> should require annual reviews as well as provide more detail on what
> comprises a "Competent Party" (is it an auditor with professional
> obligations, or simply someone who's been around the block?).

I fully agree, and consider this the fundamental issue with this particular inclusion request (judging from https://bugzilla.mozilla.org/show_bug.cgi?id=289077#c18, the primary business of the company in question seems to be consulting, not auditing).

CEN Workshop Agreement 14172, Part 2 ("EESSI Conformity Assessment Guidance - Part 2: Certification Authority services and processes", ftp://ftp.cenorm.be/PUBLIC/CWAs/e-Europe/eSign/cwa14172-02-2004-Mar.pdf) e.g. has a detailed list of requirements for such a "competent independent party". It should be observed when assessing against any of the two ETSI policy requirement standards.

Kaspar
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto