On 19/4/2018 7:35 PM, Tim Hollebeek wrote:
Might as well fix all the audit references while we’re at it …
-Tim
Yes, we should take care of all criteria versions as I mentioned in
replying to Peter, and allow for newer versions as well. For this
particular issue of WebTrust for CAs, according to
http://www.webtrust.org/principles-and-criteria/item83172.aspx, it seems
that 2.0 is actively used for audit periods that begin before Nov 1,
2017. If I understand this correctly, we would be able to remove 2.0
from the Baseline Requirements only after Nov 1, 2018.
Is this correct?
Dimitris.
*From:* Public [mailto:[email protected]] *On Behalf Of* Jeff
Ward via Public
*Sent:* Thursday, April 19, 2018 9:34 AM
*To:* Ryan Sleevi <[email protected]>; CA/Browser Forum Public
Discussion List <[email protected]>; Dimitris Zacharopoulos
<[email protected]>
*Subject:* Re: [cabfpub] Ballot proposal - Update Section 8.4 for CA
audit criteria
Not sure if it matters a great deal, but the reference to WebTrust for
CA should be version 2.1, not 2.0.
*Jeff Ward, CPA, CGMA, CITP, CISA, CISSP, CEH*
Office Managing Partner & National Leader Third Party Attestation
(SOC/WebTrust/Cybersecurity)
*BDO*
*From:* Public [mailto:[email protected]] *On Behalf Of* Ryan
Sleevi via Public
*Sent:* Monday, April 16, 2018 9:21 AM
*To:* Dimitris Zacharopoulos <[email protected]>; CA/Browser Forum
Public Discussion List <[email protected]>
*Subject:* Re: [cabfpub] Ballot proposal - Update Section 8.4 for CA
audit criteria
On Sun, Apr 15, 2018 at 2:18 AM, Dimitris Zacharopoulos via Public
<[email protected]> wrote:
I am looking for two endorsers for the following ballot.
Dimitris.
*Ballot XXX - Update Section 8.4 for CA audit criteria*
The following motion has been proposed by Dimitris Zacharopoulos
of HARICA and endorsed by ___ and ___
*Background*:
Section 8.4 of the Baseline Requirements describes the audit
criteria for CAs that issue Publicly-Trusted SSL/TLS Certificates.
This ballot attempts to achieve two things:
1. Remove the old ETSI TS documents
2. Align the WebTrust <https://www.cabforum.org/wiki/WebTrust> and
ETSI requirements
"WebTrust for Certification Authorities" is equivalent to "ETSI EN
319 401" and "WebTrust Principles and Criteria for Certification
Authorities – SSL Baseline with Network Security" is the equivalent
of "ETSI EN 319 411-1".
*-- MOTION BEGINS --*
Replace the first two numbered items in section 8.4 of the
Baseline Requirements from:
1. WebTrust for Certification Authorities v2.0;
2. A national scheme that audits conformance to ETSI TS 102 042 /
ETSI EN 319 411-1; or
to:
1. WebTrust Principles and Criteria for Certification Authorities – SSL
Baseline with Network Security;
2. A national scheme that audits conformance to ETSI EN 319 411-1; or
As noted several times that this has come up in the past, your
proposed change to #1 is meaningfully and substantially different than
what is currently required. You are proposing *changing* the audit
scheme to a more restrictive set. That's something in the past that
browsers have objected to, and for good reason.
_______________________________________________
Public mailing list
[email protected]
https://cabforum.org/mailman/listinfo/public