Verifying Auditor Qualifications


Kathleen Wilson

Jun 3, 2020, 7:20:48 PM
to mozilla-dev-s...@lists.mozilla.org
All,

It recently came to my attention that I need to be more diligent in
verifying auditor qualifications. Therefore, we have added a field in
the CCADB called “Date Qualifications Verified” (on Auditor Location
objects), which will be used to remind root store operators to check
each auditor’s qualifications every year. This field can only be edited
by a root store operator, and we will enter this date whenever we
confirm that the auditor is still qualified to perform ETSI or WebTrust
audits.

Some of you may notice that your Audit Case or Root Inclusion Case has
the message: “Auditor Verification Date is blank”. This warning message
is intended to remind root store operators that we need to verify the
auditor's qualifications. In the future you may also notice a warning
message when the date in that field is over a year old, reminding us
root store operators to re-verify the auditor's qualifications.

I will greatly appreciate your input on the following new wiki page
section, especially in regards to verifying auditor qualifications.

https://wiki.mozilla.org/CA/Audit_Statements#Auditor_Qualifications

Thanks,
Kathleen

Arvid Vermote

Jun 4, 2020, 4:25:36 AM
to Kathleen Wilson, mozilla-dev-s...@lists.mozilla.org, jw...@bdo.com
Hi Kathleen

Related to the below it would be helpful if the WebTrust organization would disclose additional details on the licensed WebTrust practitioners: right now there is no data publicly available on historical WebTrust auditor licensing. We don't know as of when an auditor has been licensed and as far as I am aware there is no overview of auditors that did not renew, withdrew or had their license revoked. Having such a list would certainly help CAs in the auditor selection process and better monitoring of auditor qualifications.

The Dutch NAB has an excellent inventory of their suspensions and withdrawals of accreditations: https://www.rva.nl/en/accredited-organisations/suspended-withdrawals. We think everyone would benefit from the WebTrust task force / CPA Canada maintaining a similar public inventory.

Thanks

Arvid

Kathleen Wilson

Jun 4, 2020, 4:03:17 PM
to mozilla-dev-s...@lists.mozilla.org
On 6/4/20 1:25 AM, Arvid Vermote wrote:
> Hi Kathleen
>
> Related to the below it would be helpful if the WebTrust organization would disclose additional details on the licensed WebTrust practitioners: right now there is no data publicly available on historical WebTrust auditor licensing. We don't know as of when an auditor has been licensed and as far as I am aware there is no overview of auditors that did not renew, withdrew or had their license revoked. Having such a list would certainly help CAs in the auditor selection process and better monitoring of auditor qualifications.
>
> The Dutch NAB has an excellent inventory of their suspensions and withdrawals of accreditations: https://www.rva.nl/en/accredited-organisations/suspended-withdrawals. We think everyone would benefit from the WebTrust task force / CPA Canada maintaining a similar public inventory.
>
> Thanks
>
> Arvid
>

Hi Arvid,

Your message has been forwarded to WebTrust and CPA Canada folks.

Thanks,
Kathleen

Kathleen Wilson

Jun 24, 2020, 3:08:59 PM
to mozilla-dev-s...@lists.mozilla.org
I have updated the following section of the wiki page to incorporate
feedback that I received from representatives of ACAB'c.

https://wiki.mozilla.org/CA/Audit_Statements#Verifying_ETSI_Auditor_Qualifications

I will greatly appreciate it if those of you familiar with ETSI audits
will review it and provide feedback.

Thanks,
Kathleen

Ryan Sleevi

Jun 24, 2020, 11:49:02 PM
to Kathleen Wilson, mozilla-dev-s...@lists.mozilla.org
While browsers have certainly discussed requiring ACAB’c membership, and
rejecting audits from CAs that are not members, I haven’t seen much
transparency yet from ACAB’c about how they supervise and/or review audits
in the same way WebTrust does.

It also runs a risk with respect to trusting a third-party organization to
validate the qualifications. I could totally understand and agree that if
ACAB’c membership was mandatory, because of some clear value to browsers
such as Mozilla, this would make sense, but right now it seems like it may
be premature?

For example, as noted by ACAB’c itself, accreditation is with respect to
ISO 17065 and eIDAS Art3.18, but that provides zero guarantees with respect
to certificates, the BRs, or to the ETSI EN 319 403 provisions. For
example, if a notified scheme under eIDAS made use of certificates in a way
that is directly in conflict with Mozilla, those auditors could still be
seen as skilled to assess Mozilla’s requirements. That seems... odd?

