Re: Verifying Auditor Qualifications
On 10/11/20 11:06 PM, Nikolaos Soumelidis wrote:
> Dear Kathleen,
>
> We have been informed by ACCREDIA that the accreditation pages have now been updated to include ETSI EN 319 403. This removes any ambiguity. URLs remain the same; for example, QMSCERT's accreditation:
> https://services.accredia.it/ppsearch/accredia_orgmask.jsp?ID_LINK=1733&area=310&PPSEARCH_ORG_SEARCH_MASK_ORG=3761&PPSEARCH_ORG_SEARCH_MASK_SCHEMI=&PPSEARCH_ORG_SEARCH_MASK_SCHEMI_ALTRI=&PPSEARCH_ODC_SEARCH_MASK_SETTORE_ACCR=&PPSEARCH_ORG_SEARCH_MASK_CITTA=&PPSEARCH_ORG_SEARCH_MASK_PROVINCIA=&PPSEARCH_ORG_SEARCH_MASK_REGIONE=&PPSEARCH_ORG_SEARCH_MASK_STATO=&orgtype=all&PPSEARCH_ORG_SEARCH_MASK_SCOPO=&PPSEARCH_ORG_SEARCH_MASK_PDFACCREDITAMENTO=&submitBtn=Cerca
>
> From a quick check, this applies for the other ACCREDIA CABs as well. In addition to the above fix, the new accreditation documents will include similar explicit references.
>
> Best regards,
> Nikolaos Soumelidis

Thanks for letting me know. I have updated the corresponding auditor qualifications in the CCADB, since ACCREDIA now provides the required information directly on their website.

Thanks!
Kathleen

___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
RE: Verifying Auditor Qualifications
Dear Kathleen,

We have been informed by ACCREDIA that the accreditation pages have now been updated to include ETSI EN 319 403. This removes any ambiguity. URLs remain the same; for example, QMSCERT's accreditation:
https://services.accredia.it/ppsearch/accredia_orgmask.jsp?ID_LINK=1733&area=310&PPSEARCH_ORG_SEARCH_MASK_ORG=3761&PPSEARCH_ORG_SEARCH_MASK_SCHEMI=&PPSEARCH_ORG_SEARCH_MASK_SCHEMI_ALTRI=&PPSEARCH_ODC_SEARCH_MASK_SETTORE_ACCR=&PPSEARCH_ORG_SEARCH_MASK_CITTA=&PPSEARCH_ORG_SEARCH_MASK_PROVINCIA=&PPSEARCH_ORG_SEARCH_MASK_REGIONE=&PPSEARCH_ORG_SEARCH_MASK_STATO=&orgtype=all&PPSEARCH_ORG_SEARCH_MASK_SCOPO=&PPSEARCH_ORG_SEARCH_MASK_PDFACCREDITAMENTO=&submitBtn=Cerca

From a quick check, this applies for the other ACCREDIA CABs as well. In addition to the above fix, the new accreditation documents will include similar explicit references.

Best regards,
Nikolaos Soumelidis

-----Original Message-----
From: dev-security-policy On Behalf Of Kathleen Wilson via dev-security-policy
Sent: Tuesday, September 1, 2020 9:47 PM
To: mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: Verifying Auditor Qualifications

On 8/31/20 11:07 AM, Kathleen Wilson wrote:
> On 8/28/20 3:59 PM, Kathleen Wilson wrote:
>> On 8/26/20 1:41 PM, Kathleen Wilson wrote:
>>> The 5 CABs that I haven't been able to complete the Standard Check for are:
>>>
>>> - Bureau Veritas Italia S.p.A. - NAB is Accredia
>>> - CSQA - NAB is Accredia
>>> - KIWA - NAB is Accredia
>>> - QMSCERT - NAB is Accredia
>>> - QSCert - NAB is CAI
>>
>> Update: I received email from Accredia declaring the ETSI EN standards that the KIWA CAB is accredited for. I think it is reasonable to accept that for this auditor's re-verification. And I have asked that KIWA request Accredia to provide this information directly on their website for future reference.
>
> Updates:
>
> 1) I received email from Accredia declaring the ETSI EN standards that the QMSCERT CAB is accredited for, and I will accept that for now.
>
> 2) The email from Accredia also said "We are working to provide this information directly on our website for future references."
>
> 3) https://ec.europa.eu/futurium/en/content/list-conformity-assessment-bodies-cabs-accredited-against-requirements-eidas-regulation was updated to provide the updated list_of_eidas_accredited_cabs-2020-08-28.pdf
>
> Note: The https://ec.europa.eu/futurium/en/content/list-conformity-assessment-bodies-cabs-accredited-against-requirements-eidas-regulation site says: "Please note that the list is an informative tool." So, the list_of_eidas_accredited_cabs-2020-08-28.pdf is not in itself sufficient proof of a CAB's qualifications. It is very helpful in making it easy to find the NAB and CAB accreditation information, but we must still check the NAB and CAB accreditation information and make sure the CAB accreditation document lists the ETSI EN 319 403, ETSI EN 319 401, ETSI EN 319 411-1, and ETSI EN 319 411-2 standards as per https://wiki.mozilla.org/CA/Audit_Statements#Standard_Check
>
> Thanks to all of you who have been helping with this!
>
> Kathleen

Update: I received email from Accredia declaring the ETSI EN standards that the Bureau Veritas Italia S.p.A. and CSQA CABs are accredited for, and I will accept those for now.

