On 29/1/2019 4:56 μ.μ., Ryan Sleevi wrote:


On Tue, Jan 29, 2019 at 2:18 AM Dimitris Zacharopoulos <[email protected]> wrote:



    On 28/1/2019 8:48 μ.μ., Ryan Sleevi via Public wrote:


    On Thu, Jan 24, 2019 at 2:30 PM Dimitris Zacharopoulos (HARICA)
    via Public <[email protected]> wrote:



        On 24/1/2019 8:16 μ.μ., Wayne Thayer via Public wrote:
        On today's call we discussed a number of changes to the
        bylaws aimed at clarifying the rules for membership. The
        proposal for section 2.1(a)(1) resulting from today's
        discussion is:

            Certificate Issuer: The member organization operates a
            certification authority that has a publicly-available
            audit report or attestation statement that meets the
            following requirements:
            * Is based on the full, current version of the WebTrust
            for CAs, ETSI EN 319 411-1 , or ETSI EN 319 411-2 audit
            criteria

    Using the example reports for discussion (
    http://www.webtrust.org/practitioner-qualifications/docs/item85808.pdf )

    If a CA does not escrow CA keys, does not provide subscriber key
    generation services, or suspension services, does that count as
    being based on the "full, current version"? (Page 11, paragraph 2)

    I think so, yes. Based on the exact CA operations, the exact audit
    scope is determined. The Forum has set the WebTrust for CAs and
    ETSI EN 319 411-1 as an absolute minimum that includes attestation
    of the existence of reasonable organizational and technical
    controls. If you recall, I had proposed that for the SCWG we
    should also require WebTrust for CAs Baseline and NetSec because
    they are already included in ETSI EN 319 411-1 and are more
    suitable for SSL/TLS Certificates. If a CA obtains a WebTrust for
    CAs or ETSI EN 319 411-1 audit report, it means that the core CA
    services are there and are operational.


I don't believe this is a correct understanding. By highlighting that it's acceptable to carve out the scope, you're seemingly acknowledging that it's acceptable to take subsets of the audit criteria. For example, if I provided an audit for the physical security controls of my data center against the WebTrust for CAs criteria, is that sufficient for membership as a CA?

This isn't theoretical; at least one CA member provides such audits, as they use such a third-party datacenter. If the datacenter provided just their report, would they qualify? If they don't, then what is the property that we're trying to achieve, and why, so that we can do it?

Would this WebTrust for CAs audit report be sufficient for acceptance in a Root Program? I don't think so. All these years, CA/B Forum Members have been accepted by providing WebTrust for CAs and ETSI reports that include core PKI procedures. What you describe is probably an exception and we can decide how to handle this exception if in fact we ever receive an application for participation in a WG with a WebTrust for CAs audit report scoping just the physical security of a Datacenter. I hope that CA had other WebTrust for CAs reports for their other operations.

    Root programs have audit requirements exceptions and this applies
    equally to Microsoft and Mozilla. I don't disagree to being more
    inclusive but I believe the Forum must have objective and specific
    requirements based on some international standards and not just
    government regulations.


Then by this goal, I don't believe our current membership criteria meet this. For example, a qualified auditor is determined by... government regulations in the case of ETSI. Does that mean we should exclude ETSI audits from the scope? Or should we allow CABs that are not accredited by the NABs?

This doesn't make a lot of sense. NABs are not Supervisory Bodies. It's different. I was referring to government audit schemes for CAs where a certain government unit audits a CA under national criteria.


I realize it may seem like I'm being difficult, but I think there's a core piece missing, which is trying to understand why it's important for some members to exclude some other CAs that have had long-standing operations. This is particularly relevant for the discussion of the S/MIME charter, in which there is a significant and extant set of 'trusted' certificates, in a variety of software, that does not meet the criteria for participation. They would be excluded from participating in engaging or drafting the new criteria, by virtue of the Forum membership criteria, and I think that's something we should be thinking very carefully about and articulating what properties we expect of CAs and why.

IMHO we need audit requirements that have undergone enough scrutiny and quality assurance. International standards like ISO, WebTrust and ETSI have such a process which provides better assurance for the audit outcome. That's my personal view. We can always listen to other schemes and we would welcome input from governments (as Interested Parties) if they choose to participate. If these schemes became so useful and comparable with existing international schemes, then the S/MIME Working Group could decide to add those schemes in the criteria for Membership and possibly in the produced Guidelines.


            * Covers a period of at least 60 days

    I'm curious for feedback from the ETSI folks, but perhaps a more
    inclusive definition would be
    - "Reports on the operational effectiveness of controls for a
    historic period of at least 60 days"

    The context being that ETSI is a certification scheme, but as
    part of that certification, the CAB "may" ("should") examine the
    historic evidence for some period of time. 7.9 of 319 403 only
    requires "since the previous audit"

    I am not representing ETSI or ACAB'c but if there are concerns
    with this requirement we can solve this issue using the language
    proposed by Wayne "Covers a period of at least 60 days". I would
    use "Covers a period of operations of at least 60 days".


I'm not sure what this is a response to. I was pointing out the issues with the language proposed by Wayne and why it's insufficient, so it's not clear to me how you've resolved that.

This was in response to an audit that covers at least 60 days of operations. You argued that the ETSI scheme doesn't specifically mandate a minimum audit period before issuing an audit report. In practice, CABs use 60-90 days but it's not written in ETSI EN 319 403. Wayne's proposal attempts to add this in the requirements so it's clear that we are always talking about a period-of-time audit report for WebTrust and ETSI.

I hope it's clearer now.
Dimitris.
_______________________________________________
Public mailing list
[email protected]
https://cabforum.org/mailman/listinfo/public