I would suggest that, for the time being, ACAB’c isn’t a shortcut. I
realize that means more work for Mozilla, and broadly for the industry, but
it might provide an opportunity for ACAB’c to focus on whether the goal is
to support eIDAS audit schemes and accreditation, or whether it is to
provide browsers equivalent confidence and focused collaboration in the way
the WebTrust TF had engaged in. That isn’t to suggest the auditors might
not also provide eIDAS audits, but it seems a real missed opportunity for
auditors to more proactively engage and ensure needs like Mozilla’s are met.

I realize the template is a valuable step, but I don’t think ACAB’c
membership alone is equivalent to the assurances browsers get from WebTrust
licensure, and I worry that the “simple” step will encourage auditors that
are not appropriately qualified for browser use cases.

I know this means considerably more work for Mozilla, to disregard ACAB’c
for the time being, and so I don’t want to seem dismissive of that. If
anything, my hope is it might encourage more engagement by ACAB’c here, and
a more careful evaluation of membership, criteria, and focus, such that the
end state is we can skip the NAB/CAB validation and instead be confident
that ACAB’c membership is a useful and positive signal of auditor
qualification. I just don’t know that we’re there yet, and I worry ACAB’c
might be just a little too eager, and a little too generalized, right now :)

Kathleen Wilson

Jun 25, 2020, 12:36:02 PM
to mozilla-dev-s...@lists.mozilla.org
On 6/24/20 8:48 PM, Ryan Sleevi wrote:
> On Wed, Jun 24, 2020 at 3:08 PM Kathleen Wilson via dev-security-policy <
> dev-secur...@lists.mozilla.org> wrote:
>
>> I have updated the following section of the wiki page to incorporate
>> feedback that I received from representatives of ACAB'c.
>>
>>
>> https://wiki.mozilla.org/CA/Audit_Statements#Verifying_ETSI_Auditor_Qualifications
>>
>> I will greatly appreciate it if those of you familiar with ETSI audits
>> will review it and provide feedback.
>
> <snip>
> I would suggest that, for the time being, ACAB’c isn’t a shortcut. I
> realize that means more work for Mozilla, and broadly for the industry, but
> it might provide an opportunity for ACAB’c to focus on whether the goal is
> to support eIDAS audit schemes and accreditation, or whether it is to
> provide browsers equivalent confidence and focused collaboration in the way
> the WebTrust TF had engaged in. That isn’t to suggest the auditors might
> not also provide eIDAS audits, but it seems a real missed opportunity for
> auditors to more proactively engage and ensure needs like Mozilla’s are met.

I have added the following sentence to the top of the Simplified Check
section:
IMPORTANT: At this time, this check may only be used as a preliminary
check, and the Standard Check must also be completed.

Thanks,
Kathleen

clemen...@tuv-austria.com

Jul 3, 2020, 6:14:01 AM
to mozilla-dev-s...@lists.mozilla.org
All,
on behalf of the Accredited Conformity Assessment Bodies council we would like to provide the following background information to the guideline “Verifying ETSI Auditor Qualification” as stated here:
https://wiki.mozilla.org/CA/Audit_Statements#Verifying_ETSI_Auditor_Qualifications

The guideline explains the path for a formal verification of the ETSI/eIDAS Auditor’s qualification through verification of corresponding evidence.
The ACAB council is capable and happy to support this process in the following way:

o every CAB member of the council must be accredited according to IEC/ISO 17065 in conjunction with eIDAS Art. 3.18 and ETSI EN 319 403 or ETSI EN 319 403-1 respectively. During the membership application and verification process for the ACAB council, the applicant has to provide corresponding evidence, which is carefully checked.

o ACAB’c members must incorporate and follow ETSI EN 319 403 for ETSI audits. Especially for publicly trusted certificates, Part 2 of EN 319403 must be followed, which covers all additional requirements for Conformity Assessment Bodies auditing Trust Service Providers that issue Publicly-Trusted Certificates. In simple words, this means that it is mandatory for the relevant Browser requirements incorporated by ETSI to be followed by an accredited CAB member of ACAB’c.

All this is considered and explicitly stated for the “Simplified check” under 1. in the guideline: member CABs were checked following the “Standard Check” which includes the ETSI EN 319 403 (…403-1/-2) referrer in the accreditation documentation. The standard check is performed by ACAB’c as described in the guideline and we certainly want to support the community to rely on that. Hence, all CAB members of ACAB’c comply with the accreditation requirements stated above.

The task to verify that a conformity assessment body fulfils all normative requirements, has necessary competences, etc. is performed by the National Accreditation Bodies (NAB). Only if the CAB demonstrates its compliance with the normative requirements (see above) does it receive its accreditation and/or keep it upright. The decision on the qualifications of an auditor is not done by ACAB’c but by the NAB, which regularly checks the capabilities of the audit against the requirements of EN 319 403. All that ACAB’c does is simplify the representation of accreditation by bringing together information from the accreditation bodies. The full check can always be made to confirm the information provided by ACAB’c.