So the remaining CAB that I still need to verify is QSCert, and I filed the following bug for it:
https://bugzilla.mozilla.org/show_bug.cgi?id=1662533

Thanks,
Kathleen
Re: Verifying Auditor Qualifications
On 8/31/20 11:07 AM, Kathleen Wilson wrote:
> On 8/28/20 3:59 PM, Kathleen Wilson wrote:
>> On 8/26/20 1:41 PM, Kathleen Wilson wrote:
>>> The 5 CABs that I haven't been able to complete the Standard Check for are:
>>>
>>> - Bureau Veritas Italia S.p.A. - NAB is Accredia
>>> - CSQA - NAB is Accredia
>>> - KIWA - NAB is Accredia
>>> - QMSCERT - NAB is Accredia
>>> - QSCert - NAB is CAI
>>
>> Update: I received email from Accredia declaring the ETSI EN standards that the KIWA CAB is accredited for. I think it is reasonable to accept that for this auditor's re-verification. And I have asked that KIWA request Accredia to provide this information directly on their website for future reference.
>
> Updates:
>
> 1) I received email from Accredia declaring the ETSI EN standards that the QMSCERT CAB is accredited for, and I will accept that for now.
>
> 2) The email from Accredia also said "We are working to provide this information directly on our website for future references."
>
> 3) https://ec.europa.eu/futurium/en/content/list-conformity-assessment-bodies-cabs-accredited-against-requirements-eidas-regulation was updated to provide the updated list_of_eidas_accredited_cabs-2020-08-28.pdf
>
> Note: The https://ec.europa.eu/futurium/en/content/list-conformity-assessment-bodies-cabs-accredited-against-requirements-eidas-regulation site says: "Please note that the list is an informative tool." So, the list_of_eidas_accredited_cabs-2020-08-28.pdf is not in itself sufficient proof of a CAB's qualifications. It is very helpful in making it easy to find the NAB and CAB accreditation information, but we must still check the NAB and CAB accreditation information and make sure the CAB accreditation document lists the ETSI EN 319 403, ETSI EN 319 401, ETSI EN 319 411-1, and ETSI EN 319 411-2 standards as per https://wiki.mozilla.org/CA/Audit_Statements#Standard_Check
>
> Thanks to all of you who have been helping with this!
>
> Kathleen

Update: I received email from Accredia declaring the ETSI EN standards that the Bureau Veritas Italia S.p.A. and CSQA CABs are accredited for, and I will accept those for now.

So the remaining CAB that I still need to verify is QSCert, and I filed the following bug for it:
https://bugzilla.mozilla.org/show_bug.cgi?id=1662533

Thanks,
Kathleen
Re: Verifying Auditor Qualifications
On 8/28/20 3:59 PM, Kathleen Wilson wrote:
> On 8/26/20 1:41 PM, Kathleen Wilson wrote:
>> The 5 CABs that I haven't been able to complete the Standard Check for are:
>>
>> - Bureau Veritas Italia S.p.A. - NAB is Accredia
>> - CSQA - NAB is Accredia
>> - KIWA - NAB is Accredia
>> - QMSCERT - NAB is Accredia
>> - QSCert - NAB is CAI
>
> Update: I received email from Accredia declaring the ETSI EN standards that the KIWA CAB is accredited for. I think it is reasonable to accept that for this auditor's re-verification. And I have asked that KIWA request Accredia to provide this information directly on their website for future reference.

Updates:

1) I received email from Accredia declaring the ETSI EN standards that the QMSCERT CAB is accredited for, and I will accept that for now.

2) The email from Accredia also said "We are working to provide this information directly on our website for future references."

3) https://ec.europa.eu/futurium/en/content/list-conformity-assessment-bodies-cabs-accredited-against-requirements-eidas-regulation was updated to provide the updated list_of_eidas_accredited_cabs-2020-08-28.pdf

Note: The https://ec.europa.eu/futurium/en/content/list-conformity-assessment-bodies-cabs-accredited-against-requirements-eidas-regulation site says: "Please note that the list is an informative tool." So, the list_of_eidas_accredited_cabs-2020-08-28.pdf is not in itself sufficient proof of a CAB's qualifications. It is very helpful in making it easy to find the NAB and CAB accreditation information, but we must still check the NAB and CAB accreditation information and make sure the CAB accreditation document lists the ETSI EN 319 403, ETSI EN 319 401, ETSI EN 319 411-1, and ETSI EN 319 411-2 standards as per https://wiki.mozilla.org/CA/Audit_Statements#Standard_Check

Thanks to all of you who have been helping with this!

Kathleen
Re: Verifying Auditor Qualifications
On 8/26/20 1:41 PM, Kathleen Wilson wrote:
> The 5 CABs that I haven't been able to complete the Standard Check for are:
>
> - Bureau Veritas Italia S.p.A. - NAB is Accredia
> - CSQA - NAB is Accredia
> - KIWA - NAB is Accredia
> - QMSCERT - NAB is Accredia
> - QSCert - NAB is CAI

Update: I received email from Accredia declaring the ETSI EN standards that the KIWA CAB is accredited for. I think it is reasonable to accept that for this auditor's re-verification. And I have asked that KIWA request Accredia to provide this information directly on their website for future reference.
Re: Verifying Auditor Qualifications
On 8/26/20 2:01 PM, Nikolaos Soumelidis wrote:
>> I will greatly appreciate it if you can reach out to them again. Please let me know what information you would need.
>
> Will definitely do. Probably no other information will be needed by you, but I do appreciate the offer.

Thanks!

> Please note that in the case of QMSCERT ("A" member of ACAB'C), https://wiki.mozilla.org/CA/Audit_Statements#Simplified_Check applies.

https://wiki.mozilla.org/CA/Audit_Statements#Simplified_Check
"IMPORTANT: At this time, this check may only be used as a preliminary check, and the Standard Check must also be completed."

But the ACAB'c list is very helpful, with the direct link to the accreditation attestation for each ACAB.
RE: Verifying Auditor Qualifications
>> I will greatly appreciate it if you can reach out to them again. Please let me know what information you would need.

Will definitely do. Probably no other information will be needed by you, but I do appreciate the offer.

>> Note that with the exception of 4 CABs accredited by Accredia and 1 CAB accredited by CAI, I was able to complete
>> https://wiki.mozilla.org/CA/Audit_Statements#Standard_Check for the CABs used by CAs in Mozilla's root store.
>> The 5 CABs that I haven't been able to complete the Standard Check for are:
>>
>> - Bureau Veritas Italia S.p.A. - NAB is Accredia
>> - CSQA - NAB is Accredia
>> - KIWA - NAB is Accredia
>> - QMSCERT - NAB is Accredia
>> - QSCert - NAB is CAI

Please note that in the case of QMSCERT ("A" member of ACAB'C), https://wiki.mozilla.org/CA/Audit_Statements#Simplified_Check applies.

Best regards,
Nikolaos Soumelidis
Re: Verifying Auditor Qualifications
On 8/26/20 12:35 PM, Nikolaos Soumelidis wrote:
> One would expect that they would put that in the accreditation documents or references,

That helps answer part of my question -- that it is reasonable to expect the NAB's accreditation document to specifically list these ETSI EN standards.

> If you feel that this is necessary, we can reach out to them again and provide feedback as soon as we get it.

I will greatly appreciate it if you can reach out to them again. Please let me know what information you would need.

According to the instructions for verifying ETSI auditor qualifications (https://wiki.mozilla.org/CA/Audit_Statements#Standard_Check) it is necessary that there be something on the NAB's website that clearly indicates that the CAB is accredited to perform audits for those specific standards.

So my question in this m.d.s.p forum is: Is the information currently provided by Accredia specific enough, or do we need to get Accredia to update their documentation process?

Note that with the exception of 4 CABs accredited by Accredia and 1 CAB accredited by CAI, I was able to complete https://wiki.mozilla.org/CA/Audit_Statements#Standard_Check for the CABs used by CAs in Mozilla's root store. The 5 CABs that I haven't been able to complete the Standard Check for are:

- Bureau Veritas Italia S.p.A. - NAB is Accredia
- CSQA - NAB is Accredia
- KIWA - NAB is Accredia
- QMSCERT - NAB is Accredia
- QSCert - NAB is CAI

Thanks,
Kathleen
RE: Verifying Auditor Qualifications
Dear Kathleen,

As you accurately pointed out, Accredia's Regulations (Circular No.8/2017 and the updated No.5/2020) enforce the use of ETSI EN 319 403 and the related ETSI EN 319 4xx standards by all its accredited CABs since the beginning of this accreditation. The accreditation regulation is a normative document for all CABs accredited by the NAB. In fact, in the case of Accredia, it has several additional requirements which go significantly beyond the requirements imposed by ETSI standards and the eIDAS Regulation (the latter applies for EU Qualified Certificates). I can assure you that QMSCERT has been evaluated according to this, and even though I cannot speak on behalf of Accredia, I am certain this applies to all CABs accredited by Accredia.

As per your observation about the lack of an explicit reference, we were also intrigued by this issue at the end of June, so we had already reached out to Accredia on July 3rd, 2020 (exactly for the same reason/question). One would expect that they would put that in the accreditation documents or references, but for some yet unknown reason they don't. If you feel that this is necessary, we can reach out to them again and provide feedback as soon as we get it.

Best regards,
Nikolaos Soumelidis

-----Original Message-----
From: dev-security-policy On Behalf Of Kathleen Wilson via dev-security-policy
Sent: Wednesday, August 26, 2020 9:55 PM
To: mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: Verifying Auditor Qualifications

On 6/3/20 4:20 PM, Kathleen Wilson wrote:
> It recently came to my attention that I need to be more diligent in verifying auditor qualifications.
>
> https://wiki.mozilla.org/CA/Audit_Statements#Auditor_Qualifications

All,

While re-verifying auditor qualifications I have run into the following situation, that I will appreciate your opinions on.

https://wiki.mozilla.org/CA/Audit_Statements#Standard_Check

>> Check 1: The NAB is listed as “full member” under https://european-accreditation.org/ea-members/directory-of-ea-members-and-mla-signatories/

The NAB, Accredia (https://www.accredia.it/) is listed as a "Full Member".

>> Check 2: The accreditation documentation was issued by that NAB and is hosted on the NAB's website

The accreditation documentation on the NAB's website for a few CABs:

QMSCERT:
http://services.accredia.it/ppsearch/accredia_orgmask.jsp?ID_LINK=1733&area=310&PPSEARCH_ORG_SEARCH_MASK_ORG=3761

Bureau Veritas Italia:
http://services.accredia.it/ppsearch/accredia_orgmask.jsp?ID_LINK=1733&area=310&PPSEARCH_ORG_SEARCH_MASK_ORG=0663

CSQA:
http://services.accredia.it/ppsearch/accredia_orgmask.jsp?ID_LINK=1733&area=310&PPSEARCH_ORG_SEARCH_MASK_ORG=0010

>> Check 3: The CABs accreditation documentation explicitly refers to all of the following: (ETSI EN 319 403, ETSI EN 319 401, ETSI EN 319 411-1, and ETSI EN 319 411-2)

This is where I'm running into difficulty. The NAB's accreditation documentation does not explicitly state that the CAB is certified to audit against those ETSI EN standards.

For each of the CABs listed above, an Allegato (for UNI CEI EN/ISO/IEC 17065:2012) can be downloaded that says: "TSP (Trust Service Provider) and the services they offer compared with (EU Regulation) 910/2014 and / or specific provisions adopted by the national authorities for the services covered by the Accreditation Scheme."

Which apparently refers to the following documents that list the ETSI EN standards:
Italian: https://www.accredia.it/app/uploads/2020/03/Circolare_tecnica_DC_05-2020.pdf
English: https://www.accredia.it/app/uploads/2017/03/7015_DC2017SSV046eng.pdf
https://www.accredia.it/documento/circolare-dc-n-82017-informativa-in-merito-allaccreditamento-degli-organismi-di-certificazione-operanti-a-fronte-dei-requisiti-del-regolamento-ue-2014_910-eidas-e-della-norma-etsi-en-319_4/

Is that sufficient evidence that the CAB is certified by the NAB to audit according to the ETSI EN 319 403, ETSI EN 319 401, ETSI EN 319 411-1, and ETSI EN 319 411-2 standards?

