Dear Kathleen, As you accurately pointed out, Accredia's Regulations (Circular No.8/2017 and the updated No.5/2020) enforces the use of ETSI EN 319 403 and the related ETSI EN 319 4xx standards by all its accredited CABs since the beginning of this accreditation. The accreditation regulation is normative document for all CABs accredited by the NAB. In fact, in the case of Accredia, it has several additional requirements which go significantly beyond the requirements imposed by ETSI standards and the eIDAS Regulation (the latter applies for EU Qualified Certificates).
I can assure that QMSCERT has been evaluated according to this, and even though I cannot speak on behalf of Accredia, I am certain this applies to all CABs accredited by Accredia. As per your observation about the lack of an explicit reference, we were also intrigued by this issue at the end of June, so we had already reached out to Accredia on July 3rd, 2020 (exactly for the same reason/question). One would expect that they would put that in the accreditation documents or references, but for some yet unknown reason they don't. If you feel that this is necessary, we can reach out to them again and provide feedback as soon as we get it. Best regards, Nikolaos Soumelidis -----Original Message----- From: dev-security-policy <dev-security-policy-boun...@lists.mozilla.org> On Behalf Of Kathleen Wilson via dev-security-policy Sent: Wednesday, August 26, 2020 9:55 PM To: mozilla-dev-security-pol...@lists.mozilla.org Subject: Re: Verifying Auditor Qualifications On 6/3/20 4:20 PM, Kathleen Wilson wrote: > It recently came to my attention that I need to be more diligent in > verifying auditor qualifications. > <snip> > https://wiki.mozilla.org/CA/Audit_Statements#Auditor_Qualifications All, While re-verifying auditor qualifications I have run into the following situation, that I will appreciate your opinions on. https://wiki.mozilla.org/CA/Audit_Statements#Standard_Check >> Check 1: The NAB is listed as “full member” under https://european-accreditation.org/ea-members/directory-of-ea-members-and-mla-signatories/ The NAB, Accredia (https://www.accredia.it/) is listed as a "Full Member". >> Check 2: The accreditation documentation was issued by that NAB and is hosted on the NAB's website The accreditation documentation on the NAB's website for a few CABs: QMSCERT: http://services.accredia.it/ppsearch/accredia_orgmask.jsp?ID_LINK=1733&area=310&PPSEARCH_ORG_SEARCH_MASK_ORG=3761 Bureau Veritas Italia: http://services.accredia.it/ppsearch/accredia_orgmask.jsp?ID_LINK=1733&area=310&PPSEARCH_ORG_SEARCH_MASK_ORG=0663 CSQA: http://services.accredia.it/ppsearch/accredia_orgmask.jsp?ID_LINK=1733&area=310&PPSEARCH_ORG_SEARCH_MASK_ORG=0010 >> Check 3: The CABs accreditation documentation explicitly refers to all of the following: <ETSI EN 319 403, ETSI EN 319 401, ETSI EN 319 411-1, and ETSI EN 319 411-2> This is where I'm running into difficulty. The NAB's accreditation documentation does not explicitly state that the CAB is certified to audit against those ETSI EN standards. For each of the CABs listed above, an Allegato (for UNI CEI EN/ISO/IEC 17065:2012) can be downloaded that says: "TSP (Trust Service Provider) and the services they offer compared with (EU Regulation) 910/2014 and / or specific provisions adopted by the national authorities for the services covered by the Accreditation Scheme." Which apparently refers to the the following documents that list the ETSI EN standards: Italian: https://www.accredia.it/app/uploads/2020/03/Circolare_tecnica_DC_05-2020.pdf English: https://www.accredia.it/app/uploads/2017/03/7015_DC2017SSV046eng.pdf https://www.accredia.it/documento/circolare-dc-n-82017-informativa-in-merito-allaccreditamento-degli-organismi-di-certificazione-operanti-a-fronte-dei-requisiti-del-regolamento-ue-2014_910-eidas-e-della-norma-etsi-en-319_4/ Is that sufficient evidence that the CAB is certified by the NAB to audit according to the ETSI EN 319 403, ETSI EN 319 401, ETSI EN 319 411-1, and ETSI EN 319 411-2 standards? Thanks, Kathleen _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
