On Mon, Sep 3, 2018 at 8:54 AM reinhard.dietrich--- via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
> Dear all,
> as already mentioned above, qualified auditors (nat person/organization)
> have been selected which fulfil the points as listed in our previous
> response. The auditors fulfilled these relevant requirements. Even the
> organization of TÜV AUSTRIA CERT was accredited according to ISO 17065 by
> that time – the only thing missing was the formal acknowledgement of the
> Austrian Federal Ministry for Digital and Economy Affairs (BMDW) for
> amending that accreditation by the ETSI ENs.

I think this is an incredibly important and meaningful distinction, for all CAs.

It appears that, even today, September 4, there's no way to independently confirm or assess TUV AUSTRIA CERT's accreditation to ISO 17065 in any of the related or appropriate standards. If a WebTrust audit was presented by an auditor who was not licensed by WebTrust, or could not be independently assessed as such, it would absolutely be rejected - and CPA Canada/AICPA would likely pursue action through misuse of the term WebTrust. That ETSI lacks this is already problematic, but equally problematic is the lack of demonstration through the agreed-upon method of determining an auditor's competence to perform audits. The process that is recognized for the ETSI norms is to look through european-accreditation.org to determine the NAB, and from the NAB, determine the appropriate CABs.

With respect to Section 8.2, I'm having trouble understanding how the information presented can meet the requirements of Items 2, 4, and 6. As my previous mail suggested, the ability to determine that, independently, has been lacking since April.

> Related to our own SwissSign audit which was required to be performed as
> soon as possible, we decided to ask the browsers before the audit was
> started, whether they would accept the audit performed by our auditors
> under those circumstances described above. Based on the Mozilla Root Policy,
> clause 3.2, para 2 Mozilla can decide to accept the auditor. On top we
> considered that as the auditors are well known in the community and have
> long term experience auditing several CAs included in the Root Stores
> according to ETSI and BRG, therefore they should easily be accepted to perform
> our audit.

My understanding here is that your use of the term "auditors" refers to the individuals, not to the organization TUV Austria, is that correct?

> We discussed that with Mozilla and Microsoft and both finally agreed to a
> one time exception so that we decided to start the audit project. That
> given exception included an agreement that the Audit Attestations will be
> re-issued now, after the formal accreditation process is finalized – which
> will happen during the next few weeks. All the Browsers will receive an
> updated Audit Attestation then referring to the amended accreditation
> documentation.
>
> On top of that and as already mentioned above, we will repeat all the
> audits during the next weeks in order to start over and synchronize the
> audit period for the complete PKI of SwissSign. At this time the expansion
> of TÜV AUSTRIA CERT's accreditation according to ISO 17065 and ETSI EN 319 403
> will certainly be visible.

As it stands, the information for TUV AUSTRIA CERT still does not appear to meet the requirements of Section 8.2. I appreciate that the promise is that it's forthcoming, that it's BMDW's fault, that everything surely is in order, but you can surely see how, from an objective and consistent application of policies, this fails to meet Section 8.2 even to this day.

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy