CA/Audit Statements: Difference between revisions

MSRP now requires ETSI auditors to be listed as members of ACAB'c.
(→‎Providing Auditor Qualifications: Attempt to clarify language)
(MSRP now requires ETSI auditors to be listed as members of ACAB'c.)
Line 138: Line 138:


== Verifying ETSI Auditor Qualifications ==
== Verifying ETSI Auditor Qualifications ==
For ETSI auditors, a representative of Mozilla checks to verify the qualifications of both the National Accreditation Body (NAB) and the Conformity Assessment Body (CAB) which is the auditor.
For ETSI auditors, a representative of Mozilla confirms that the auditor's name and [https://european-accreditation.org/ea-%20members/directory-of-ea-members-and-mla-signatories/ Accreditation Attestation] are listed in https://www.acab-c.com/members/.  


==== Simplified Check ====
Send email to secretary@acab-c.org for more information about this list or about the process to become a accredited auditor for Trust Services under the EU eIDAS scheme following ETSI normative requirements as applicable to serve the [https://cabforum.org/ CA/B Forum] ecosystem and the [https://www.mozilla.org/projects/security/certs/policy/ Mozilla Browser Root Store Policy].
''IMPORTANT'': At this time, this check may only be used as a preliminary check, and the Standard Check must also be completed. ([https://groups.google.com/d/msg/mozilla.dev.security.policy/jBFkGwPXF-Y/mpSzMl7iBwAJ reference])
<br /><br />
Check whether the accredited CAB is listed as ACAB’c member in https://www.acab-c.com/acab-c-members
* All ACAB’c member CABs were carefully vetted that they:
*# possess the required accreditation as per the Standard Check;
*# have signed the [https://www.acab-c.com/terms-conditions-and-policies/ ACAB’c code of conduct]; and
*# use the Audit Attestation template agreed with the Browsers via the CA/Browser Forum.
 
==== Standard Check ====
* Require the ETSI auditor to provide as evidence links to their National Accreditation Body (NAB) and their accreditation documentation, listed by the NAB on their webpages.
** For some ETSI auditors this information may be found here: https://ec.europa.eu/futurium/en/content/list-conformity-assessment-bodies-cabs-accredited-against-requirements-eidas-regulation
*** This list is an informative tool to make it easier to find the information below that must be confirmed directly via the ea-members list and the CAB's accreditation documentation on the NAB's website.
* Confirm the following:
** The NAB is listed as “full member” under https://european-accreditation.org/ea-members/directory-of-ea-members-and-mla-signatories/
** The accreditation documentation was issued by that NAB and is hosted on the NAB's website
** The CAB's accreditation documentation explicitly refers to all of the following:
*** ETSI EN 319 403
**** as the relevant standard for the CAB to perform ETSI audits, allocated under ISO/IEC 17065 as framing standard.
**** The EU eIDAS Regulation 910/2014 can be listed to supplement that information but – alone – is not sufficient to demonstrate ETSI auditors qualification.
*** ETSI EN 319 401 and ETSI EN 319 411-1
**** as standards to audit publicly trusted CA/Trust Service Provider
*** ETSI EN 319 411-2
**** as standard to audit publicly trusted CA/Trust Service Provider
**** which issue QWACS certificates according to the EU eIDAS Regulation 910/2014.


==== Comprehensive Check ====
==== Comprehensive Check ====
This check is only needed if the Standard Check was not successful.
The following additional check is only needed if the auditor's name and Accreditation Attestation are not listed in https://www.acab-c.com/members/.  
* Require the ETSI auditor to provide a comprehensive written explanation about why they are not conformant with the above mentioned scheme. The auditor must provide a rationale clearly referring back to all of the following:  
* Require the ETSI auditor to provide a comprehensive written explanation about why they are not listed in not listed in https://www.acab-c.com/members/
* The auditor must provide a rationale clearly referring back to all of the following:
** European Accreditation to demonstrate they act under the EU accreditation scheme,
** European Accreditation to demonstrate they act under the EU accreditation scheme,
** ISO/IEC 17065 plus ETSI EN 319 403 to demonstrate they are accredited/allowed to audit publicly trusted CA/Trust Service Provider according to ETSI EN 319 401 and ETSI EN 319 411-1 and
** ISO/IEC 17065 plus ETSI EN 319 403-1 to demonstrate they are accredited/allowed to audit publicly trusted CA/Trust Service Provider according to
** ETSI EN 319 411-2 for QWACS certificates according to the EU eIDAS Regulation 910/2014.
*** ETSI EN 319 401 and ETSI EN 319 411-1 and
*** ETSI EN 319 411-2 for QWACS certificates according to the EU eIDAS Regulation 910/2014.
* Review the documents and explanation.
* Review the documents and explanation.
* Request external review from ACAB’c to provide opinion about the CAB's accreditation.
* Request external review from ACAB’c to provide opinion about the CAB's accreditation.
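Review bot: the new bullet "Require the ETSI auditor to provide a comprehensive written explanation about why they are not listed in not listed in https://www.acab-c.com/members/" repeats "not listed in"; drop one copy. Two further points in the same hunk: the new opening sentence's Accreditation Attestation link carries an encoded space in its path ("ea-%20members"), whereas the directory URL used elsewhere on this page reads "https://european-accreditation.org/ea-members/directory-of-ea-members-and-mla-signatories/", so the new link looks like a paste error that will not resolve; and the new rationale bullet changes "ISO/IEC 17065 plus ETSI EN 319 403" to "ISO/IEC 17065 plus ETSI EN 319 403-1" while the Standard Check text shown above still cites "ETSI EN 319 403" and the edit summary says nothing about a part-number change, so confirm that "403-1" is intended and, if so, apply it consistently.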