[cabfpub] Clarification on EV Guidelines §14.1.3 (separation of duties)

Kirk Hall Kirk.Hall at entrust.com
Mon Jul 18 15:19:35 MST 2016

Adriano - this is a good issue to discuss, but do you have a "use case" that makes it necessary to clarify these points now?

I don't - but I can imagine there are some CAs that may outsource the entire RA function for customers in a country to a partner or other company in a third country like "Freedonia".  If no one at the CA itself can speak Freedonian, it may make sense to allow both Validation Specialists (who speak Freedonian) to work for the external RA partner in Freedonia and simply send the verified and recorded authentication results to the issuing CA.

Note that EVGL 14.2 allows full delegation of validation functions to an external RA, so long as the Validation Specialists are trained, etc. and follow the Separation of Duties rules of EVGL 14.1.  Under other rules, I believe the CA's own audit must cover the validation done by the external RA (or "roll-up" the external RA's own audit).  The ability to delegate is not limited to Enterprise RAs under EVGL 14.2.2.

Are you raising this question only as to Enterprise RAs, or as to all external RAs?

14. Employee and third party issues
14.1. Trustworthiness and Competence
14.1.3. Separation of Duties

(1) The CA MUST enforce rigorous control procedures for the separation of validation duties to ensure that no one person can single-handedly validate and authorize the issuance of an EV Certificate. The Final Cross-Correlation and Due Diligence steps, as outlined in Section 11.13, MAY be performed by one of the persons. For example, one Validation Specialist MAY review and verify all the Applicant information and a second Validation Specialist MAY approve issuance of the EV Certificate.

(2) Such controls MUST be auditable.

14.2. Delegation of Functions to Registration Authorities and Subcontractors
14.2.1. General

The CA MAY delegate the performance of all or any part of a requirement of these Guidelines to an Affiliate or a Registration Authority (RA) or subcontractor, provided that the process employed by the CA fulfills all of the requirements of Section 11.13. Affiliates and/or RAs must comply with the qualification requirements of Section 14.1 of these Guidelines.

The CA SHALL verify that the Delegated Third Party's personnel involved in the issuance of a Certificate meet the training and skills requirements of Section 14 and the document retention and event logging requirements of Section 15.

From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Adriano Santoni
Sent: Monday, July 18, 2016 2:26 AM
To: CAB Forum <public at cabforum.org>
Subject: [cabfpub] Clarification on EV Guidelines §14.1.3 (separation of duties)

Hi all,

it seems to me that paragraph 14.1.3 of EV Guidelines is not very clear as to who, among the CA and/or Enterprise RA personnel, should / may / must perform the necessary actions respecting the SOD principle. I therefore suggest that it be clarified, specifying whether:

- the two persons involved must both be employees of the CA,
- at least one, of the two persons involved, must be an employee of the CA
- one of the two persons involved may be affiliated with the Enterprise RA
- both persons may be affiliated with the Enterprise RA
- other combinations...

Although the normal practice and the substantive requirement may be obvious, it seems to me that the current wording of §14.1.3 is not sufficiently clear, and prone to improper interpretations....


Kind regards,

Adriano Santoni
(Aruba Group)