[cabfpub] Baseline requirements for codesigning - Feb 4 2015.doc
i-barreira at izenpe.net
i-barreira at izenpe.net
Fri Feb 13 08:16:20 UTC 2015
Dear Jody,
I understand your concern because it´s not easy for you to manage all possible combinations regarding ETSI audits in different countries so will try to clarify your example.
First of all, no AuditCo has to be member of ETSI, AuditCo can perform ETSI accredited audits without being member of ETSI, they only need to be accredited in their country as stated in Annex E requirements.
So,
For example,
· Company A is a commercial CA that operates in Israel
· Auditor Jones works for AuditCo, which is based in Israel
· AuditCo is certified by some governmental agency as a qualified auditor
IBà AuditCo has to be accredited under its National Accreditation Body according to ISO 17021. In the case of Israel, to follow the example, in the associated members tab of the EA, you can find the Israeli accreditation body, called ISRAC. Then AuditCo should be listed there and meeting the requirements to perform ETSI audits according to the national scheme indicated by ISRAC
· AuditCo is not an ETSI Member or Associate Member
IB à this is not necessary. No need to be an ETSI member to perform ETSI audits
· Auditor Jones audits Company A using the ETSI 102042 standard, and Company A sends the auditor's attestation letter to Microsoft as evidence that Company A complied with the Program's requirements.
IBà this is perfectly valid if AuditCo is listed in ISRAC and is allowed to perform ETSI audits. Of course Auditor Jones has to be also accredited to perform these kind of audits, has to be "qualified", so it´s not only the company but also the auditor, but that´s an internal task of the AuditCo.
Regarding of being member of not, this is voluntary, they can join ETSI or not and don´t think that solve the problem because joining ETSI does not mean that you´re "qualified" or "accredited" to perform an ETSI audit, it´s just indicate that you belong to a club for example.
And of course, if company A needs an auditing company accredited in Israel and there´s none, they can look for in other countries. For example, in Spain there´s no accredited auditing bodies to perform ETSI audits listed in our NAB, called ENAC, so, we, Izenpe, had to look for another option. So, we contacted for the first 6 years with KPMG in the Netherlands, and the last 3, with TUV IT in Germany. And Izenpe has an accredited ETSI audits according to the, right now, German national scheme and we´re listed in Germany.
We´ll debate this within ETSI ESI trying to find an easier solution.
Regards
Iñigo Barreira
Responsable del Área técnica
i-barreira at izenpe.net <mailto:i-barreira at izenpe.net>
945067705
ERNE! Baliteke mezu honen zatiren bat edo mezu osoa legez babestuta egotea. Mezua badu bere hartzailea. Okerreko helbidera heldu bada (helbidea gaizki idatzi, transmisioak huts egin) eman abisu igorleari, korreo honi erantzuna. KONTUZ!
ATENCION! Este mensaje contiene informacion privilegiada o confidencial a la que solo tiene derecho a acceder el destinatario. Si usted lo recibe por error le agradeceriamos que no hiciera uso de la informacion y que se pusiese en contacto con el remitente.
De: Jody Cloutier [mailto:jodycl at microsoft.com]
Enviado el: miércoles, 11 de febrero de 2015 0:32
Para: Barreira Iglesias, Iñigo; public at cabforum.org
Asunto: RE: [cabfpub] Baseline requirements for codesigning - Feb 4 2015.doc
Thank you, Inigo.
I think the problem is that, under ETSI, it's difficult to discern what an "equivalent national scheme" is. This sets up the scenario in which an auditor is employed by an organization that is recognized somehow by the government, but is not affiliated with an ETSI member organization (http://www.european-accreditation.org/home ). Microsoft does not know whether or not this auditor is qualified or not.
For example,
· Company A is a commercial CA that operates in Israel
· Auditor Jones works for AuditCo, which is based in Israel
· AuditCo is certified by some governmental agency as a qualified auditor
· AuditCo is not an ETSI Member or Associate Member
· Auditor Jones audits Company A using the ETSI 102042 standard, and Company A sends the auditor's attestation letter to Microsoft as evidence that Company A complied with the Program's requirements.
In this scenario, how does Microsoft know that Auditor Jones conducted a proper audit without expending significant resources to determine whether and according to what standard AuditCo and Auditor Jones was certified?
Microsoft believes that it would be simpler if the requirements were that the Auditor must work for a company that is affiliated with an ETSI-approved member organization. If Company A needs an auditor and there is no qualified auditor in Israel, the company can use an auditor from a member organization via the cross-border conformity rules.
Unless I am fundamentally misunderstanding the rules, the above is something that Microsoft is presently struggling with, and we'd like to try to make the rules easier to understand for potential partners and ourselves.
Jody Cloutier
Senior Security Program Manager
Microsoft Trusted Root Certificate Program <http://aka.ms/rootcert>
jody.cloutier at microsoft.com <mailto:jody.cloutier at microsoft.com>
425.443.8922
Operating Systems Group Global Risk and Compliance
<http://microsoft.com/>
From: i-barreira at izenpe.net [mailto:i-barreira at izenpe.net]
Sent: Tuesday, February 10, 2015 3:09 AM
To: Jody Cloutier; public at cabforum.org
Subject: RE: [cabfpub] Baseline requirements for codesigning - Feb 4 2015.doc
Hi Jody,
Regarding your comment on ETSI audits, I have to say that the ETSI audits shall be performed by accredited auditors as mentioned in Annex E of the current ETSI TS 102 042. ETSI audits performed by not accredited auditors shall be considered invalid.
Microsoft is accepting ETSI audits since the very beginning in its root program requirements indicating this requirement. ETSI is providing a list of accredited auditors as mere information because has to be maintained by every NAB (National Accreditation Body).
It´s true that this has to be improved regarding the new regulation 910/2014 and the new ENs and will take some time, but at the moment, it´s clearly stated that the audits shall be performed by accredited auditors.
Don´t hesitate in contacting me for any additional information or help. Sometimes I´ve received some emails from Tom or Kelvin asking for the qualification of some audits, so, as say, you can contact me regarding this issue.
Regards
Iñigo Barreira
Responsable del Área técnica
i-barreira at izenpe.net <mailto:i-barreira at izenpe.net>
945067705
ERNE! Baliteke mezu honen zatiren bat edo mezu osoa legez babestuta egotea. Mezua badu bere hartzailea. Okerreko helbidera heldu bada (helbidea gaizki idatzi, transmisioak huts egin) eman abisu igorleari, korreo honi erantzuna. KONTUZ!
ATENCION! Este mensaje contiene informacion privilegiada o confidencial a la que solo tiene derecho a acceder el destinatario. Si usted lo recibe por error le agradeceriamos que no hiciera uso de la informacion y que se pusiese en contacto con el remitente.
De: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] En nombre de Jody Cloutier
Enviado el: lunes, 09 de febrero de 2015 18:55
Para: CABFPub (public at cabforum.org)
Asunto: [cabfpub] Baseline requirements for codesigning - Feb 4 2015.doc
Microsoft comments on Section 17.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20150213/f5643dcd/attachment-0003.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image001.png
Type: image/png
Size: 19121 bytes
Desc: image001.png
URL: <http://lists.cabforum.org/pipermail/public/attachments/20150213/f5643dcd/attachment-0006.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image002.png
Type: image/png
Size: 1181 bytes
Desc: image002.png
URL: <http://lists.cabforum.org/pipermail/public/attachments/20150213/f5643dcd/attachment-0007.png>
More information about the Public
mailing list