Thanks,
Kathleen
Re: Verifying Auditor Qualifications
On 8/26/20 12:29 PM, Ben Wilson wrote:
> This raises the question of whether NABs typically include ETSI EN 319 401, ETSI EN 319 411-1 and ETSI EN 319 411-2 in such CAB certification records.

The answer to that question is yes, the other NABs typically do list that information directly in the CAB certification records. Here are a few examples:

https://www.enac.es/documents/7020/5ae31445-73fa-4e16-acc4-78e079375c4f
http://www.ipac.pt/pesquisa/ficha_ocp.asp?id=C0009
http://www.ukas.com/wp-content/uploads/schedule_uploads/00011/00295/0003Product%20Certification.pdf
http://www.cofrac.fr/annexes/sect5/5-0597.pdf
https://nah.gov.hu/uploads/attachment/file/7913/RO_3_-CERTOP_0034_K_2019_03_28.pdf
https://www.dakks.de/as/ast/d/D-ZE-16077-01-00.pdf

Cheers,
Kathleen
Re: Verifying Auditor Qualifications
In a draft template for audit attestations, provided by the ACAB'c, the template would provide a URL to the NAB's certification of the CAB with a statement that the NAB had certified the CAB to perform "certification of trust services according to 'EN ISO/IEC 17065:2012' and 'ETSI EN 319 403 V2.2.2 (2015-08)'", but with a note that the CAB could update the template based on actual certifications received from the NAB. This raises the question of whether NABs typically include ETSI EN 319 401, ETSI EN 319 411-1 and ETSI EN 319 411-2 in such CAB certification records. If not, maybe references to EN ISO/IEC 17065:2012 and ETSI EN 319 403 V2.2.2 (2015-08) would then need to be sufficient. That is something that would be good to know.

Thanks, Kathleen

On Wed, Aug 26, 2020 at 12:54 PM Kathleen Wilson via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:

> On 6/3/20 4:20 PM, Kathleen Wilson wrote:
>> It recently came to my attention that I need to be more diligent in verifying auditor qualifications.
>>
>> https://wiki.mozilla.org/CA/Audit_Statements#Auditor_Qualifications
>
> All,
>
> While re-verifying auditor qualifications I have run into the following situation, that I will appreciate your opinions on.
>
> https://wiki.mozilla.org/CA/Audit_Statements#Standard_Check
>
>>> Check 1: The NAB is listed as “full member” under https://european-accreditation.org/ea-members/directory-of-ea-members-and-mla-signatories/
>
> The NAB, Accredia (https://www.accredia.it/) is listed as a "Full Member".
>
>>> Check 2: The accreditation documentation was issued by that NAB and is hosted on the NAB's website
>
> The accreditation documentation on the NAB's website for a few CABs:
>
> QMSCERT:
> http://services.accredia.it/ppsearch/accredia_orgmask.jsp?ID_LINK=1733&area=310&PPSEARCH_ORG_SEARCH_MASK_ORG=3761
>
> Bureau Veritas Italia:
> http://services.accredia.it/ppsearch/accredia_orgmask.jsp?ID_LINK=1733&area=310&PPSEARCH_ORG_SEARCH_MASK_ORG=0663
>
> CSQA:
> http://services.accredia.it/ppsearch/accredia_orgmask.jsp?ID_LINK=1733&area=310&PPSEARCH_ORG_SEARCH_MASK_ORG=0010
>
>>> Check 3: The CABs accreditation documentation explicitly refers to all of the following: (ETSI EN 319 403, ETSI EN 319 401, ETSI EN 319 411-1, and ETSI EN 319 411-2)
>
> This is where I'm running into difficulty. The NAB's accreditation documentation does not explicitly state that the CAB is certified to audit against those ETSI EN standards.
>
> For each of the CABs listed above, an Allegato (for UNI CEI EN/ISO/IEC 17065:2012) can be downloaded that says: "TSP (Trust Service Provider) and the services they offer compared with (EU Regulation) 910/2014 and / or specific provisions adopted by the national authorities for the services covered by the Accreditation Scheme."
>
> Which apparently refers to the following documents that list the ETSI EN standards:
> Italian: https://www.accredia.it/app/uploads/2020/03/Circolare_tecnica_DC_05-2020.pdf
> English: https://www.accredia.it/app/uploads/2017/03/7015_DC2017SSV046eng.pdf
> https://www.accredia.it/documento/circolare-dc-n-82017-informativa-in-merito-allaccreditamento-degli-organismi-di-certificazione-operanti-a-fronte-dei-requisiti-del-regolamento-ue-2014_910-eidas-e-della-norma-etsi-en-319_4/
>
> Is that sufficient evidence that the CAB is certified by the NAB to audit according to the ETSI EN 319 403, ETSI EN 319 401, ETSI EN 319 411-1, and ETSI EN 319 411-2 standards?
>
> Thanks,
> Kathleen
Re: Verifying Auditor Qualifications
On 6/3/20 4:20 PM, Kathleen Wilson wrote:
> It recently came to my attention that I need to be more diligent in verifying auditor qualifications.
>
> https://wiki.mozilla.org/CA/Audit_Statements#Auditor_Qualifications

All,

While re-verifying auditor qualifications I have run into the following situation, that I will appreciate your opinions on.

https://wiki.mozilla.org/CA/Audit_Statements#Standard_Check

>> Check 1: The NAB is listed as “full member” under https://european-accreditation.org/ea-members/directory-of-ea-members-and-mla-signatories/

The NAB, Accredia (https://www.accredia.it/) is listed as a "Full Member".

>> Check 2: The accreditation documentation was issued by that NAB and is hosted on the NAB's website

The accreditation documentation on the NAB's website for a few CABs:

QMSCERT:
http://services.accredia.it/ppsearch/accredia_orgmask.jsp?ID_LINK=1733&area=310&PPSEARCH_ORG_SEARCH_MASK_ORG=3761

Bureau Veritas Italia:
http://services.accredia.it/ppsearch/accredia_orgmask.jsp?ID_LINK=1733&area=310&PPSEARCH_ORG_SEARCH_MASK_ORG=0663

CSQA:
http://services.accredia.it/ppsearch/accredia_orgmask.jsp?ID_LINK=1733&area=310&PPSEARCH_ORG_SEARCH_MASK_ORG=0010

>> Check 3: The CABs accreditation documentation explicitly refers to all of the following: (ETSI EN 319 403, ETSI EN 319 401, ETSI EN 319 411-1, and ETSI EN 319 411-2)

This is where I'm running into difficulty. The NAB's accreditation documentation does not explicitly state that the CAB is certified to audit against those ETSI EN standards.

For each of the CABs listed above, an Allegato (for UNI CEI EN/ISO/IEC 17065:2012) can be downloaded that says: "TSP (Trust Service Provider) and the services they offer compared with (EU Regulation) 910/2014 and / or specific provisions adopted by the national authorities for the services covered by the Accreditation Scheme."

Which apparently refers to the following documents that list the ETSI EN standards:
Italian: https://www.accredia.it/app/uploads/2020/03/Circolare_tecnica_DC_05-2020.pdf
English: https://www.accredia.it/app/uploads/2017/03/7015_DC2017SSV046eng.pdf
https://www.accredia.it/documento/circolare-dc-n-82017-informativa-in-merito-allaccreditamento-degli-organismi-di-certificazione-operanti-a-fronte-dei-requisiti-del-regolamento-ue-2014_910-eidas-e-della-norma-etsi-en-319_4/

Is that sufficient evidence that the CAB is certified by the NAB to audit according to the ETSI EN 319 403, ETSI EN 319 401, ETSI EN 319 411-1, and ETSI EN 319 411-2 standards?

Thanks,
Kathleen
Re: Verifying Auditor Qualifications
On Mon, Jul 20, 2020 at 10:27 AM Arvid Vermote via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:

> ACAB'c is a group of a few eIDAS CABs working together for reasons, they do not represent all eIDAS CABs nor do they have any recognized or official function within the eIDAS ecosystem.
>
> Can the ACAB'c member list be relied upon as being accurate and providing correct and latest information on the accreditation status of member CABs? It’s a manual list maintained based on membership applications and their acceptance. Isn't the only current accurate source of accredited eIDAS CAB the 20+ governmental NABs of participating EU countries that are designated to accredit and supervise eIDAS CAB?
>
> Without any visible added value or clear and transparent insights on what supervisory function they perform within the context of the WebPKI ecosystem (filtering which eIDAS CAB and reports are acceptable/qualitative?), why would a specific subset of eIDAS CAB be promoted over other eIDAS CAB? Parties that are interested in becoming a WebPKI CA or maintaining that status often go look at root program requirements as a first source to understand what needs to be done, including what audit attestations that need to be obtained and which parties can provide these.
>
> I have difficulties understanding what current reason there is to refer to the ACAB'c and why the "simplified check" seems to suggest only ACAB'c member audit reports are accepted.

So, I think you make some great points, but I also think this highlights some confusion that might be worth addressing.

Why would their role within the eIDAS ecosystem have any bearing? We know that the eIDAS ecosystem is an alternative trust framework for solving a different set of problems than browsers are trying to solve. Which is totally OK, but like... it's a bit like saying "The ACAB'c doesn't have a recognized or official function within the Adobe Document Signing Trust Framework" and... so?

I think it's reasonable to imagine that if ACAB'c were to provide a similar model as WebTrust, there might be value in deferring to them *instead of* the eIDAS ecosystem. I do believe it's entirely a mistake to defer to the eIDAS ecosystem at all, presently, for the same reason I think it'd be a mistake to defer to, say, the banking industry's use of ISO 21188 or the ASC X.9 work. They're separate PKIs with separate goals, and it's totally OK for eIDAS to do their thing.

If ACAB'c were, as you suggest, to provide filtering of reports, provide normative guidance and enforcement in the same way that, say, AICPA or CPA Canada provide with respect to their practitioner standards, and similarly provide a level of assurance similar to WebTrust licensure, it could make sense. But I think your criticisms here of ACAB'c are equally criticisms that could be lobbed at WebTrust, since it's "just" a brand by CPA Canada, and in theory, "any" auditor participating under IFAC 'could' also provide audits. That's no different than the discussion here.

However, I do think you're right, whether intentional or not, in pointing out that the eIDAS ecosystem lacks many of the essential properties that a _browser_ trust framework relies upon, and that's why I again suggest that the degree to which ETSI-based audits are accepted should be strongly curtailed, if not outright prevented. There are too many gaps in the professional standards, both within ETSI and within the underlying ISO standards that ETSI builds upon, to provide sufficient assurance. Pivoting to browser-initiated and/or browser-contracted audits is perhaps the single most impactful move that could be made with audits. Second to that is the WebTrust TF's Detailed Control Reports, which I believe should be required of all CAs.

I don't believe ETSI is even capable of producing a remotely comparable equivalent. This is because ETSI is not a group of CABs with professional expertise, but an otherwise 'neutral' (albeit pay-to-play) SDO. Browsers' notable absence within ETSI (in part, due to the pay-for-play nature) means that it's unlikely ETSI will produce a standard that reflects browsers' needs, but even if browsers were to participate, it would be the same amount of work as if they just produced such a document themselves with the CABs. At least, in this regard, ACAB'c has a chance of success in producing something comparable: by being CABs with a vested interest in producing a service useful to and relied upon by browsers, they may choose to engage with browsers and work to provide a useful audit and reporting framework.

But, again, the eIDAS ecosystem largely has no bearing on this. Even the accreditation, against the ETSI ESI standards used to fulfill the eIDAS Regulation, doesn't really provide much assurance, as Supervisory Bodies are currently seeing.
RE: Verifying Auditor Qualifications
ACAB'c is a group of a few eIDAS CABs working together for reasons, they do not represent all eIDAS CABs nor do they have any recognized or official function within the eIDAS ecosystem.

