On 28/1/2019 8:48 p.m., Ryan Sleevi via Public wrote:
> On Thu, Jan 24, 2019 at 2:30 PM Dimitris Zacharopoulos (HARICA) via
> Public <[email protected]> wrote:
>> On 24/1/2019 8:16 p.m., Wayne Thayer via Public wrote:
>>> On today's call we discussed a number of changes to the bylaws
>>> aimed at clarifying the rules for membership. The proposal for
>>> section 2.1(a)(1) resulting from today's discussion is:
>>>
>>> Certificate Issuer: The member organization operates a
>>> certification authority that has a publicly-available audit
>>> report or attestation statement that meets the following
>>> requirements:
>>>
>>> * Is based on the full, current version of the WebTrust for
>>> CAs, ETSI EN 319 411-1, or ETSI EN 319 411-2 audit criteria
>
> Using the example reports for discussion (
> http://www.webtrust.org/practitioner-qualifications/docs/item85808.pdf )
>
> If a CA does not escrow CA keys, does not provide subscriber key
> generation services, or suspension services, does that count as being
> based on the "full, current version"? (Page 11, paragraph 2)

I think so, yes. Based on the exact CA operations, the exact audit scope
is determined. The Forum has set the WebTrust for CAs and ETSI EN 319
411-1 as an absolute minimum that includes attestation of the existence
of reasonable organizational and technical controls. If you recall, I
had proposed that for the SCWG we should also require WebTrust for CAs
Baseline and NetSec because they are already included in ETSI EN 319
411-1 and are more suitable for SSL/TLS Certificates. If a CA obtains a
WebTrust for CAs or ETSI EN 319 411-1 audit report, it means that the
core CA services are there and are operational.

Root programs have audit requirement exceptions, and this applies
equally to Microsoft and Mozilla. I don't disagree with being more
inclusive, but I believe the Forum must have objective and specific
requirements based on some international standards and not just
government regulations.

>>> * Covers a period of at least 60 days
>
> I'm curious for feedback from the ETSI folks, but perhaps a more
> inclusive definition would be
> - "Reports on the operational effectiveness of controls for a historic
> period of at least 60 days"
>
> The context being that ETSI is a certification scheme, but as part of
> that certification, the CAB "may" ("should") examine the historic
> evidence for some period of time. 7.9 of 319 403 only requires "since
> the previous audit"

I am not representing ETSI or ACAB'c, but if there are concerns with this
requirement we can solve this issue using the language proposed by Wayne,
"Covers a period of at least 60 days". I would use "Covers a period of
operations of at least 60 days".

>>> * Covers a period that ends within the past 15 months
>
> This may also be resting on the BR definition of Audit Period. I can
> see similar ambiguities arising with respect to ETSI and that its
> certification decisions last two years, not one, thus it might cause a
> CA to believe that they have up to three years from first completing
> their audit (that is, if the letter is issued at T=2 years, covering
> T=0 to T=2, and is valid to T=4 years, then the CA may believe it's
> covered until T=5 years and 3 months)
>
> There's also the potential of surveillance audits conducted over
> specific issues being resolved, without being a full recertification
> (e.g. if the CAB classified it as a minor non-conformity)
>
> "With no more than 27 months having elapsed since the beginning of the
> reported-on period and no more than 15 months since the end of the
> reported-on period"
>
> It's a mouthful, but perhaps there's a more concise way to capture
> that unambiguously.

AFAIK, Microsoft still requires annual full audits even for non-SSL
certificate issuance. In any case, I prefer a mouthful to an ambiguous
requirement.

Dimitris.
_______________________________________________
Public mailing list
[email protected]
https://cabforum.org/mailman/listinfo/public