CA/Audit Statements: Difference between revisions

Added Auditor Qualifications section
(Fixed typo - Mozilla'a -> Mozilla's)
* Using the work of another auditor, whereby the lead auditor verifies the independence, qualifications and technical competency of another firm that can do a portion of the work, and the lead auditor directs the work, plans, supervises and reviews the other auditor’s work, taking ultimate responsibility.  In this case, no mention of the other firm is made in the report as the lead auditor is taking responsibility for the other firm’s work.
* Using technology to observe physical controls and underlying documents/artifacts via remote means, such as video.  In this case, the auditor must ensure the authenticity, integrity, security and confidentiality of the transmission.
= Auditor Qualifications =
Section [https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/#32-auditors 3.2 of Mozilla's Root Store Policy] says: "Mozilla requires that audits MUST be performed by a Qualified Auditor, as defined in the Baseline Requirements section 8.2."
Section 8.2 of the [https://cabforum.org/baseline-requirements-documents/ Baseline Requirements] says:
The CA’s audit SHALL be performed by a Qualified Auditor. A Qualified Auditor means a natural person, Legal Entity, or group of natural persons or Legal Entities that collectively possess the following qualifications and skills:
# Independence from the subject of the audit;
# The ability to conduct an audit that addresses the criteria specified in an Eligible Audit Scheme (see Section 8.1);
# Employs individuals who have proficiency in examining Public Key Infrastructure technology, information security tools and techniques, information technology and security auditing, and the third-party attestation function;
# (For audits conducted in accordance with any one of the ETSI standards) accredited in accordance with ISO 17065 applying the requirements specified in ETSI EN 319 403;
# (For audits conducted in accordance with the WebTrust standard) licensed by WebTrust;
# Bound by law, government regulation, or professional code of ethics; and
# Except in the case of an Internal Government Auditing Agency, maintains Professional Liability/Errors & Omissions insurance with policy limits of at least one million US dollars in coverage.
== Verifying Auditor Qualifications ==
To verify the auditor qualifications, a representative of Mozilla does the following.
For WebTrust auditors, confirm that the auditor's name and country are listed in [https://www.cpacanada.ca/en/business-and-accounting-resources/audit-and-assurance/overview-of-webtrust-services/licensed-webtrust-practitioners-international CPA Canada's Licensed WebTrust practitioners web page].
For ETSI auditors, both the National Accreditation Body (NAB) and the Conformity Assessment Body (CAB) must be verified, as follows.
* Find the name and location of the NAB
** There is a voluntary, informative (and potentially out-of-date) list here: https://ec.europa.eu/futurium/en/content/list-conformity-assessment-bodies-cabs-accredited-against-requirements-eidas-regulation
** The CAB should indicate its NAB and its accreditation certificate. Confirm the certificate with the NAB (every NAB is required to offer an online search facility under the ISO/IEC standards the NABs themselves implement), then check whether the accreditation covers either the ETSI standards or ISO 17065.
* Make sure the NAB is listed at European Accreditation via https://european-accreditation.org/
** Check that the scope of the NAB includes ???
* On the NAB's register, search for the CAB (taking care that the addresses match)
* The CAB either needs to be assessed against ISO 17065 (per EN 319 403) or against the ETSI standards themselves (for those NABs that do so)
** Notably: QWACs may be issued under standards other than ETSI, so a CAB's assertion that it has been assessed against a national scheme is not necessarily sufficient to show that it meets the BRs or the Mozilla Policy. Examples are tScheme and the GOV.UK ID Scheme: the former is not a qualified scheme and the latter is a "notified scheme" (i.e. a QWAC issuer), but neither uses the ETSI guidelines, so neither meets the BRs / Mozilla Policy; they are more akin to "Government equivalent audits".
** Also note that the NAB an auditor is assessed by MAY NOT be the NAB of the country in which the auditor is headquartered, depending on the complexities of the mutual recognition treaties.