Can the ACAB'c member list be relied upon as being accurate and providing correct and latest information on the accreditation status of member CABs? It’s a manual list maintained based on membership applications and their acceptance. Isn't the only current accurate source of accredited eIDAS CAB the 20+ governmental NABs of participating EU countries that are designated to accredit and supervise eIDAS CAB?

Without any visible added value or clear and transparent insights on what supervisory function they perform within the context of the WebPKI ecosystem (filtering which eIDAS CAB and reports are acceptable/qualitative?), why would a specific subset of eIDAS CAB be promoted over other eIDAS CAB? Parties that are interested in becoming a WebPKI CA or maintaining that status often go look at root program requirements as a first source to understand what needs to be done, including what audit attestations that need to be obtained and which parties can provide these.

I have difficulties understanding what current reason there is to refer to the ACAB'c and why the "simplified check" seems to suggest only ACAB'c member audit reports are accepted.

> -----Original Message-----
> From: dev-security-policy On Behalf Of Nicholas Knight via dev-security-policy
> Sent: maandag 13 juli 2020 15:31
> To: mozilla-dev-security-pol...@lists.mozilla.org
> Subject: Re: Verifying Auditor Qualifications
>
> It seems exceptionally strange to me that what, from all appearances, is a 4 year old advocacy body for auditors could be considered an authoritative source. ACAB’c does not seem to have done anything at all to acquire the extremely high level of credibility such a source needs.
>
> The idea that an association of auditors can’t keep its website and charter up to date does nothing to dispel doubt, and is in fact evidence that ACAB’c is not capable of its claimed functions.
>
> I see no browsers or anyone else can rely on ACAB’c, or should. It was not formed for that purpose and there is no evidence it even understands that purpose. I suggest that if they intend to perform this function, it is necessary to start over with a new organization with a new charter and new leadership.
Re: Verifying Auditor Qualifications
It seems exceptionally strange to me that what, from all appearances, is a 4 year old advocacy body for auditors could be considered an authoritative source. ACAB’c does not seem to have done anything at all to acquire the extremely high level of credibility such a source needs.

The idea that an association of auditors can’t keep its website and charter up to date does nothing to dispel doubt, and is in fact evidence that ACAB’c is not capable of its claimed functions.

I see no browsers or anyone else can rely on ACAB’c, or should. It was not formed for that purpose and there is no evidence it even understands that purpose. I suggest that if they intend to perform this function, it is necessary to start over with a new organization with a new charter and new leadership.
Re: Verifying Auditor Qualifications
Hi Ryan,

Thanks for your post. And certainly yes: it’s our first goal to serve the needs of our actual consumers. The browsers belong to those in the front row. We are aware of that, as we are aware that there is space for improvement for the council.

With regard to your statement on our webpage and the EN 319403 in our documented rules, we are updating that, to be fully clear on entry conditions for our accredited CABs as well as for the requirements and guidelines we follow throughout our audit work. But just to be clear on that: all ACAB’c members were and will be checked to be accredited according to ETSI EN 319403 as well.

What I'd like to encourage the browsers to do is to keep on staying in touch with us and share your demands, concerns and ideas with us. We shall be more than happy to discuss those with you in order to strengthen the trust, as you are saying it. Please feel free to use me personally as an entry point in the meanwhile, as we at ACAB’c are about to migrate our technical infrastructure to a new platform, which may cause additional delays otherwise.

I will share the communication we are having amongst the member CABs and come up with a response.

All the best
Clemens @ the ACAB council
Re: Verifying Auditor Qualifications
On Fri, Jul 3, 2020 at 6:14 AM clemens.wanko--- via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:

> All,
> on behalf of the Accredited Conformity Assessment Bodies council we would like to provide the following background information to the guideline “Verifying ETSI Auditor Qualification” as stated here:
>
> https://wiki.mozilla.org/CA/Audit_Statements#Verifying_ETSI_Auditor_Qualifications
>
> The guideline explains the path for a formal verification of the ETSI/eIDAS Auditor’s qualification through verification of corresponding evidence.
> The ACAB council is capable and happy to support this process in the following way:
>
> o every CAB member of the council must be accredited according to IEC/ISO 17065 in conjunction with eIDAS Art. 3.18 and ETSI EN 319 403 or ETSI EN 319 403-1 respectively. During the membership application and verification process for the ACAB council, the applicant has to provide corresponding evidence which is carefully checked.

This is not what your charter says, nor what your website says.

https://www.acab-c.com/app/download/5811554709/ACABc+Charter_V3.pdf
https://www.acab-c.com/acab-c-members/

> o ACAB’c members must incorporate and follow ETSI EN 319 403 for ETSI audits. Especially for publicly trusted certificates, Part 2 of EN 319403 must be followed which covers all additional requirements for Conformity Assessment Bodies auditing Trust Service Providers that issue Publicly-Trusted Certificates. In simple words, this means that it is mandatory for the relevant Browser requirements incorporated by ETSI to be followed by an accredited CAB member of ACAB’c.

This is not what your charter says.

> All this is considered and explicitly stated for the “Simplified check” under 1. in the guideline: member CABs were checked following the “Standard Check” which includes the ETSI EN 319 403 (…403-1/-2) referrer in the accreditation documentation. The standard check is performed by ACAB’c as described in the guideline and we certainly want to support the community to rely on that. Hence, all CAB members of ACAB’C comply with the accreditation requirements stated above.

Where is the public evidence that this is true? I’m not disputing that this could be, and probably is, true. But there’s zero actual evidence for this that I can see, beyond your assurances here. And this is part of my abiding concern with the ETSI approach to audits, because we get grand assurances but when we actually look for them, they aren’t there. If we’re going to rely on ACAB’c, we need strong evidence of the claims here, not a well-intentioned post from an ACAB’c member.

> The task to verify that a conformity assessment body fulfils all normative requirements, has necessary competences, etc. is performed by the National Accreditation Bodies (NAB). Only if the CAB demonstrates their compliance to the normative requirements (see above) do they receive their accreditation and/or can keep it upright.

