Jeff - I apologize for my slowness in responding. As to your message below (and attachment) - the WebTrust for CAs Task Force is asking us to add appropriate language to the BRs to add the requirements shown in the attached draft for WebTrust for CAs (NOT for BR WebTrust), and the proposal is to modify existing WTCA Sec. 5 and add new WTCA Sec. 9 and 10 - correct?
I'm guessing any changes would have to go into the BRs, as that's the only clear place to put them. Do you (and/or the Task Force) want some time to discuss in more detail why you want the added criteria? Your explanation below is pretty good, but let us know if you have seen specific problems that will help us craft language. We will discuss on our call tomorrow whether this should be a ballot from a Working Group, or whether a few of us should simply deconstruct your WTCA language and create a ballot directly. Thanks. From: Jeff Ward [mailto:[email protected]] Sent: Friday, June 23, 2017 10:22 AM To: [email protected] Cc: Kirk Hall <[email protected]>; Ben Wilson <[email protected]> Subject: [EXTERNAL]WebTrust for CA - New Criteria for CABF's Consideration As mentioned during our presentation at the face-to-face meeting in Berlin, the WebTrust for Certification Authorities Task Force has proposed new criteria be added to WebTrust for Certification Authorities to be included in a new version, 2.1. The changes are to cover event based activities that are not currently addressed in the WebTrust criteria and would add consistency in their treatment for auditors and CAs alike. Since they are event based, they should not cause any concerns for CAs when they become effective. Specifically, the added criteria relate to the following: 4.5 CA Key Archival and Destruction 4.9 CA Key Transportation 4.10 CA Key Migration Please see the attached document. It is in a tracked changes format so you can see what new criteria we are suggesting in 4.5, as well as the addition of sections 4.9 and 4.10. The criteria that are included today are based on ISO 21188. Since these proposed changes are not part of that standard, we need a public group (CABF qualifies as such) to approve the criteria. We would appreciate the CABF's review and balloting to approve these changes as soon as possible so we can release the new version, 2.1. Please let me know if you have any questions. On behalf of the WebTrust for Certification Authorities Task Force, Jeff Ward Chairman Jeff Ward, CPA, CGMA, CITP, CISA, CISSP, CEH Office Managing Partner & National Managing Partner Third Party Attestation Services (SOC/WebTrust/Cybersecurity) 314-889-1220 (Direct) 347-1220 (Internal) 314-889-1221 (Fax) [email protected]<mailto:[email protected]> BDO 101 S Hanley Rd, #800 St. Louis, MO 63105 UNITED STATES 314-889-1100 www.bdo.com<http://www.bdo.com> Please consider the environment before printing this e-mail [BDOC Networking Award]
WT4CA Controls 4.5 4.9 and 4.10.docx
Description: WT4CA Controls 4.5 4.9 and 4.10.docx
_______________________________________________ Public mailing list [email protected] https://cabforum.org/mailman/listinfo/public
