All,
on behalf of the Accredited Conformity Assessment Bodies council we would like 
to provide the following background information to the guideline “Verifying 
ETSI Auditor Qualification” as stated here: 
https://wiki.mozilla.org/CA/Audit_Statements#Verifying_ETSI_Auditor_Qualifications

The guideline explains the path for a formal verification of the ETSI/eIDAS 
Auditor’s qualification through verification of corresponding evidence.
The ACAB council is capable and happy to support this process in the following 
way:

o   every CAB member of the council must be accredited according to IEC/ISO 17065 
in conjunction with eIDAS Art. 3.18 and ETSI EN 319 403 or ETSI EN 319 403-1 
respectively. During the membership application and verification process for 
the ACAB council, the applicant has to provide corresponding evidence, which is 
carefully checked.

o   ACAB’c members must incorporate and follow ETSI EN 319 403 for ETSI audits. 
Especially for publicly trusted certificates, Part 2 of EN 319 403 must be 
followed, which covers all additional requirements for Conformity Assessment 
Bodies auditing Trust Service Providers that issue Publicly-Trusted 
Certificates. In simple words, this means that it is mandatory for an accredited 
CAB member of ACAB’c to follow the relevant Browser requirements incorporated by 
ETSI.

All this is considered and explicitly stated for the “Simplified check” under 
1. in the guideline: member CABs were checked following the “Standard Check”, 
which includes the ETSI EN 319 403 (…403-1/-2) reference in the accreditation 
documentation. The standard check is performed by ACAB’c as described in the 
guideline, and we certainly want to support the community in relying on that. 
Hence, all CAB members of ACAB’c comply with the accreditation requirements 
stated above.

The task of verifying that a conformity assessment body fulfils all normative 
requirements, has the necessary competences, etc. is performed by the National 
Accreditation Bodies (NAB). Only if the CAB demonstrates its compliance with 
the normative requirements (see above) does it receive its accreditation and/or 
keep it. The decision on the qualifications of an auditor is not 
made by ACAB’c but by the NAB, which regularly checks the capabilities of the audit 
against the requirements of EN 319 403. All that ACAB’c does is simplify the 
representation of accreditation by bringing together information from the 
accreditation bodies. The full check can always be made to confirm the 
information provided by ACAB’c.
 
Standardisation for Trust Services (CA) under the European Scheme is typically 
performed by the organisations ETSI, CEN or ISO/IEC. The ACAB council is not 
a standardisation organisation.
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy