Dear all,

On behalf of ACAB'c we would like to comment on that as follows. We would like to clarify the following normative points defined by the EA and by ISO/IEC 17065/ETSI/eIDAS:

I. Accreditation of CAB:

- The eIDAS/ETSI accredited CABs in Europe are in general all accredited according to ISO/IEC 17065 in conjunction with ETSI EN 319 403. It is not possible to be purely accredited according to ETSI EN 319 403, as that is a supplementary standard refining ISO/IEC 17065 especially for the conformity assessment of trust services. This is clearly indicated in the introduction of ETSI EN 319 403. The CAB is accredited against ISO/IEC 17065. ETSI EN 319 403, however, is incorporated in the accreditation to address the specific requirements for assessment of trust services – even if it might not be explicitly listed in an accreditation certificate.
- In general, NABs can accredit organizations against the ISO norms as listed here: http://www.european-accreditation.org/what-is-accreditation#2
- The EA statement where ETSI EN 319 403 is defined as the supporting norm for accreditation according to ISO/IEC 17065 of CABs assessing TSPs can be found here: http://www.european-accreditation.org/information/etsistandard-en-319-403-published-to-provide-requirements-for-conformity-assessmentbodies-assessing-trust-service-providers-tsps

II. Assessment and certification statements:

- ETSI requires the auditing of the past period as well as of the current operations status:
  o In chapter 7.9 of ETSI EN 319 403 it is clearly stated that the operation records shall be audited (that will be detailed within a future updated version of ETSI EN 319 403; on top of that, it is planned to make ETSI TS 319 403-2 binding in order to have an even better definition of what is required to be audited for the past period).
- ETSI covers aspects of the future operations of the TSP, as there are obligations for the TSP to inform the CAB (according to ETSI EN 319 403, chapter 7.10) in case of any planned changes of the operations before implementation is done, and the supervisory body accordingly (see eIDAS Article 24, Para 2 a).
- If the TSP is performing changes without informing the CAB, the CAB may withdraw the certificate according to chapter 7.11 of ISO/IEC 17065.

Looking at the discussion in general, we see that there is a lot of energy invested by the different players in the ecosystem. This results in threads and postings and answers to those and answers to the answers... That high attention in general is definitely to be judged positive. We need that! We however urgently would like to advertise for a discussion leading to
- balanced judgements (the world is NOT black and white!),
- an improvement of processes (like incident detection and processing),
- more security and assurance for all players in the ecosystem.

Let's keep in mind - please! - we are all pulling the same rope for more security, more confidence and reliability. We should take extra care to pull in the same direction - all together - and invest our precious energy in improving the ecosystem rather than blaming each other, with the high risk of damaging it.

We - the ETSI and WebTrust auditors - will sit together in December in Berlin to take up that point for further improvements, and as discussed in Shanghai we certainly should interface in a dedicated CA/B-Forum working group to the browsers and the CAs.

Best regards
Clemens, ACAB'c

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy