[cabfpub] When to stop accepting old ETSI audits?

Dimitris Zacharopoulos jimmy at it.auth.gr
Tue Nov 29 09:33:02 UTC 2016 

On 29/11/2016 9:10 πμ, Miskovic Peter via Public wrote:
>
> Hi Richard,
>
> according my opinion this is true only for those audits which TSP 
> shall provide for the supervisory body (eIDAS Regulation Article 17) 
> at least every 24 month. Mozilla is not such supervisory body so it’s 
> on their decision what will be accepted. I agree with Inigo and 
> Moudrick that the July 1, 2017 is reasonable date because at June 30, 
> 2017 ends transitional measure (eIDAS Regulation, Artice 51 (3)) for 
> submitting conformity assessment report to the supervisory body 
> according eIDAS regulation. So all EU TSP  which are qualified TSP now 
> due the transitional measure (eIDAS Regulation, Artice 51 (3))  still 
> has a time to wait  with such type of audit.
>
> Regards
>
> Peter
>


I agree with Peter Μ.,

If a TSP wants to only issue SSL certificates, the supervisory body and 
eIDAS is out of the picture. I assume Mozilla is only interested in 
seeing an audit report against ETSI EN 319 411-1 from an accredited 
Conformance Accreditation Body (CAB).

Now, the problem most EU Member States are facing even today (as many 
delegates have stated several times already) is that most National 
Accreditation Bodies (NABs) haven't completed the ETSI EN 319 403 
accreditation process for CABs. This leaves only a very few CABs 
accredited for the new scheme. Even today, the ACAB-c list only two CABs 
http://www.acab-c.com/accredited-bodies/ (LSTI, France and TUV-IT, 
Germany). There may be more but one would have to look at the web site 
of each Member State's NAB.

We do hope that more CABs will have completed their accreditation 
process by July 2017 but what if the NABs require more time? In the 
Bilbao F2F meeting <https://cabforum.org/2016/05/25/2016-05>, I recall 
discussing that one of the main differences between the TS 102 042 and 
EN 319 411-1 in terms of auditing, is the auditor accreditation scheme. 
In EN 319 411-1, the auditor's base accreditation scheme is ISO 17065 
and there are many CABs already accredited for that. The main problem 
for NABs is the lack of criteria for CAB accreditation against ETSI EN 
319 403 on top of ISO 17065. There may be a transitional period where an 
ISO 17065 CAB accreditation is sufficient to audit against EN 319-411-1 
until more NABs establish criteria for accreditation with EN 319 403.

Dimitris.