Standardisation for Trust Services (CA) under the European Scheme is typically performed by the organizations ETSI or CEN or ISO/IEC. The ACAB council is not a standardization organization.

Ryan Sleevi

Jul 3, 2020, 7:48:23 AM
to clemen...@tuv-austria.com, mozilla-dev-s...@lists.mozilla.org
On Fri, Jul 3, 2020 at 6:14 AM clemens.wanko--- via dev-security-policy <
dev-secur...@lists.mozilla.org> wrote:

> All,
> on behalf of the Accredited Conformity Assessment Bodies council we would
> like to provide the following background information to the guideline
> “Verifying ETSI Auditor Qualification” as stated here:
>
> https://wiki.mozilla.org/CA/Audit_Statements#Verifying_ETSI_Auditor_Qualifications
>
> The guideline explains the path for a formal verification of the
> ETSI/eIDAS Auditor’s qualification through verification of corresponding
> evidence.
> The ACAB council is capable and happy to support this process in the
> following way:
>
> o every CAB member of the council must be accredited according IEC/ISO
> 17065 in conjunction with eIDAS Art. 3.18 and ETSI EN 319 403 or ETSI EN
> 319 403-1 respectively. During the membership application and verification
> process for the ACAB council, the applicant has to provide corresponding
> evidence which are carefully checked.


This is not what your charter says, nor what your website says.

https://www.acab-c.com/app/download/5811554709/ACABc+Charter_V3.pdf

https://www.acab-c.com/acab-c-members/

> o ACAB’c members must incorporate and follow ETSI EN 319 403 for ETSI
> audits. Especially for publicly trusted certificates, Part 2 of EN 319403
> must be followed which covers all additional requirements for Conformity
> Assessment Bodies auditing Trust Service Providers that issue
> Publicly-Trusted Certificates. In simple words, this means that it is
> mandatory for the relevant Browser requirements incorporated by ETSI, to be
> followed by an accredited CAB member of ACAB’c.


This is not what your charter says.

> All this is considered and explicitly stated for the “Simplified check”
> under 1. in the guideline: member CABs were checked following the “Standard
> Check” which includes the ETSI EN 319 403 (…403-1/-2) referrer in the
> accreditation documentation. The standard check is performed by ACAB’c as
> described in the guideline and we certainly want to support the community
> to rely on that. Hence, all CAB members of ACAB’C comply with the
> accreditation requirements stated above.


Where is the public evidence that this is true?

I’m not disputing that this could be, and probably is, true. But there’s
zero actual evidence for this that I can see, beyond your assurances here.
And this is part of my abiding concern with the ETSI approach to audits,
because we get grand assurances but when we actually look for them, they
aren’t there. If we’re going to rely on ACAB’c, we need strong evidence of
the claims here, not a well-intentioned post from an ACAB’c member.

> The task to verify that a conformity assessment body fulfils all normative
> requirements, has necessary competences, etc. is performed by the National
> Accreditation Bodies (NAB). Only if the CAB demonstrates their compliance
> to the normative requirements (see above) they receive their accreditation
> and/or can keep it upright.


And time and time again, we’ve said that the NAB is *not* ensuring these
requirements, because they aren’t as you described. The NAB ensures the
requirements with respect to the notified scheme. Even if the CAB
assessment is based on the ETSI assessment criteria for CABs, that still
doesn’t provide any guarantee the CAB is using a scheme for assessing TSPs
that is based on the ETSI criteria.

> The decision on the qualifications of an auditor is not done by ACAB’c but
> the NAB which regularly checks the capabilities of the audit against the
> requirements of EN 319 403.


Citation Needed.

But also, as I said above, 403 isn’t the relevant portion here.

> All that ACAB’c does is simplify the representation of accreditation by
> bringing together information from the accreditation bodies. The full check
> can always be made to confirm the information provided by ACAB’c.
>
> Standardisation for Trust Services (CA) under the European Scheme is
> typically performed by the organizations ETSI or CEN or ISO/IEC. The ACAB
> council is not a standardization organization.


Yes, we know. I don’t understand why this was even included. It fits with
my broader complaint against the ETSI ESI liaisons in the CABF: that every
CABF, we get a recital of what ETSI is and isn’t and how NABs and CABs
work, while the needs of the actual consumers go unmet and unaddressed.

Look, as I said to Kathleen, I’m not unopposed in spirit. But the
statements you’ve made about what ACAB’c is, or what assurances it
provides, are not backed up by what ACAB’c says and documents on its
website. If the ACAB’c agrees that you’ve accurately represented things, it
should be trivial to document these things within your charter.
Unfortunately, for the many encouraging promises browsers have received
from ACAB’c, there’s a worrying lack of substance or independent
verification.

