CA/Audit Statements: Difference between revisions

For ETSI auditors, a representative of Mozilla performs the following steps to verify the qualifications of both the auditor which is the Conformity Assessment Body (CAB), and the National Accreditation Body (NAB).

* Find the name and location of the NAB

** There is a voluntary, informative (and potentially out-of-date) list here: https://ec.europa.eu/futurium/en/content/list-conformity-assessment-bodies-cabs-accredited-against-requirements-eidas-regulation

** The CAB should indicate the NAB and their Certificate. Confirm the Certificate with the NAB (of which they're all required to have online search capabilities, per the ISO/IEC standards the NABs themselves implement), and then look for either ETSI or ISO 17065.

* Make sure the NAB is listed at European Accreditation via https://european-accreditation.org/

** Check that the scope of the NAB includes ???

* Within the NAB, perform a search for the CAB (taking care to make sure the addresses match)

* The CAB either needs to be assessed against ISO 17065 (per EN 319 403) or against the ETSI standards themselves (for those NABs that do so)

** Notably: QWACs are allowed to be issued based on standards other than ETSI, so if the CAB asserts that they're assessed against (national scheme), that's not necessarily sufficient to prove they meet the BRs or the Mozilla Policy. An example of this might be tScheme or the GOV.UK ID Scheme, the former which is not qualified and the latter which is a "notified scheme" (aka QWAC issuer), but neither of these use the ETSI guidelines and so neither meet the BRs / Mozilla Policy, and are more akin to "Government equivalent audits"

** Also note that the NAB an auditor is assessed against MAY NOT be the NAB in which they're headquartered, depending on complexities around the mutual recognition treaties