[cabfpub] Bylaws: Update Membership Criteria (section 2.1)
Dimitris Zacharopoulos (HARICA)
dzacharo at harica.gr
Tue Jan 29 07:19:23 UTC 2019
On 28/1/2019 8:48 p.m., Ryan Sleevi via Public wrote:
>
>
> On Thu, Jan 24, 2019 at 2:30 PM Dimitris Zacharopoulos (HARICA) via
> Public <public at cabforum.org> wrote:
>
>
>
> On 24/1/2019 8:16 p.m., Wayne Thayer via Public wrote:
>> On today's call we discussed a number of changes to the bylaws
>> aimed at clarifying the rules for membership. The proposal for
>> section 2.1(a)(1) resulting from today's discussion is:
>>
>> Certificate Issuer: The member organization operates a
>> certification authority that has a publicly-available audit
>> report or attestation statement that meets the following
>> requirements:
>> * Is based on the full, current version of the WebTrust for
>> CAs, ETSI EN 319 411-1, or ETSI EN 319 411-2 audit criteria
>>
> Using the example reports for discussion (
> http://www.webtrust.org/practitioner-qualifications/docs/item85808.pdf )
>
> If a CA does not escrow CA keys, does not provide subscriber key
> generation services, or suspension services, does that count as being
> based on the "full, current version"? (Page 11, paragraph 2)
I think so, yes. Based on the exact CA operations, the exact audit scope
is determined. The Forum has set the WebTrust for CAs and ETSI EN 319
411-1 as an absolute minimum that includes attestation of the existence
of reasonable organizational and technical controls. If you recall, I
had proposed that for the SCWG we should also require WebTrust for CAs
Baseline and NetSec because they are already included in ETSI EN 319
411-1 and are more suitable for SSL/TLS Certificates. If a CA obtains a
WebTrust for CAs or ETSI EN 319 411-1 audit report, it means that the
core CA services are there and are operational.
Root programs have audit requirement exceptions and this applies
equally to Microsoft and Mozilla. I don't disagree with being more
inclusive but I believe the Forum must have objective and specific
requirements based on some international standards and not just
government regulations.
>> * Covers a period of at least 60 days
>>
> I'm curious for feedback from the ETSI folks, but perhaps a more
> inclusive definition would be
> - "Reports on the operational effectiveness of controls for a historic
> period of at least 60 days"
>
> The context being that ETSI is a certification scheme, but as part of
> that certification, the CAB "may" ("should") examine the historic
> evidence for some period of time. 7.9 of 319 403 only requires "since
> the previous audit"
I am not representing ETSI or ACAB'c but if there are concerns with this
requirement we can solve this issue using the language proposed by Wayne
"Covers a period of at least 60 days". I would use "Covers a period of
operations of at least 60 days".
>> * Covers a period that ends within the past 15 months
>>
> This may also be resting on the BR definition of Audit Period. I can
> see similar ambiguities arising with respect to ETSI and that its
> certification decisions last two years, not one, thus it might cause a
> CA to believe that they have up to three years from first completing
> their audit (that is, if the letter is issued at T=2 years, covering
> T=0 to T=2, and is valid to T=4 years, then the CA may believe it's
> covered until T=5 years and 3 months)
>
> There's also the potential of surveillance audits conducted over
> specific issues being resolved, without being a full recertification
> (e.g. if the CAB classified it as a minor non-conformity)
>
> "With no more than 27 months having elapsed since the beginning of the
> reported-on period and no more than 15 months since the end of the
> reported-on period"
>
> It's a mouthful, but perhaps there's a more concise way to capture
> that unambiguously.
AFAIK, Microsoft still requires annual full audits even for non-SSL
certificate issuance. In any case, I prefer a mouthful to an ambiguous
requirement.
Dimitris.