The only statement supporting what you’ve claimed is as a footnote at
https://www.acab-c.com that does not have support within the charter or the
CoC itself. And that’s why I suggested we not rely on the Simplified way
that ACAB’c proposed, because there’s nothing to support the claims, or
that they’re enforced. Similarly, as with most trust, I think we need to
carefully verify still; even if ACAB’c put it on a webpage, as browsers, we
have no proof that ACAB’c follows that process, and we’d be accepting all
the risk. Trust is something that is built over time, through repeated
ongoing demonstration and commitment. While I hope we can build that with
ACAB’c, in due time, these sorts of elementary issues don’t inspire hope
like I wish they would.

clemen...@tuv-austria.com

Jul 13, 2020, 4:42:04 AM
to mozilla-dev-s...@lists.mozilla.org
Hi Ryan,
thanks for your post. And certainly yes: it’s our first goal to serve the needs of our actual consumers. The browsers belong to those in the front row. We are aware of that as we are aware that there is space for improvement for the council.

With regard to your statement about our webpage and the EN 319403 in our documented rules, we are updating that, to be fully clear on entry conditions for our accredited CABs as well as on the requirements and guidelines we follow throughout our audit work. But just to be clear on that: all ACAB’c members were and will be checked to be accredited according to ETSI EN 319403 as well.

What I would like to encourage the browsers to do is to keep staying in touch with us and share your demands, concerns and ideas with us. We shall be more than happy to discuss those with you in order to strengthen the trust, as you are saying it. Please feel free to use me personally as an entry point in the meanwhile, as we at ACAB’c are about to migrate our technical infrastructure to a new platform, which may otherwise cause additional delays. I will share the communication we are having amongst the member CABs and come up with a response.

All the best
Clemens @ the ACAB council

Nicholas Knight

Jul 13, 2020, 9:30:41 AM
to mozilla-dev-s...@lists.mozilla.org
It seems exceptionally strange to me that what, from all appearances, is a 4 year old advocacy body for auditors could be considered an authoritative source. ACAB’c does not seem to have done anything at all to acquire the extremely high level of credibility such a source needs.

The idea that an association of auditors can’t keep its website and charter up to date does nothing to dispel doubt, and is in fact evidence that ACAB’c is not capable of its claimed functions.

I see no browsers or anyone else can rely on ACAB’c, or should. It was not formed for that purpose and there is no evidence it even understands that purpose. I suggest that if they intend to perform this function, it is necessary to start over with a new organization with a new charter and new leadership.

Arvid Vermote

Jul 20, 2020, 10:27:10 AM
to Nicholas Knight, mozilla-dev-s...@lists.mozilla.org
ACAB'c is a group of a few eIDAS CABs working together for reasons; they do not represent all eIDAS CABs, nor do they have any recognized or official function within the eIDAS ecosystem.

Can the ACAB'c member list be relied upon as being accurate and providing correct and latest information on the accreditation status of member CABs? It’s a manual list maintained based on membership applications and their acceptance. Isn't the only current accurate source of accredited eIDAS CAB the 20+ governmental NABs of participating EU countries that are designated to accredit and supervise eIDAS CAB?

Without any visible added value or clear and transparent insights on what supervisory function they perform within the context of the WebPKI ecosystem (filtering which eIDAS CAB and reports are acceptable/qualitative?), why would a specific subset of eIDAS CAB be promoted over other eIDAS CAB? Parties that are interested in becoming a WebPKI CA or maintaining that status often go look at root program requirements as a first source to understand what needs to be done, including what audit attestations need to be obtained and which parties can provide these.

I have difficulties understanding what current reason there is to refer to the ACAB'c and why the "simplified check" seems to suggest only ACAB'c member audit reports are accepted.

Ryan Sleevi

Jul 20, 2020, 11:48:39 AM
to Arvid Vermote, Nicholas Knight, mozilla-dev-s...@lists.mozilla.org
On Mon, Jul 20, 2020 at 10:27 AM Arvid Vermote via dev-security-policy <
dev-secur...@lists.mozilla.org> wrote:

> ACAB'c is a group of a few eIDAS CABs working together for reasons, they
> do not represent all eIDAS CABs neither do they have any recognized or
> official function within the eIDAS ecosystem.


> Can the ACAB'c member list be relied upon as being accurate and providing
> correct and latest information on the accreditation status of member CABs?
> It’s a manual list maintained based on membership applications and their
> acceptance. Isn't the only current accurate source of accredited eIDAS CAB
> the 20+ governmental NABs of participating EU countries that are designated
> to accredit and supervise eIDAS CAB?
>
> Without any visible added value or clear and transparent insights on what
> supervisory function they perform within the context of the WebPKI
> ecosystem (filtering which eIDAS CAB and reports are
> acceptable/qualitiative?), why would a specific subset of eIDAS CAB be
> promoted over other eIDAS CAB? Parties that are interested in becoming a
> WebPKI CA or maintaining that status often go look at root program
> requirements as a first source to understand what needs to be done,
> including what audit attestations that need to be obtained and which
> parties can provide these.
>
> I have difficulties understanding what current reason there is to refer to
> the ACAB'c and why the "simplified check" seems to suggest only ACAB'c
> member audit reports are accepted.


