[cabfpub] Trust Services Forum / CA Day 2019 - Save The Date!

2019-06-18 Thread Dimitris Zacharopoulos (HARICA) via Public

F.Y.I.

Dear colleagues,

This email is to notify you about two events related to trust services 
that will take place on the 25th and 26th of September in Berlin.


On the 25th of September, the EU Agency for Network and Information 
Security (ENISA) in collaboration with the European Commission is 
organizing, for the fifth consecutive year, the Trust Services Forum. 
As in the previous years, it will focus on emerging issues related to 
trust services across Europe, in the period of the first review of the 
application of the eIDAS Regulation.


The Forum aims to:

• Share good practices and experience on the implementation of trust 
services;

• Discuss the latest developments on the framework surrounding trust 
service providers including standards, implementing acts and technical 
guidelines;

• Exchange views on identified implementation and operational issues 
of qualified trust services;

• Discuss strategies to promote the adoption of qualified trust services.

On the 26th of September, the Bundesdruckerei/D-TRUST, in cooperation 
with TÜViT will hold the eleventh CA-Day on the subject of 
"Identification, Authentication and Trust Services: does it now fit 
together?" This event offers presentations by international speakers 
on eIDAS compliant Identification schemes, Trust Services, relevant 
ETSI/CEN Norms, audit strategies and additionally the acceptance by 
the global software vendors.


Please save the date; in the coming weeks we will open registration 
and inform you accordingly.


Please accept our apologies in case of multiple mailing. We're very 
much looking forward to seeing you at both events!


ENISA eIDAS team

Bundesdruckerei/D-TRUST

You received this email because you declared interest in ENISA 
activities in the past. Should you wish not to receive such 
notifications, please let us know, we’ll immediately delete your email 
address.


___
Public mailing list
Public@cabforum.org
https://cabforum.org/mailman/listinfo/public


Re: [cabfpub] Audits and RAs

2019-06-18 Thread Jeff Ward via Public
Your comments on WebTrust for RA, Dimitris, are accurate. No new criteria were 
created. We did in fact extract RA-type activities from the other WebTrust 
services and incorporated them into a new standalone version.

Jeff Ward, CPA, CGMA, CITP, CISA, CISSP, CEH
National Managing Partner Third Party Attestation (SOC/WebTrust/Cybersecurity)
314-889-1220 (Direct) / 347-1220 (Internal)
314-387-0189 (Mobile)
jw...@bdo.com

BDO
101 S Hanley Rd, Suite 800
St. Louis, MO 63105
UNITED STATES
314-889-1100
www.bdo.com


Re: [cabfpub] Audits and RAs

2019-06-18 Thread Dimitris Zacharopoulos (HARICA) via Public


I believe we discussed this at the CA/B Forum meeting in Cupertino where 
it was explained that an RA can be audited with the existing 
ETSI/WebTrust criteria by only listing the necessary criteria relevant 
to RA operations. So, for the ETSI example, an RA would be audited 
against ETSI EN 319 411-1 by listing most of the requirements of 319 
401 and the relevant sections of 411-1 for RA operations. This scope 
would be clearly indicated in the attestation letter, allowing the CA to 
have an independent auditor's opinion of the RA operations of a 
delegated third party.

I believe WebTrust for RAs has done a great job of defining the relevant 
criteria and separating them in a different document. ETSI has done 
something similar by identifying "service components" in EN 319 411-1 
(OVR, REG, REV, DIS, and so on).

Dimitris.




Re: [cabfpub] Audits and RAs

2019-06-18 Thread Jeff Ward via Public
Ryan, you are correct.  WebTrust for RA has been completed, version 1.0 
effective April 30, 2019.  We are now in the process of finalizing the 
illustrative report.

Jeff Ward, CPA, CGMA, CITP, CISA, CISSP, CEH
National Managing Partner Third Party Attestation (SOC/WebTrust/Cybersecurity)
314-889-1220 (Direct) / 347-1220 (Internal)
314-387-0189 (Mobile)
jw...@bdo.com

BDO
101 S Hanley Rd, Suite 800
St. Louis, MO 63105
UNITED STATES
314-889-1100
www.bdo.com


Re: [cabfpub] Audits and RAs

2019-06-18 Thread Ryan Sleevi via Public
TL;DR: Don't worry. I don't think there's an impending doom date.

Officially, Chrome is not planning to immediately enforce the WebTrust for
RAs audit, and is still evaluating the most effective means to use and
consume this.

For best results, however, don't use RAs ;)

Here's the alternative interpretation I'll offer you:

The "auditing standards that underlie the accepted audit criteria" are, in
the case of WebTrust, SSAE 18 (US), CSAE 3000 - 3001 (CA), and ISAE
3000 (elsewhere), with potentially jurisdiction-specific
(self-?)regulatory requirements or modifications, similar to the US/CA
harmonization with IFAC.

The "auditing standards that underlie the accepted audit criteria" are, for
ETSI EN 319 411-1 and ETSI EN 319 403, either (depending on your
perspective of "standard"), going to be seen as:
  a) ETSI EN 319 411-1 / ETSI EN 319 403
  b) ISO/IEC 17065

The former takes the view that the ETSI ESI documents are themselves the
standards for auditing, in that they define a set of standards appropriate
for "an" audit scheme, although absent the eIDAS Regulation lacks any
normative guidance about who the defining authority is for the appropriate
auditor (compared to IFAC and its constituent organizations, which does).

The latter takes the view that the ETSI ESI documents are themselves
adopted from the ISO/IEC standards and guidance on the development of
certification schemes (which covers a broad scheme of activities), and that
any scheme derived from the principles of 17065 is suitably empowered. It,
similarly, lacks the guidance as to who can perform the assessments, since
that is the role of the scheme operator (e.g. EU in the case of eIDAS).

The "nice" thing about these interpretations is that for CAs that are
concerned about being beyond reproach, but still make the (unfortunate)
choice to make use of delegated third parties, they can read these
requirements as using the relevant criteria from WebTrust or ETSI, under
the existing supervisory scheme, and argue compliance. CAs that don't like
to/don't want to know what their RAs are doing, and aren't as concerned
about security, could reasonably argue that the applicability of the
underlying standard means the CA defines what the expectations are (for
example, an "Agreed Upon Procedures" report - which I'm sure Don and Jeff
will jump in mentioning the CSAE limitations there), and then allow
'anyone' to perform that audit, modulo the IFAC standards with respect to
professional licensure.


[cabfpub] Audits and RAs

2019-06-18 Thread Jeremy Rowley via Public
I think I heard the WebTrust auditors say last week that they have finished
or nearly finished the WebTrust for RAs criteria. The language from Section
8.4 of the guidelines reads:

"For Delegated Third Parties which are not Enterprise RAs, then the CA
SHALL obtain an audit report, issued under the auditing standards that
underlie the accepted audit schemes found in Section 8.1, that provides an
opinion whether the Delegated Third Party's performance complies with either
the Delegated Third Party's practice statement or the CA's Certificate
Policy and/or Certification Practice Statement. If the opinion is that the
Delegated Third Party does not comply, then the CA SHALL not allow the
Delegated Third Party to continue performing delegated functions."

We know some CAs use RAs that are not audited under WebTrust/ETSI because
"there is no appropriate audit standard". Now that there is an audit
standard, it seems to me this criteria goes into effect immediately and any
RA not audited would cause the CA to be out of compliance with the BRs. No
additional ballot required since the concept is already baked into the BRs.

Anyone have a different interpretation? If not, when is the exact date that
the audits should be done? Already?

Jeremy


