IAF CertSearch was heralded as the solution to the proliferation of fake ISO certificates around the globe. Yet it has failed miserably. Let’s see what’s wrong with it.
Did I Do That?
Ironically, CertSearch arose after I presented a speech to the Independent Association of Accredited Registrars (IAAR) in the US, a weirdo cabal of certification and accreditation bodies that is definitely, most certainly, not involved in any illegal price-fixing. (Snort.) At that meeting, I implored ANAB and others to create a universal database of certificates to stop the flood of fake ones. Bob King, the head of ANAB, Reg Blake of BSI, and Pierre Salle of IAAR all dismissed the speech as paranoid rambling. They didn’t agree that “certificate mills” would ever become a problem.
History proved them wrong about five minutes after that meeting, and now their number one competition is the growth of fake certs.
Present at that meeting, however, was ANAB’s then-VP, Randy Dougherty, who was also heading up the IAF at the time. Randy went back and talked to his friend, software developer Jerry Norris, about creating the universal database. At some point, IAF kicked Norris to the curb and farmed the project out to Quality Trade in Australia. And those clowns promptly fucked it all up.
Quality Trade’s product eventually became CertSearch for IAF and a UKAS-branded version called CertCheck, for the UK. (Yeah, it was always weird that UKAS got exclusive access to the CertSearch code, while no other IAF members did. So much for not playing favorites, eh, IAF?)
Now, to be clear, I have no proof that all of this started after my speech at IAAR. But the timing and attendance at that meeting certainly suggest this.
Really Bad Code, No Basic Features
The huge issue with CertSearch is the absolutely low level of tech used in the thing. It’s as if someone created a MySQL database back in 2002 and thought, sure, let’s do that in the 2020s as soon as my AOL account boots up. Then, because they were either spiteful or incompetent, they removed basic features a 2002 web database would have already had.
So, what features are missing or broken? Let’s take a look:
- Search results don’t actually produce an image or PDF of the certificate issued, and there’s no way to verify a cert you might find on the web against the most recent actual cert that was issued. Bad actors can Photoshop certs to change scope, add addresses, etc., and you’d never know it.
- The results don’t show any IAF industry codes, which is stunning since CertSearch is literally an IAF thing. So you have no way of knowing what industries are actually covered by a certificate.
- The information about the CB granting the certificate is either incomplete or wholly inaccurate (and potentially fraudulent). For example, the results don’t show which CB office issued the certificate. Was it the CB’s headquarters in Austria or its shady operation in Qatar? That’s a key component that is missing.
- The search results don’t present the expiration date of the current certificates. This leads to two problems: first, that you cannot verify if a cert is expired and, second, that IAF CertSearch is filled with expired certificates. So you might be able to verify that a cert was issued, sure, but you have no idea if it’s actually current.
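As an added illustration (not code from CertSearch, Quality Trade or the IAF), here is the kind of check a registry entry carrying those missing fields would allow against a certificate found on the web. The record layout, field names and sample values are all hypothetical and constructed for this example.

```python
import hashlib
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class CertRecord:
    """Hypothetical registry entry; field names are assumptions, not CertSearch's schema."""
    scope: str
    addresses: frozenset
    iaf_codes: frozenset
    issuing_office: str
    expires: date
    pdf_sha256: str  # digest of the PDF the CB actually issued

def _norm(text):  # case- and whitespace-insensitive comparison key
    return " ".join(text.lower().split())

def check_presented(record, presented, pdf_bytes, today):
    """Compare a certificate found on the web with the registry entry."""
    findings = []
    if hashlib.sha256(pdf_bytes).hexdigest() != record.pdf_sha256:
        findings.append("pdf-differs-from-issued")
    if _norm(presented["scope"]) != _norm(record.scope):
        findings.append("scope-altered")
    on_record = {_norm(a) for a in record.addresses}
    if any(_norm(a) not in on_record for a in presented["addresses"]):
        findings.append("address-not-on-record")
    if set(presented["iaf_codes"]) - record.iaf_codes:
        findings.append("iaf-code-not-on-record")
    if _norm(presented["issuing_office"]) != _norm(record.issuing_office):
        findings.append("issuing-office-mismatch")
    if today > record.expires:
        findings.append("expired")
    return findings

# Constructed sample data (not a real company, CB or certificate).
ISSUED_PDF = b"%PDF-1.7 constructed sample certificate bytes"
RECORD = CertRecord(
    scope="Manufacture of machined widgets",
    addresses=frozenset({"1 Example Road, Exampletown"}),
    iaf_codes=frozenset({"17"}), issuing_office="Example CB, head office",
    expires=date(2024, 6, 30),
    pdf_sha256=hashlib.sha256(ISSUED_PDF).hexdigest(),
)
# An edited copy: scope widened, a second site added, PDF bytes changed.
TAMPERED = {
    "scope": "Design and manufacture of machined widgets",
    "addresses": ["1 Example Road, Exampletown", "99 Other Street, Elsewhere"],
    "iaf_codes": ["17"], "issuing_office": "Example CB, head office",
}
```

Calling `check_presented(RECORD, TAMPERED, ISSUED_PDF + b" edited", date(2024, 1, 15))` flags the changed PDF, the widened scope and the extra address; none of those comparisons is possible when the registry publishes no scope detail, office, expiry date or issued document.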
One of the biggest offenses is that there is no way to use IAF CertSearch to actually find companies that you might want to work with. Now, this wasn’t CertSearch’s original intent, but the data is already there, so that would become a huge benefit for the public. So:
- There is no way to search for ISO-certified companies in a given region
- There is no way to search for ISO-certified companies in a given industry
- There is no way to search for ISO-certified companies by IAF code
My God, So Much CAPTCHA!
The other problem speaks to IAF member paranoia. The CertSearch effort was derailed for a decade or more due to certification bodies, like BSI, really not wanting to participate in any global directory at all. They argued that doing so would allow competitors to “poach” their clients, and rather than provide good services that would retain their clients, folks like BSI instead fought against a public registry. Another factor was that the CBs really didn’t want IAF or anyone seeing their clients, since they were busy pumping out fake certs, too.
They have lost that battle now, although the IAF still isn’t really mandating that CBs participate in CertSearch. They say it’s mandatory, but most CBs don’t participate, and the IAF ignores it.
But that paranoia pops up when you try to do a search. Here is the search workflow:
- Log in (you can’t search without having created an account)
- Enter password
- Enter six-digit code sent to your email
- Enter CAPTCHA
- Enter your search
- Enter 2nd CAPTCHA
- Don’t do more than 10 searches, because you will be booted out
That is an awful lot of security to access a search feature that barely works, and for data that isn’t nearly complete. But it makes sense when you realize Quality Trade was kowtowing to BSI and others, trying to prevent companies from scraping the data. Quality Trade also had the harebrained idea they could sell the data to big data-crunching houses, which I’m pretty sure has never happened. But I guess if you want to buy half-stale, mostly inaccurate information on ISO certificates, Quality Trade will take your money.
So both CertSearch and UKAS’ CertCheck are woefully bad, wholly inadequate for real-world use, and do nothing to stop the flow of fake certificates.
Official Secrets Act
IAF’s bizarre obsession with secrecy over transparency and traceability doesn’t end there. Some searches just full-on refuse to give a proper response in the name of “confidentiality.” In searching for the certification status of a company called “Expansia,” which operates out of New Hampshire, CertSearch had no record at all (more on that later). It did have a record for an unrelated South Korean company called “Expansia LLC,” but the certification data for it was redacted for some reason.
It says to contact the CB, but the CB is also hidden, so who do you contact? Below that text is a form to contact the CB, and it does offer a drop-down list that reveals the CB as “ICR Co., Ltd.,” whom I had never heard of.
I had to do another search entirely to find out who exactly “ICR” is and if they are accredited at all. It seems that, yes, they are accredited by IAS:
That’s a whole lot of effort to verify a cert, which is literally what CertSearch is supposed to let you do, but which — in the end — it doesn’t.
Missing Data
The biggest problem, of course, is that despite outright lies to the contrary, IAF CertSearch is still woefully unpopulated with data. In short, you have a high likelihood of not finding a fully valid cert even if it exists because the IAF member accreditation bodies are not enforcing the use of CertSearch at all. You know, despite being told it’s “mandatory.”
I found that the international certification body LRQA (formerly Lloyd’s) doesn’t appear to be uploading its data into CertSearch at all, for example. They have a listing for their various offices under the “Certification Body” listings, but every search I did to verify one of their certs came up blank.
Here’s another weird bug, but one that is probably a feature: the database can keep a record of your searches, but only if they actually produce a result. So I have a search history showing a 100% completion rate (all searches produced a result), but the system doesn’t record all the searches that come up blank. That’s annoying, but it also likely skews the dashboard data for the IAF itself. No doubt some clown is saying, “We get 100% return rate on all searches!” So that makes it hard for me to prove my point with evidence. Hard, but not impossible.
Here are a few examples.
The company Absolicon issued a press release about its ISO 9001 certificate. Here is what CertSearch reports when searching for it:
Let’s repeat. Another company, Schroeder & Associés, published a press release saying they have already been ISO certified for some time. Here is the CertSearch result:
Ditto for Redline Campers (press release here):
And LTG Cargo (press release here):
Is It Working?
So, perhaps CertSearch is working, and all those searches I made above were for fake certs that don’t belong in the database? Of course not. For the next set of searches, I manually verified each certificate through alternative means and confirmed they were not in CertSearch.
For FLAG Logistics (press release here), I wrote to them to verify their claims. They told me they are certified by LRQA under the name “FLAG SPC.” That name appears on their cert and should appear in CertSearch, but doesn’t:
The company Wallwork holds an active ISO 9001 certificate from BSI, which I was able to get from their website:
You would think BSI would cooperate with IAF CertSearch. You’d be wrong:
The company website for Kraiburg shows their ISO 9001 certification body is Quality Austria, accredited by an IAF member.
Despite a press release saying its German operations are ISO 50001 certified and “all international sites” (including those in USA) are ISO 9001 certified, a search for “Kraiburg TPE” only results in a single entry from another company entirely in China. None of the Kraiburg TPE site certifications are included:
And it goes on and on.
Laundry List of Problems
So, to recap:
- CertSearch doesn’t report valid certificates
- CertSearch will report questionable certificates
- You can’t search for certified companies, only for certificates
- Does not report IAF industry codes
- Does not show actual cert
- Does not show if certificate is expired or not
- Participation by CBs and ABs in CertSearch is very, very poor and entirely unenforced
- Search feature is crippled to honor the CBs’ paranoid delusions
- Security is a bit overcaffeinated, given the site doesn’t really work
But IAF is still a master at providing protection racket services if you dare file a complaint against any CB or AB under their oversight. Do that, and suddenly all the gears start moving to shut down the complaint, harass the whistleblower, and cover up fraud and crime. That they are good at.
Christopher Paris is the founder and VP Operations of Oxebridge. He has over 35 years’ experience implementing ISO 9001 and AS9100 systems, and helps establish certification and accreditation bodies with the ISO 17000 series. He is a vocal advocate for the development and use of standards from the point of view of actual users. He is the writer and artist of THE AUDITOR comic strip, and is currently writing the DR. CUBA pulp novel series. Visit www.drcuba.world