So, I think you make some great points, but I also think this highlights
some confusion that might be worth addressing.

Why would their role within the eIDAS ecosystem have any bearing? We know
that the eIDAS ecosystem is an alternative trust framework for solving a
different set of problems than browsers are trying to solve. Which is
totally OK, but like... it's a bit like saying "The ACAB'c doesn't have a
recognized or official function within the Adobe Document Signing Trust
Framework" and... so?

I think it's reasonable to imagine that if ACAB'c were to provide a similar
model as WebTrust, there might be value in deferring to them *instead of*
the eIDAS ecosystem. I do believe it's entirely a mistake to defer to the
eIDAS ecosystem at all, presently, for the same reason I think it'd be a
mistake to defer to, say, the banking industry's use of ISO 21188 or the
ASC X.9 work. They're separate PKIs with separate goals, and it's totally
OK for eIDAS to do their thing. If ACAB'c were, as you suggest, to provide
filtering of reports, provide normative guidance and enforcement in the
same way that, say, AICPA or CPA Canada provide with respect to their
practitioner standards, and similarly provide a level of assurance similar
to WebTrust licensure, it could make sense.

But I think your criticisms here of ACAB'c are equally criticisms that
could be lobbed at WebTrust, since it's "just" a brand by CPA Canada, and
in theory, "any" auditor participating under IFAC 'could' also provide
audits. That's no different than the discussion here.

However, I do think you're right, whether intentional or not, in pointing
out that the eIDAS ecosystem lacks many of the essential properties that a
_browser_ trust framework relies upon, and that's why I again suggest that
the degree to which ETSI-based audits are accepted should be strongly
curtailed, if not outright prevented. There are too many gaps in the
professional standards, both within ETSI and within the underlying ISO
standards that ETSI builds upon, to provide sufficient assurance. Pivoting
to browser-initiated and/or browser-contracted audits is perhaps the single
most impactful move that could be made with audits. Second to that is the
WebTrust TF's Detailed Control Reports, which I believe should be required
of all CAs.

I don't believe ETSI is even capable of producing a remotely comparable
equivalent. This is because ETSI is not a group of CABs with professional
expertise, but an otherwise 'neutral' (albeit pay-to-play) SDO. Browsers'
notable absence within ETSI (in part, due to the pay-for-play
nature) means that it's unlikely ETSI will produce a standard that reflects
browsers' needs, but even if browsers were to participate, it would be the
same amount of work as if they just produced such a document themselves
with the CABs. At least, in this regard, ACAB'c has a chance of success in
producing something comparable: by being CABs with a vested interest in
producing a service useful to and relied upon by browsers, they may choose
to engage with browsers and work to provide a useful audit and reporting
framework.

But, again, the eIDAS ecosystem largely has no bearing on this. Even the
accreditation, against the ETSI ESI standards used to fulfill the eIDAS
Regulation, doesn't really provide much assurance, as Supervisory Bodies
are currently seeing.

Kathleen Wilson

Aug 26, 2020, 2:54:47 PM
to mozilla-dev-s...@lists.mozilla.org
On 6/3/20 4:20 PM, Kathleen Wilson wrote:
> It recently came to my attention that I need to be more diligent in
> verifying auditor qualifications.
> <snip>
> https://wiki.mozilla.org/CA/Audit_Statements#Auditor_Qualifications

All,

While re-verifying auditor qualifications I have run into the following
situation, on which I will appreciate your opinions.


https://wiki.mozilla.org/CA/Audit_Statements#Standard_Check

>> Check 1: The NAB is listed as “full member” under
>> https://european-accreditation.org/ea-members/directory-of-ea-members-and-mla-signatories/

The NAB, Accredia (https://www.accredia.it/) is listed as a "Full Member".


>> Check 2: The accreditation documentation was issued by that NAB and
>> is hosted on the NAB's website

The accreditation documentation on the NAB's website for a few CABs:

QMSCERT:
http://services.accredia.it/ppsearch/accredia_orgmask.jsp?ID_LINK=1733&area=310&PPSEARCH_ORG_SEARCH_MASK_ORG=3761

Bureau Veritas Italia:
http://services.accredia.it/ppsearch/accredia_orgmask.jsp?ID_LINK=1733&area=310&PPSEARCH_ORG_SEARCH_MASK_ORG=0663

CSQA:
http://services.accredia.it/ppsearch/accredia_orgmask.jsp?ID_LINK=1733&area=310&PPSEARCH_ORG_SEARCH_MASK_ORG=0010


>> Check 3: The CABs accreditation documentation explicitly refers to
>> all of the following: <ETSI EN 319 403, ETSI EN 319 401, ETSI EN 319
>> 411-1, and ETSI EN 319 411-2>

This is where I'm running into difficulty. The NAB's accreditation
documentation does not explicitly state that the CAB is certified to
audit against those ETSI EN standards.

