathleen Wilson wrote:
> It recently came to my attention that I need to be more diligent in verifying auditor qualifications.
>
> https://wiki.mozilla.org/CA/Audit_Statements#Auditor_Qualifications

All,

While re-verifying auditor qualifications I have run into the following situation, that I will appreciate your opinions on.
Re: Verifying Auditor Qualifications
On 8/26/20 12:35 PM, Nikolaos Soumelidis wrote:
> One would expect that they would put that in the accreditation documents or references,

That helps answer part of my question -- that it is reasonable to expect the NAB's accreditation document to specifically list these ETSI EN standards.

> If you feel that this is necessary, we can reach out to them again and provide feedback as soon as we get it.

I will greatly appreciate it if you can reach out to them again. Please let me know what information you would need.

According to the instructions for verifying ETSI auditor qualifications (https://wiki.mozilla.org/CA/Audit_Statements#Standard_Check) it is necessary that there be something on the NAB's website that clearly indicates that the CAB is accredited to perform audits for those specific standards.

So my question in this m.d.s.p forum is: Is the information currently provided by Accredia specific enough, or do we need to get Accredia to update their documentation process?

Note that with the exception of 4 CABs accredited by Accredia and 1 CAB accredited by CAI, I was able to complete https://wiki.mozilla.org/CA/Audit_Statements#Standard_Check for the CABs used by CAs in Mozilla's root store. The 5 CABs that I haven't been able to complete the Standard Check for are:

- Bureau Veritas Italia S.p.A. - NAB is Accredia
- CSQA - NAB is Accredia
- KIWA - NAB is Accredia
- QMSCERT - NAB is Accredia
- QSCert - NAB is CAI

Thanks,
Kathleen
RE: Verifying Auditor Qualifications
>> I will greatly appreciate it if you can reach out to them again. Please let me know what information you would need.

Will definitely do. Probably no other information will be needed by you, but I do appreciate the offer.

>> Note that with the exception of 4 CABs accredited by Accredia and 1 CAB accredited by CAI, I was able to complete
>> https://wiki.mozilla.org/CA/Audit_Statements#Standard_Check for the CABs used by CAs in Mozilla's root store.
>> The 5 CABs that I haven't been able to complete the Standard Check for are:
>> - Bureau Veritas Italia S.p.A. - NAB is Accredia
>> - CSQA - NAB is Accredia
>> - KIWA - NAB is Accredia
>> - QMSCERT - NAB is Accredia
>> - QSCert - NAB is CAI

Please note that in the case of QMSCERT ("A" member of ACAB'C), https://wiki.mozilla.org/CA/Audit_Statements#Simplified_Check applies.

Best regards,
Nikolaos Soumelidis
Re: Verifying Auditor Qualifications
On 8/26/20 2:01 PM, Nikolaos Soumelidis wrote:
>> I will greatly appreciate it if you can reach out to them again. Please let me know what information you would need.
>
> Will definitely do. Probably no other information will be needed by you, but I do appreciate the offer.

Thanks!

> Please note that in the case of QMSCERT ("A" member of ACAB'C), https://wiki.mozilla.org/CA/Audit_Statements#Simplified_Check applies.

https://wiki.mozilla.org/CA/Audit_Statements#Simplified_Check
"IMPORTANT: At this time, this check may only be used as a preliminary check, and the Standard Check must also be completed."

But the ACAB'c list is very helpful, with the direct link to the accreditation attestation for each ACAB.