In a draft template for audit attestations, provided by the ACAB'c, the
template would provide a URL to the NAB's certification of the CAB with a
statement that the NAB had certified the CAB to perform "certification of
trust services according to 'EN ISO/IEC 17065:2012' and 'ETSI EN 319 403
V2.2.2 (2015-08)' " but with a note that the CAB could update the template
based on actual certifications received from the NAB. This raises the
question of whether NABs typically include ETSI EN 319 401, ETSI EN 319
411-1 and ETSI EN 319 411-2 in such CAB certification records. If not,
maybe references to EN ISO/IEC 17065:2012 and ETSI EN 319 403 V2.2.2
(2015-08) would then need to be sufficient. That is something that would be
good to know.

Thanks, Kathleen

On Wed, Aug 26, 2020 at 12:54 PM Kathleen Wilson via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:

> On 6/3/20 4:20 PM, Kathleen Wilson wrote:
> > It recently came to my attention that I need to be more diligent in
> > verifying auditor qualifications.
> > <snip>
> > https://wiki.mozilla.org/CA/Audit_Statements#Auditor_Qualifications
>
> All,
>
> While re-verifying auditor qualifications I have run into the following
> situation, that I will appreciate your opinions on.
>
>
> https://wiki.mozilla.org/CA/Audit_Statements#Standard_Check
>
>  >> Check 1:  The NAB is listed as “full member” under
>
> https://european-accreditation.org/ea-members/directory-of-ea-members-and-mla-signatories/
>
> The NAB, Accredia (https://www.accredia.it/) is listed as a "Full Member".
>
>
>  >> Check 2:  The accreditation documentation was issued by that NAB and
> is hosted on the NAB's website
>
> The accreditation documentation on the NAB's website for a few CABs:
>
> QMSCERT:
>
> http://services.accredia.it/ppsearch/accredia_orgmask.jsp?ID_LINK=1733&area=310&PPSEARCH_ORG_SEARCH_MASK_ORG=3761
>
> Bureau Veritas Italia:
>
> http://services.accredia.it/ppsearch/accredia_orgmask.jsp?ID_LINK=1733&area=310&PPSEARCH_ORG_SEARCH_MASK_ORG=0663
>
> CSQA:
>
> http://services.accredia.it/ppsearch/accredia_orgmask.jsp?ID_LINK=1733&area=310&PPSEARCH_ORG_SEARCH_MASK_ORG=0010
>
>
>  >> Check 3: The CABs accreditation documentation explicitly refers to
> all of the following: <ETSI EN 319 403, ETSI EN 319 401, ETSI EN 319
> 411-1, and ETSI EN 319 411-2>
>
> This is where I'm running into difficulty. The NAB's accreditation
> documentation does not explicitly state that the CAB is certified to
> audit against those ETSI EN standards.
>
> For each of the CABs listed above, an Allegato (for UNI CEI EN/ISO/IEC
> 17065:2012) can be downloaded that says: "TSP (Trust Service Provider)
> and the services they offer compared with (EU Regulation) 910/2014 and /
> or specific provisions adopted by the national authorities for the
> services covered by the Accreditation Scheme."
>
> Which apparently refers to the following documents that list the
> ETSI EN standards:
> Italian:
>
> https://www.accredia.it/app/uploads/2020/03/Circolare_tecnica_DC_05-2020.pdf
> English:
> https://www.accredia.it/app/uploads/2017/03/7015_DC2017SSV046eng.pdf
>
> https://www.accredia.it/documento/circolare-dc-n-82017-informativa-in-merito-allaccreditamento-degli-organismi-di-certificazione-operanti-a-fronte-dei-requisiti-del-regolamento-ue-2014_910-eidas-e-della-norma-etsi-en-319_4/
>
>
> Is that sufficient evidence that the CAB is certified by the NAB to
> audit according to the ETSI EN 319 403, ETSI EN 319 401, ETSI EN 319
> 411-1, and ETSI EN 319 411-2 standards?
>
> Thanks,
> Kathleen
>
> _______________________________________________
> dev-security-policy mailing list
> dev-security-policy@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy
>