For each of the CABs listed above, an Allegato (for UNI CEI EN/ISO/IEC
17065:2012) can be downloaded that says: "TSP (Trust Service Provider)
and the services they offer compared with (EU Regulation) 910/2014 and /
or specific provisions adopted by the national authorities for the
services covered by the Accreditation Scheme."

Which apparently refers to the following documents that list the
ETSI EN standards:
Italian:
https://www.accredia.it/app/uploads/2020/03/Circolare_tecnica_DC_05-2020.pdf
English:
https://www.accredia.it/app/uploads/2017/03/7015_DC2017SSV046eng.pdf
https://www.accredia.it/documento/circolare-dc-n-82017-informativa-in-merito-allaccreditamento-degli-organismi-di-certificazione-operanti-a-fronte-dei-requisiti-del-regolamento-ue-2014_910-eidas-e-della-norma-etsi-en-319_4/


Is that sufficient evidence that the CAB is certified by the NAB to
audit according to the ETSI EN 319 403, ETSI EN 319 401, ETSI EN 319
411-1, and ETSI EN 319 411-2 standards?

Thanks,
Kathleen

Ben Wilson

Aug 26, 2020, 3:29:23 PM
to Kathleen Wilson, mozilla-dev-security-policy
In a draft template for audit attestations, provided by the ACAB'c, the
template would provide a URL to the NAB's certification of the CAB with a
statement that the NAB had certified the CAB to perform "certification of
trust services according to 'EN ISO/IEC 17065:2012' and 'ETSI EN 319 403
V2.2.2 (2015-08)' " but with a note that the CAB could update the template
based on actual certifications received from the NAB. This raises the
question of whether NABs typically include ETSI EN 319 401, ETSI EN 319
411-1 and ETSI EN 319 411-2 in such CAB certification records. If not,
maybe references to EN ISO/IEC 17065:2012 and ETSI EN 319 403 V2.2.2
(2015-08) would then need to be sufficient. That is something that would be
good to know.

Thanks, Kathleen

Kathleen Wilson

Aug 26, 2020, 4:16:21 PM
to mozilla-dev-s...@lists.mozilla.org
On 8/26/20 12:29 PM, Ben Wilson wrote:
> This raises the
> question of whether NABs typically include ETSI EN 319 401, ETSI EN 319
> 411-1 and ETSI EN 319 411-2 in such CAB certification records.


The answer to that question is yes, the other NABs typically do list
that information directly in the CAB certification records.

Here are a few examples:

https://www.enac.es/documents/7020/5ae31445-73fa-4e16-acc4-78e079375c4f

http://www.ipac.pt/pesquisa/ficha_ocp.asp?id=C0009

http://www.ukas.com/wp-content/uploads/schedule_uploads/00011/00295/0003Product%20Certification.pdf

http://www.cofrac.fr/annexes/sect5/5-0597.pdf

https://nah.gov.hu/uploads/attachment/file/7913/RO_3_-CERTOP_0034_K_2019_03_28.pdf


https://www.dakks.de/as/ast/d/D-ZE-16077-01-00.pdf

Cheers,
Kathleen

Nikolaos Soumelidis

Aug 26, 2020, 4:21:45 PM
to Kathleen Wilson, mozilla-dev-security-policy
Dear Kathleen,

As you accurately pointed out, Accredia's Regulations (Circular No.8/2017 and the updated No.5/2020) enforce the use of ETSI EN 319 403 and the related ETSI EN 319 4xx standards by all its accredited CABs since the beginning of this accreditation.
The accreditation regulation is a normative document for all CABs accredited by the NAB. In fact, in the case of Accredia, it has several additional requirements which go significantly beyond the requirements imposed by ETSI standards and the eIDAS Regulation (the latter applies to EU Qualified Certificates).

I can assure that QMSCERT has been evaluated according to this, and even though I cannot speak on behalf of Accredia, I am certain this applies to all CABs accredited by Accredia.

As per your observation about the lack of an explicit reference, we were also intrigued by this issue at the end of June, so we had already reached out to Accredia on July 3rd, 2020 (exactly for the same reason/question). One would expect that they would put that in the accreditation documents or references, but for some yet unknown reason they don't.

If you feel that this is necessary, we can reach out to them again and provide feedback as soon as we get it.

