Kirk, This is very comprehensive and detailed, nice work to those involved!. I have two minor questions.
Item 4.5.13 says: "The CA follows a CA key destruction script for key destruction ceremonies that includes the following:" (then lists 8 numbered items). - Are all 8 of these items REQUIRED as part of the script, or is this a guide that you "should" include them if they are applicable? The reason I ask is that you might destroy keys without zeroization of the HSM. This section seems more focused on how to destroy HSMs vs keys, is that the intent of 4.9.5? If so, then maybe a different intro sentence might be needed to indicate that. Also, item e) isn't totally clear about what is needed or recorded: "physical security requirements for the ceremony location (e.g., barriers, access controls and logging controls);" Item 4.9.5 says this regarding transport of key fragments: "if transported by common carrier, each fragment is sent using a different common carrier at different times. Shipments require signature service, tracking, and are insured." - Is using a different common carrier for each fragment a requirement? There may not be a sufficient number of reliable carriers with these requirements to ship all fragments. Doug From: Public [mailto:[email protected]] On Behalf Of Kirk Hall via Public Sent: Thursday, August 3, 2017 4:45 PM To: CA/Browser Forum Public Discussion List <[email protected]> Subject: [cabfpub] Need two endorsers for Ballot 211 - Resolution of Approval for WTCA v2.1 Changes Per our discussion on the CA/Browser Forum teleconference today, here is Ballot 211. Are there two endorsers for this? BALLOT 211 - Resolution of Approval for WTCA v2.1 Changes Type of Ballot: Resolution of Approval of Forum Members only, and not a Draft Guideline Ballot or Final Maintenance Guideline Ballot. The following motion has been proposed by Kirk Hall of Entrust Datacard and endorsed by the following CA/B Forum member representatives: XXXX and YYYY to introduce a Resolution of Approval for WebTrust for CAs v2.1 Changes, as described in the Ballot. Purpose of Ballot: The WebTrust Task Force (TF) is ready to adopt changes to WebTrust for CAs Sec. 4.5 on CA key archival and destruction and new sections 4.9 and 4.10 on CA key transportation and CA key migration, as it has been seeing a number of open questions in those areas. However the Task Force does not ordinarily create draft requirements, but instead typically relies on requirements from other credible sources (such as ISO 21188 for the original WebTrust for CAs in 2000) and then creates related audit criteria. The Task Force has not asked the Forum to add the Sec. 4.5-4.10 changes to the Baseline Requirements or adopt them in a new formal Forum requirements document, but would like the Forum to formally approve the new audit criteria in a Forum Ballot. This Ballot was drafted in response. --Motion Begins-- RESOLUTION OF APPROVAL The Members of the CA/Browser Forum have reviewed the proposed changes to the language of Section 4.5 and the new language of Sections 4.9 and 4.10 in the draft Trust Service Principles and Criteria for Certification Authorities (also known as WebTrust for CAs) version 2.1, and hereby APPROVE the changes and new language and recommend that they be ADOPTED by the WebTrust Task Force (as the language in these sections may be changed from time to time by the WebTrust Task Force in the future, in the Task Force's sole discretion) in the final version of WebTrust for CAs version 2.1 and subsequent versions. --Motion Ends-- BALLOT 211 - Resolution of Approval for WTCA v2.1 Changes Start time (22:00 UTC) End time (22:00 UTC) Discussion (7 to 14 calendar days) [date] [date] Vote for approval (7 calendar days) [date] [date] If vote approves ballot: Review Period - Not applicable.
_______________________________________________ Public mailing list [email protected] https://cabforum.org/mailman/listinfo/public