> *From:*Public [mailto:public-bounces at cabforum.org] *On Behalf Of 
> *tScheme Technical Manager via Public
> *Sent:* Tuesday, November 29, 2016 12:59 AM
> *To:* 'Moudrick M. Dadashov' <md at ssc.lt>; 'CA/Browser Forum Public 
> Discussion List' <public at cabforum.org>
> *Cc:* tScheme Technical Manager <richard.trevorah at tScheme.org>
> *Subject:* Re: [cabfpub] When to stop accepting old ETSI audits?
>
> That is certainly true in some Member States (UK included) but is 
> doesn’t alter fact that eIDAS came into force on 1^st July 2016 and 
> any Conformity Assessment Report submitted after that date would have 
> to demonstrate compliance with the eIDAS regulation – and the old ETSI 
> TS are not sufficient for that purpose.
>
> However, I believe that some MS have produced their Supervisory Body 
> requirements (e.g. LU, MT & SE) and there are also some very detailed 
> guidelines being drafted by ENISA that can be viewed at 
> https://www.enisa.europa.eu/topics/trust-services/guidelines/
>
> Cheers
>
> Richard
>
> ------------------------------------
> Richard Trevorah
> Technical Manager
> tScheme Limited
>
> M: +44 (0) 781 809 4728
> F: +44 (0) 870 005 6311
>
> http://www.tscheme.org
> ------------------------------------
>
> The information in this message and, if present, any attachments are 
> intended solely for the attention and use of the named addressee(s). 
> The content of this e-mail and its attachments is confidential and may 
> be legally privileged. Unless otherwise stated, any use or disclosure 
> is unauthorised and may be unlawful.
>
> If you are not the intended recipient, please delete the message and 
> any attachments and notify the sender as soon as practicable
>
> *From:*Moudrick M. Dadashov [mailto:md at ssc.lt]
> *Sent:* 28 November 2016 23:33
> *To:* tScheme Technical Manager; 'CA/Browser Forum Public Discussion List'
> *Subject:* Re: [cabfpub] When to stop accepting old ETSI audits?
>
> Indeed, Richard, but unfortunately what used to be a single step 
> (audit) now needs two steps - the TSPs need to meet also the 
> [non-existing] supervisor requirements.
>
> Thanks,
> M.D.
>
> On 11/29/2016 1:05 AM, tScheme Technical Manager wrote:
>
>     Technically, eIDAS gave July 2016 as the cutoff but allowed one
>     year for transition. However, it states that any audits after July
>     2016 must use new requirements.
>
>     Cheers
>
>     Richard
>
>     ------------------------------------
>     Richard Trevorah
>     Technical Manager
>     tScheme Limited
>
>     M: +44 (0) 781 809 4728
>     F: +44 (0) 870 005 6311
>
>     http://www.tscheme.org
>     ------------------------------------
>
>     The information in this message and, if present, any attachments
>     are intended solely for the attention and use of the named
>     addressee(s). The content of this e-mail and its attachments is
>     confidential and may be legally privileged. Unless otherwise
>     stated, any use or disclosure is unauthorised and may be unlawful.
>
>     If you are not the intended recipient, please delete the message
>     and any attachments and notify the sender as soon as practicable
>
>     *From:*Public [mailto:public-bounces at cabforum.org] *On Behalf Of
>     *Moudrick M. Dadashov via Public
>     *Sent:* 28 November 2016 22:59
>     *To:* CA/Browser Forum Public Discussion List
>     *Cc:* Moudrick M. Dadashov
>     *Subject:* Re: [cabfpub] When to stop accepting old ETSI audits?
>
>     Yes, July 2017 is reasonable - the new ones require extra
>     bureaucracy with the supervisors.
>
>     Thanks,
>     M.D.
>
>     On 11/28/2016 3:44 PM, Gervase Markham via Public wrote:
>
>         Dear CAB Forum members,
>
>         Ballot 171, passed on 1st July 2016, updated the BRs to remove
>         the old
>
>         ETSI criteria (ETSI TS 101 456 V1.4.3 or ETSI TS 102 042
>         V2.3.1) and add
>
>         the new ones (ETSI EN 319 411-1 v1.1.1 or ETSI EN 319 411-2
>         v2.1.1).
>
>         This change was made in BRs v.1.3.6. However, no dates were
>         associated
>
>         with the change.
>
>         Mozilla CA Policy 2.3 (about to be published) permits either
>         set of
>
>         criteria to be used.
>
>         By what date would it be reasonable for Mozilla to require
>         that all new
>
>         ETSI audits use the new criteria?
>
>         Inigo says that eIDAS (which, of course, refers only to the
>         issuance of
>
>         Qualified certificates) have specified July 2017 as the end
>         date for the
>
>         old criteria. Would that be a reasonable choice?
>
>         Gerv
>
>         _______________________________________________
>
>         Public mailing list
>
>         Public at cabforum.org <mailto:Public at cabforum.org>
>
>         https://cabforum.org/mailman/listinfo/public
>
>
>
> _______________________________________________
> Public mailing list
> Public at cabforum.org
> https://cabforum.org/mailman/listinfo/public

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20161129/713f03a9/attachment-0003.html>

More information about the Public mailing list