Best regards,
Nikolaos Soumelidis


Kathleen Wilson

Aug 26, 2020, 4:42:03 PM
to mozilla-dev-s...@lists.mozilla.org
On 8/26/20 12:35 PM, Nikolaos Soumelidis wrote:
>
> One would expect that they would put that in the accreditation documents or references,
>

That helps answer part of my question -- that it is reasonable to expect
the NAB's accreditation document to specifically list these ETSI EN
standards.


> If you feel that this is necessary, we can reach out to them again and provide feedback as soon as we get it.

I will greatly appreciate it if you can reach out to them again. Please
let me know what information you would need.

According to the instructions for verifying ETSI auditor qualifications
(https://wiki.mozilla.org/CA/Audit_Statements#Standard_Check) it is
necessary that there be something on the NAB's website that clearly
indicates that the CAB is accredited to perform audits for those
specific standards. So my question in this m.d.s.p forum is: Is the
information currently provided by Accredia specific enough, or do we
need to get Accredia to update their documentation process?

Note that with the exception of 4 CABs accredited by Accredia and 1 CAB
accredited by CAI, I was able to complete
https://wiki.mozilla.org/CA/Audit_Statements#Standard_Check for the CABs
used by CAs in Mozilla's root store.
The 5 CABs that I haven't been able to complete the Standard Check for are:

- Bureau Veritas Italia S.p.A. - NAB is Accredia
- CSQA - NAB is Accredia
- KIWA - NAB is Accredia
- QMSCERT - NAB is Accredia
- QSCert - NAB is CAI

Thanks,
Kathleen

Nikolaos Soumelidis

Aug 26, 2020, 5:01:27 PM8/26/20
to Kathleen Wilson, mozilla-dev-s...@lists.mozilla.org
>> I will greatly appreciate it if you can reach out to them again. Please
>> let me know what information you would need.

Will definitely do. Probably no other information will be needed by you, but
I do appreciate the offer.


>> Note that with the exception of 4 CABs accredited by Accredia and 1 CAB
>> accredited by CAI, I was able to complete
>> https://wiki.mozilla.org/CA/Audit_Statements#Standard_Check for the CABs
>> used by CAs in Mozilla's root store.
>> The 5 CABs that I haven't been able to complete the Standard Check for are:
>>
>> - Bureau Veritas Italia S.p.A. - NAB is Accredia
>> - CSQA - NAB is Accredia
>> - KIWA - NAB is Accredia
>> - QMSCERT - NAB is Accredia
>> - QSCert - NAB is CAI

Please note that in the case of QMSCERT ("A" member of ACAB'C),
https://wiki.mozilla.org/CA/Audit_Statements#Simplified_Check applies.

Best regards,
Nikolaos Soumelidis

Kathleen Wilson

Aug 26, 2020, 5:11:04 PM8/26/20
to mozilla-dev-s...@lists.mozilla.org
On 8/26/20 2:01 PM, Nikolaos Soumelidis wrote:
>>> I will greatly appreciate it if you can reach out to them again. Please
>>> let me know what information you would need.
>
> Will definitely do. Probably no other information will be needed by you, but
> I do appreciate the offer.
>

Thanks!

>
>
> Please note that in the case of QMSCERT ("A" member of ACAB'C),
> https://wiki.mozilla.org/CA/Audit_Statements#Simplified_Check applies.



https://wiki.mozilla.org/CA/Audit_Statements#Simplified_Check
"IMPORTANT: At this time, this check may only be used as a preliminary
check, and the Standard Check must also be completed."

But the ACAB'c list is very helpful, with the direct link to the
accreditation attestation for each ACAB.

Kathleen Wilson

Aug 28, 2020, 6:59:34 PM8/28/20
to mozilla-dev-s...@lists.mozilla.org
On 8/26/20 1:41 PM, Kathleen Wilson wrote:
> The 5 CABs that I haven't been able to complete the Standard Check for are:
>
> - Bureau Veritas Italia S.p.A. - NAB is Accredia
> - CSQA - NAB is Accredia
> - KIWA - NAB is Accredia
> - QMSCERT - NAB is Accredia
> - QSCert - NAB is CAI
>

Update: I received email from Accredia declaring the ETSI EN standards
that the KIWA CAB is accredited for. I think it is reasonable to accept
that for this auditor's re-verification. And I have asked that KIWA
request Accredia to provide this information directly on their website
for future reference.

Kathleen Wilson

Aug 31, 2020, 2:07:24 PM8/31/20
to mozilla-dev-s...@lists.mozilla.org
Updates:

1) I received email from Accredia declaring the ETSI EN standards that
the QMSCERT CAB is accredited for, and I will accept that for now.

2) The email from Accredia also said "We are working to provide this
information directly on our website for future references."