And time and time again, we’ve said that the NAB is *not* ensuring these requirements, because they aren’t as you described. The NAB ensures the requirements with respect to the notified scheme. Even if the CAB assessment is based on the ETSI assessment criteria for CABs, that still doesn’t provide any guarantee the CAB is using a scheme for assessing TSPs that is based on the ETSI criteria.

> The decision on the qualifications of an auditor is not done by ACAB’c but the NAB which regularly checks the capabilities of the audit against the requirements of EN 319 403.

Citation Needed. But also, as I said above, 403 isn’t the relevant portion here.

> All that ACAB’c does is simplify the representation of accreditation by bringing together information from the accreditation bodies. The full check can always be made to confirm the information provided by ACAB’c.
>
> Standardisation for Trust Services (CA) under the European Scheme is typically performed by the organizations ETSI or CEN or ISO/IEC. The ACAB council is not a standardization organization.

Yes, we know. I don’t understand why this was even included. It fits with my broader complaint against the ETSI ESI liaisons in the CABF: that every CABF, we get a recital of what ETSI is and isn’t and how NABs and CABs work, while the needs of the actual consumers go unmet and unaddressed.

Look, as I said to Kathleen, I’m not unopposed in spirit. But the statements you’ve made about what ACAB’c is, or what assurances it provides, are not backed up by what ACAB’c says and documents on its website. If the ACAB’c agrees that you’ve accurately represented things, it should be trivial to document these things within your charter. Unfortunately, for the many encouraging promises browsers have received from ACAB’c, there’s a worrying lack of substance or independent verification. The only statement supporting what you’ve claimed is as a footnote at https://www.acab-c.com that does not have
Re: Verifying Auditor Qualifications
All,

On behalf of the Accredited Conformity Assessment Bodies council we would like to provide the following background information to the guideline “Verifying ETSI Auditor Qualification” as stated here:

https://wiki.mozilla.org/CA/Audit_Statements#Verifying_ETSI_Auditor_Qualifications

The guideline explains the path for a formal verification of the ETSI/eIDAS Auditor’s qualification through verification of corresponding evidence. The ACAB council is capable and happy to support this process in the following way:

o every CAB member of the council must be accredited according to IEC/ISO 17065 in conjunction with eIDAS Art. 3.18 and ETSI EN 319 403 or ETSI EN 319 403-1 respectively. During the membership application and verification process for the ACAB council, the applicant has to provide corresponding evidence which is carefully checked.

o ACAB’c members must incorporate and follow ETSI EN 319 403 for ETSI audits. Especially for publicly trusted certificates, Part 2 of EN 319403 must be followed which covers all additional requirements for Conformity Assessment Bodies auditing Trust Service Providers that issue Publicly-Trusted Certificates. In simple words, this means that it is mandatory for the relevant Browser requirements incorporated by ETSI to be followed by an accredited CAB member of ACAB’c.

All this is considered and explicitly stated for the “Simplified check” under 1. in the guideline: member CABs were checked following the “Standard Check” which includes the ETSI EN 319 403 (…403-1/-2) referrer in the accreditation documentation. The standard check is performed by ACAB’c as described in the guideline and we certainly want to support the community to rely on that. Hence, all CAB members of ACAB’C comply with the accreditation requirements stated above.

The task to verify that a conformity assessment body fulfils all normative requirements, has necessary competences, etc. is performed by the National Accreditation Bodies (NAB). Only if the CAB demonstrates their compliance to the normative requirements (see above) do they receive their accreditation and/or can keep it upright. The decision on the qualifications of an auditor is not done by ACAB’c but the NAB which regularly checks the capabilities of the audit against the requirements of EN 319 403. All that ACAB’c does is simplify the representation of accreditation by bringing together information from the accreditation bodies. The full check can always be made to confirm the information provided by ACAB’c.

Standardisation for Trust Services (CA) under the European Scheme is typically performed by the organizations ETSI or CEN or ISO/IEC. The ACAB council is not a standardization organization.
Re: Verifying Auditor Qualifications
On 6/24/20 8:48 PM, Ryan Sleevi wrote:
> On Wed, Jun 24, 2020 at 3:08 PM Kathleen Wilson via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
>> I have updated the following section of the wiki page to incorporate feedback that I received from representatives of ACAB'c.
>>
>> https://wiki.mozilla.org/CA/Audit_Statements#Verifying_ETSI_Auditor_Qualifications
>>
>> I will greatly appreciate it if those of you familiar with ETSI audits will review it and provide feedback.
>
> I would suggest that, for the time being, ACAB’c isn’t a shortcut. I realize that means more work for Mozilla, and broadly for the industry, but it might provide an opportunity for ACAB’c to focus on whether the goal is to support eIDAS audit schemes and accreditation, or whether it is to provide browsers equivalent confidence and focused collaboration in the way the WebTrust TF had engaged in. That isn’t to suggest the auditors might not also provide eIDAS audits, but it seems a real missed opportunity for auditors to more proactively engage and ensure needs like Mozilla’s are met.

I have added the following sentence to the top of the Simplified Check section:

IMPORTANT: At this time, this check may only be used as a preliminary check, and the Standard Check must also be completed.

Thanks,
Kathleen
Re: Verifying Auditor Qualifications
On Wed, Jun 24, 2020 at 3:08 PM Kathleen Wilson via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:

> I have updated the following section of the wiki page to incorporate feedback that I received from representatives of ACAB'c.
>
> https://wiki.mozilla.org/CA/Audit_Statements#Verifying_ETSI_Auditor_Qualifications
>
> I will greatly appreciate it if those of you familiar with ETSI audits will review it and provide feedback.

While browsers have certainly discussed requiring ACAB’c membership, and rejecting audits from CAs that are not members, I haven’t seen much transparency yet from ACAB’c about how they supervise and/or review audits in the same way WebTrust does. It also runs a risk with respect to trusting a third-party organization to validate the qualifications. I could totally understand and agree that if ACAB’c membership was mandatory, because of some clear value to browsers such as Mozilla, this would make sense, but right now it seems like it may be premature?

For example, as noted by ACAB’c itself, accreditation is with respect to ISO 17065 and eIDAS Art3.18, but that provides zero guarantees with respect to certificates, the BRs, or to the ETSI EN 319 403 provisions. For example, if a notified scheme under eIDAS made use of certificates in a way that is directly in conflict with Mozilla, those auditors could still be seen as skilled to assess Mozilla’s requirements. That seems... odd?

I would suggest that, for the time being, ACAB’c isn’t a shortcut. I realize that means more work for Mozilla, and broadly for the industry, but it might provide an opportunity for ACAB’c to focus on whether the goal is to support eIDAS audit schemes and accreditation, or whether it is to provide browsers equivalent confidence and focused collaboration in the way the WebTrust TF had engaged in. That isn’t to suggest the auditors might not also provide eIDAS audits, but it seems a real missed opportunity for auditors to more proactively engage and ensure needs like Mozilla’s are met.

I realize the template is a valuable step, but I don’t think ACAB’c membership alone is equivalent to the assurances browsers get from WebTrust licensure, and I worry that the “simple” step will encourage auditors that are not appropriately qualified for browser use cases.

I know this means considerably more work for Mozilla, to disregard ACAB’c for the time being, and so I don’t want to seem dismissive of that. If anything, my hope is it might encourage more engagement by ACAB’c here, and a more careful evaluation of membership, criteria, and focus, such that the end state is we can skip the NAB/CAB validation and instead be confident that ACAB’c membership is a useful and positive signal of auditor qualification. I just don’t know that we’re there yet, and I worry ACAB’c might be just a little too eager, and a little too generalized, right now :)
Re: Verifying Auditor Qualifications
I have updated the following section of the wiki page to incorporate feedback that I received from representatives of ACAB'c.

https://wiki.mozilla.org/CA/Audit_Statements#Verifying_ETSI_Auditor_Qualifications

I will greatly appreciate it if those of you familiar with ETSI audits will review it and provide feedback.

Thanks,
Kathleen
Re: Verifying Auditor Qualifications
On 6/4/20 1:25 AM, Arvid Vermote wrote:
> Hi Kathleen
>
> Related to the below it would be helpful if the WebTrust organization would disclose additional details on the licensed WebTrust practitioners: right now there is no data publicly available on historical WebTrust auditor licensing. We don't know as of when an auditor has been licensed and as far as I am aware there is no overview of auditors that did not renew, withdrew or had their license revoked. Having such a list would certainly help CAs in the auditor selection process and better monitoring of auditor qualifications.
>
> The Dutch NAB has an excellent inventory of their suspensions and withdrawals of accreditations: https://www.rva.nl/en/accredited-organisations/suspended-withdrawals. We think everyone would benefit from the WebTrust task force / CPA Canada maintaining a similar public inventory.
>
> Thanks
> Arvid

Hi Arvid,

Your message has been forwarded to WebTrust and CPA Canada folks.

Thanks,
Kathleen
RE: Verifying Auditor Qualifications
Hi Kathleen

Related to the below it would be helpful if the WebTrust organization would disclose additional details on the licensed WebTrust practitioners: right now there is no data publicly available on historical WebTrust auditor licensing. We don't know as of when an auditor has been licensed and as far as I am aware there is no overview of auditors that did not renew, withdrew or had their license revoked. Having such a list would certainly help CAs in the auditor selection process and better monitoring of auditor qualifications.

The Dutch NAB has an excellent inventory of their suspensions and withdrawals of accreditations: https://www.rva.nl/en/accredited-organisations/suspended-withdrawals. We think everyone would benefit from the WebTrust task force / CPA Canada maintaining a similar public inventory.

Thanks
Arvid

> -----Original Message-----
> From: dev-security-policy On Behalf Of Kathleen Wilson via dev-security-policy
> Sent: Thursday 4 June 2020 1:21
> To: mozilla-dev-security-pol...@lists.mozilla.org
> Subject: Verifying Auditor Qualifications
>
> All,
>
> It recently came to my attention that I need to be more diligent in verifying auditor qualifications. Therefore, we have added a field in the CCADB called “Date Qualifications Verified” (on Auditor Location objects), which will be used to remind root store operators to check each auditor’s qualifications every year. This field can only be edited by a root store operator, and we will enter this date whenever we confirm that the auditor is still qualified to perform ETSI or WebTrust audits.
>
> Some of you may notice that your Audit Case or Root Inclusion Case has the message: “Auditor Verification Date is blank”. This warning message is intended to remind root store operators that we need to verify the auditor's qualifications. In the future you may also notice a warning message when the date in that field is over a year old, reminding us root store operators to re-verify the auditor's qualifications.
>
> I will greatly appreciate your input on the following new wiki page section, especially in regards to verifying auditor qualifications.
>
> https://wiki.mozilla.org/CA/Audit_Statements#Auditor_Qualifications
>
> Thanks,
> Kathleen
Verifying Auditor Qualifications
All,

It recently came to my attention that I need to be more diligent in verifying auditor qualifications. Therefore, we have added a field in the CCADB called “Date Qualifications Verified” (on Auditor Location objects), which will be used to remind root store operators to check each auditor’s qualifications every year. This field can only be edited by a root store operator, and we will enter this date whenever we confirm that the auditor is still qualified to perform ETSI or WebTrust audits.

Some of you may notice that your Audit Case or Root Inclusion Case has the message: “Auditor Verification Date is blank”. This warning message is intended to remind root store operators that we need to verify the auditor's qualifications. In the future you may also notice a warning message when the date in that field is over a year old, reminding us root store operators to re-verify the auditor's qualifications.

I will greatly appreciate your input on the following new wiki page section, especially in regards to verifying auditor qualifications.

https://wiki.mozilla.org/CA/Audit_Statements#Auditor_Qualifications

Thanks,
Kathleen