Thanks, Jeff, very clear.  We will discuss on our teleconference tomorrow.

From: Jeff Ward [mailto:[email protected]]
Sent: Wednesday, July 5, 2017 9:02 PM
To: Kirk Hall <[email protected]>; CA/Browser Forum Public 
Discussion List <[email protected]>
Subject: [EXTERNAL]RE: WebTrust for CA - New Criteria for CABF's Consideration

Hi Kirk, thanks for the note.  To clarify, we are asking the CABF to approve 
the suggested criteria to WebTrust for Certification Authorities, which will be 
added to existing v2.1 criteria.  We are not proposing these be added to the 
BRs.

We are asking the CABF to review and approve the criteria to go into this 
version.  These changes address issues/events that are more common today but 
are not contemplated in the current v2.0.  The criteria in 2.0 are based on 
ISO 21188.  These additions and changes would help keep the WT criteria relevant 
in today's environment.  Our WebTrust Task Force is not in the business of 
creating criteria, as we base our audit procedures on frameworks that are 
publicly available.  The CABF meets this definition so having you approve these 
changes will allow us to include them in our criteria originally created from 
the ISO standard.

Please let me know if I can clarify further.  Thanks Kirk.

Jeff

Jeff Ward, CPA, CGMA, CITP, CISA, CISSP, CEH
Office Managing Partner & National Managing Partner Third Party Attestation 
Services
314-889-1220 (Direct)    347-1220 (Internal)
314-889-1221 (Fax)
[email protected]<mailto:[email protected]>

BDO
101 S Hanley Rd, #800
St. Louis, MO 63105
UNITED STATES
314-889-1100
www.bdo.com<http://www.bdo.com>

From: Kirk Hall [mailto:[email protected]]
Sent: Wednesday, July 5, 2017 1:16 PM
To: Jeff Ward <[email protected]<mailto:[email protected]>>; CA/Browser Forum Public 
Discussion List <[email protected]<mailto:[email protected]>>
Subject: WebTrust for CA - New Criteria for CABF's Consideration

Jeff - I apologize for my slowness in responding.

As to your message below (and attachment) - the WebTrust for CAs Task Force is 
asking us to add appropriate language to the BRs to add the requirements shown 
in the attached draft for WebTrust for CAs (NOT for BR WebTrust), and the 
proposal is to modify existing WTCA Sec. 5 and add new WTCA Sec. 9 and 10 - 
correct?

I'm guessing any changes would have to go into the BRs, as that's the only 
clear place to put them.

Do you (and/or the Task Force) want some time to discuss in more detail why you 
want the added criteria?  Your explanation below is pretty good, but let us 
know if you have seen specific problems that will help us craft language.

We will discuss on our call tomorrow whether this should be a ballot from a 
Working Group, or whether a few of us should simply deconstruct your WTCA 
language and create a ballot directly.

Thanks.

From: Jeff Ward [mailto:[email protected]]
Sent: Friday, June 23, 2017 10:22 AM
To: [email protected]<mailto:[email protected]>
Cc: Kirk Hall 
<[email protected]<mailto:[email protected]>>; Ben 
Wilson <[email protected]<mailto:[email protected]>>
Subject: [EXTERNAL]WebTrust for CA - New Criteria for CABF's Consideration

As mentioned during our presentation at the face-to-face meeting in Berlin, the 
WebTrust for Certification Authorities Task Force has proposed new criteria be 
added to WebTrust for Certification Authorities to be included in a new 
version, 2.1.  The changes are to cover event-based activities that are not 
currently addressed in the WebTrust criteria and would add consistency in their 
treatment for auditors and CAs alike.  Since they are event-based, they should 
not cause any concerns for CAs when they become effective.  Specifically, the 
added criteria relate to the following:

4.5  CA Key Archival and Destruction

4.9  CA Key Transportation

4.10 CA Key Migration

Please see the attached document.  It is in a tracked changes format so you can 
see what new criteria we are suggesting in 4.5, as well as the addition of 
sections 4.9 and 4.10.  The criteria that are included today are based on ISO 
21188.  Since these proposed changes are not part of that standard, we need a 
public group (CABF qualifies as such) to approve the criteria.

We would appreciate the CABF's review and balloting to approve these changes as 
soon as possible so we can release the new version, 2.1.

Please let me know if you have any questions.

On behalf of the WebTrust for Certification Authorities Task Force,

Jeff Ward
Chairman

Jeff Ward, CPA, CGMA, CITP, CISA, CISSP, CEH
Office Managing Partner & National Managing Partner Third Party Attestation 
Services
(SOC/WebTrust/Cybersecurity)
314-889-1220 (Direct)    347-1220 (Internal)
314-889-1221 (Fax)
[email protected]<mailto:[email protected]>

BDO
101 S Hanley Rd, #800
St. Louis, MO 63105
UNITED STATES
314-889-1100
www.bdo.com<http://www.bdo.com>
