On 10/31/17 2:57 PM, Dimitris Zacharopoulos wrote:

[NS]: If all ETSI reports delivered to Root Programs had clear indication regarding the “audit period” and the type of the audit (i.e. full), probably this discussion would not be raised at all?


Correct.




For example, in all our audits for other standards, no “audit period” is
clearly documented in the report; time since previous audit is always
implied.

Again, I don't believe that it is reasonable to assume that auditing/sampling has been done over the full year.


[NS]: No assumptions are made. This is common practice and common understanding.


Sigh. If it were so well understood then I would think CAs and auditors would be providing better answers regarding whether their audits are point-in-time or full audits, and what the audit period start and end dates are.

It has truly been an uphill battle to get audit statements that have this information, and (since so many of the ETSI audit statements do not have this information) trying to get this information from the CAs and their auditors regarding their current audit statements.



Then, perhaps the ETSI standards are not sufficient, and we should not allow ETSI audits until the ETSI standards do become sufficient.


[NS]: This is true, but only if you isolate it from the rest of the text below! But, ETSI standards (e.g. ETSI EN 319 411-1, section 2.1, points 4 and 5) include clear normative references to BR and EVG. Explicit references are also included in many detailed requirements of the standard. So, ETSI standards cannot be audited without BR (and EVG in case of EV).

On top of that, Root Program requirements are also included in the scope of the audit for all CAs which wish to participate in these programs.




Then I don't understand why so many of the ETSI audits that CAs are sending to us are failing to meet our requirements about audit periods and being full period-of-time audits.



I do agree that the CAs should be ensuring that their auditors are performing audits that meet the BRs, and the CAs should be ensuring that their auditors provide audit statements that meet our requirements, which have been communicated via CA Communications and Mozilla's root store policy.

I do not agree that the CAB Forum and the Root Store Operators are supposed to contact all of the ETSI auditors to communicate our requirements.

On the other hand, I think that whoever is in charge of ETSI should care enough to reach out to the CAB Forum and the major Root Store Operators to ensure that the ETSI criteria are sufficient, and that there are appropriate templates for their auditors to use, to ensure proper audits and audit statements.

WebTrust folks have been doing things for years now.


[NS]: Makes sense.

or through the TSPs which participate in Root Programs. Even better,
disclose its recommended “ETSI audit report template”, common across all
Root Programs.

Shouldn't an ETSI person be doing this, with input from the CAB Forum and major root store operators?

Mozilla's requirements are already listed here:

https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/#audit-parameters

https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/#public-audit-information

What further information do auditors need from us, before they will start performing the required audits and providing the required audit statement content?


Sorry if I'm being slow here, but how do we get the ETSI audits and audit statements fixed ASAP?

I have already expressed my expectations in previous CA Communications, and our requirements are listed in Mozilla's Root Store Policy.

I do *not* believe that it is my responsibility to fix these ETSI audit problems. I *do* believe it is my responsibility to stop accepting ETSI audits if the problems are not fixed ASAP.

Thanks,
Kathleen



_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy