[cabfpub] When to stop accepting old ETSI audits?

Dimitris Zacharopoulos jimmy at it.auth.gr
Tue Nov 29 12:18:35 UTC 2016

On 29/11/2016 1:13 μμ, Gervase Markham wrote:
> On 29/11/16 09:33, Dimitris Zacharopoulos via Public wrote:
>> We do hope that more CABs will have completed their accreditation
>> process by July 2017 but what if the NABs require more time? In the
> So your suggestion is that we continue to accept audits against either
> set of criteria until the situation is more clear? I.e. that there's no
> point setting a cut-off date now?

I am not against the cut-off date of July 1st 2017 for the TS criteria. 
My suggestion was for Mozilla to accept audit reports with the new 
standards (EN) from CABs that are currently accredited by NABs against 
ISO 17065 (the new EN criteria's core audit scheme) for the transition 
year (say until July 2018). This should be enough time for NABs to 
create the appropriate criteria for CABs to be accredited against ETSI 
EN 319 403. We could revisit this around April 2017 and see how many 
CABs are accredited against 17065+EN319403 and re-assess the requirements.

> Here's an alternative question: if we were to set a cut-off date at some
> point in the future, how much lead time would ETSI-audited CAs need?
> Obviously, if I said "OK, all new audits have to be the new standard,
> starting tomorrow", and you were right in the middle of your audit, that
> would be rather irritating. Would 3 months be sufficient between the
> setting of the date and the date itself?
> Gerv

The controls that are audited between the two standards (TS and EN) are 
almost the same. This means that even if a CA is currently being audited 
with the TS criteria and decide to change to the new EN criteria, their 
auditor will probably not need to check the same controls again (because 
they have already verified most of these controls). Auditors would only 
need to re-map the numbering of most of the findings but this process is 
in the auditor's discretion. Of course, criteria that exists only in the 
EN standards and not the TS will have to be verified but IMHO that 
doesn't void all the work that already took place. The worse case 
scenario would be for a CAB to be only allowed to conduct ETSI TS 102 
042 audits and not EN 319 411-1, which means that a CA will have to 
change the auditor. In that case, I'm not sure if 3 months is sufficient 
for CAs to switch auditor, perform a full audit and get the audit 
report. I guess it depends on the size of the CA :)


More information about the Public mailing list