3)
https://ec.europa.eu/futurium/en/content/list-conformity-assessment-bodies-cabs-accredited-against-requirements-eidas-regulation
was updated to provide the updated
list_of_eidas_accredited_cabs-2020-08-28.pdf

Note: The
https://ec.europa.eu/futurium/en/content/list-conformity-assessment-bodies-cabs-accredited-against-requirements-eidas-regulation
site says:
"Please note that the list is an informative tool."
So, the list_of_eidas_accredited_cabs-2020-08-28.pdf is not in itself
sufficient proof of a CAB's qualifications. It is very helpful in making
it easy to find the NAB and CAB accreditation information, but we must
still check the NAB and CAB accreditation information and make sure the
CAB accreditation document lists the ETSI EN 319 403, ETSI EN 319 401,
ETSI EN 319 411-1, and ETSI EN 319 411-2 standards as per
https://wiki.mozilla.org/CA/Audit_Statements#Standard_Check

Thanks to all of you who have been helping with this!

Kathleen

Kathleen Wilson

Sep 1, 2020, 2:47:32 PM9/1/20
to mozilla-dev-s...@lists.mozilla.org
Update: I received email from Accredia declaring the ETSI EN standards
that the Bureau Veritas Italia S.p.A. and CSQA CABs are accredited for,
and I will accept those for now.

So the remaining CAB that I still need to verify is QSCert, and I filed
the following bug for it:

https://bugzilla.mozilla.org/show_bug.cgi?id=1662533

Thanks,
Kathleen

Nikolaos Soumelidis

Oct 12, 2020, 2:06:52 AM10/12/20
to Kathleen Wilson, mozilla-dev-s...@lists.mozilla.org
Dear Kathleen,

We have been informed by ACCREDIA that the accreditation pages have now been updated to include ETSI EN 319 403. This removes any ambiguity.

URLs remain the same; for example, QMSCERT's accreditation:
https://services.accredia.it/ppsearch/accredia_orgmask.jsp?ID_LINK=1733&area=310&PPSEARCH_ORG_SEARCH_MASK_ORG=3761&PPSEARCH_ORG_SEARCH_MASK_SCHEMI=&PPSEARCH_ORG_SEARCH_MASK_SCHEMI_ALTRI=&PPSEARCH_ODC_SEARCH_MASK_SETTORE_ACCR=&PPSEARCH_ORG_SEARCH_MASK_CITTA=&PPSEARCH_ORG_SEARCH_MASK_PROVINCIA=&PPSEARCH_ORG_SEARCH_MASK_REGIONE=&PPSEARCH_ORG_SEARCH_MASK_STATO=&orgtype=all&PPSEARCH_ORG_SEARCH_MASK_SCOPO=&PPSEARCH_ORG_SEARCH_MASK_PDFACCREDITAMENTO=&submitBtn=Cerca

From a quick check, this applies for the other ACCREDIA CABs as well.

In addition to the above fix, the new accreditation documents will include similar explicit references.

Best regards,
Nikolaos Soumelidis


Kathleen Wilson

Oct 12, 2020, 2:04:57 PM10/12/20
to mozilla-dev-s...@lists.mozilla.org
On 10/11/20 11:06 PM, Nikolaos Soumelidis wrote:
> Dear Kathleen,
>
> We have been informed by ACCREDIA that the accreditation pages have now been updated to include ETSI EN 319 403. This removes any ambiguity.
>
> URLs remain the same; for example, QMSCERT's accreditation:
> https://services.accredia.it/ppsearch/accredia_orgmask.jsp?ID_LINK=1733&area=310&PPSEARCH_ORG_SEARCH_MASK_ORG=3761&PPSEARCH_ORG_SEARCH_MASK_SCHEMI=&PPSEARCH_ORG_SEARCH_MASK_SCHEMI_ALTRI=&PPSEARCH_ODC_SEARCH_MASK_SETTORE_ACCR=&PPSEARCH_ORG_SEARCH_MASK_CITTA=&PPSEARCH_ORG_SEARCH_MASK_PROVINCIA=&PPSEARCH_ORG_SEARCH_MASK_REGIONE=&PPSEARCH_ORG_SEARCH_MASK_STATO=&orgtype=all&PPSEARCH_ORG_SEARCH_MASK_SCOPO=&PPSEARCH_ORG_SEARCH_MASK_PDFACCREDITAMENTO=&submitBtn=Cerca
>
> From a quick check, this applies for the other ACCREDIA CABs as well.
>
> In addition to the above fix, the new accreditation documents will include similar explicit references.
>
> Best regards,
> Nikolaos Soumelidis
>

Thanks for letting me know. I have updated the corresponding auditor
qualifications in the CCADB, since ACCREDIA now provides the required
information directly on their website.

Thanks!
Kathleen
