On 6/3/20 4:20 PM, Kathleen Wilson wrote:
> It recently came to my attention that I need to be more diligent in
> verifying auditor qualifications.
> <snip>
> https://wiki.mozilla.org/CA/Audit_Statements#Auditor_Qualifications
All,
While re-verifying auditor qualifications I have run into the following
situation, that I will appreciate your opinions on.
https://wiki.mozilla.org/CA/Audit_Statements#Standard_Check
>> Check 1: The NAB is listed as “full member” under
>> https://european-accreditation.org/ea-members/directory-of-ea-members-and-mla-signatories/
The NAB, Accredia (https://www.accredia.it/) is listed as a "Full Member".
>> Check 2: The accreditation documentation was issued by that NAB and
>> is hosted on the NAB's website
The accreditation documentation on the NAB's website for a few CABs:
QMSCERT:
http://services.accredia.it/ppsearch/accredia_orgmask.jsp?ID_LINK=1733&area=310&PPSEARCH_ORG_SEARCH_MASK_ORG=3761
Bureau Veritas Italia:
http://services.accredia.it/ppsearch/accredia_orgmask.jsp?ID_LINK=1733&area=310&PPSEARCH_ORG_SEARCH_MASK_ORG=0663
CSQA:
http://services.accredia.it/ppsearch/accredia_orgmask.jsp?ID_LINK=1733&area=310&PPSEARCH_ORG_SEARCH_MASK_ORG=0010
>> Check 3: The CABs accreditation documentation explicitly refers to
>> all of the following: <ETSI EN 319 403, ETSI EN 319 401, ETSI EN 319
>> 411-1, and ETSI EN 319 411-2>
This is where I'm running into difficulty. The NAB's accreditation
documentation does not explicitly state that the CAB is certified to
audit against those ETSI EN standards.
For each of the CABs listed above, an Allegato (for UNI CEI EN/ISO/IEC
17065:2012) can be downloaded that says: "TSP (Trust Service Provider)
and the services they offer compared with (EU Regulation) 910/2014 and /
or specific provisions adopted by the national authorities for the
services covered by the Accreditation Scheme."
Which apparently refers to the following documents that list the
ETSI EN standards:
Italian:
https://www.accredia.it/app/uploads/2020/03/Circolare_tecnica_DC_05-2020.pdf
English:
https://www.accredia.it/app/uploads/2017/03/7015_DC2017SSV046eng.pdf
https://www.accredia.it/documento/circolare-dc-n-82017-informativa-in-merito-allaccreditamento-degli-organismi-di-certificazione-operanti-a-fronte-dei-requisiti-del-regolamento-ue-2014_910-eidas-e-della-norma-etsi-en-319_4/
Is that sufficient evidence that the CAB is certified by the NAB to
audit according to the ETSI EN 319 403, ETSI EN 319 401, ETSI EN 319
411-1, and ETSI EN 319 411-2 standards?
Thanks,
Kathleen