[cabfcert_policy] Review Framework for Next Tuesday
Ben Wilson
ben.wilson at digicert.com
Mon Feb 2 07:25:29 MST 2015
Thanks. I'll take a look and edit this today and send it back to you.
From: i-barreira at izenpe.net
Sent: Monday, February 2, 2015 6:24 AM
To: Ben Wilson; policyreview at cabforum.org
Subject: RE: [cabfcert_policy] Review Framework for Next Tuesday
Hi Ben, all,
This is what I've been doing. Let me know if this is OK for you so I can
continue (I don't want to go ahead if it is not worthwhile).
I've marked in yellow all the missing ETSI gaps and tried to find a clause in
the 401 and 411-1 that fits. OTOH I've also marked in grey those ETSI ones
pointing to an old version of the document.
Regards
Iñigo Barreira
Head of Technical Department
i-barreira at izenpe.net
945067705
[Confidentiality notice, in Basque and Spanish in the original:]
WARNING! Part or all of this message may be legally protected. The message
has its intended recipient. If it has reached the wrong address (address
mistyped, transmission failure), notify the sender by replying to this e-mail.
CAUTION!
ATTENTION! This message contains privileged or confidential information to
which only the addressee is entitled to have access. If you receive it in
error, we would be grateful if you did not use the information and contacted
the sender.
From: Ben Wilson (ben.wilson at digicert.com)
Sent: Friday, 30 January 2015 15:13
To: Barreira Iglesias, Iñigo; policyreview at cabforum.org
Subject: RE: [cabfcert_policy] Review Framework for Next Tuesday
Thanks. I'll try and work on it some more. Here is a crosswalk mapping
table from the Baseline Requirements and Network/Certificate System Security
Requirements over to the RFC 3647 CP/CPS framework (as used by NIST's IR
7924).
BR / NetSec | Title | NIST 7924 (RFC 3647) | Title
------------|-------|----------------------|------
| Preface Page | 1.1 | Overview
| Notice to Readers | 1.5 | Policy administration
| CA/B Forum Members | 1.3 | PKI Participants
| Document History | 1.2 | Document Name and identification
| Implementers' Note | 8 | Compliance Audit
| Relevant Compliance Dates | 1.2.2 | Relevant Dates
1, 2 | Scope, Purpose | 1.1 | Overview
3 | References | 1.6.3 | References
4 | Definitions | 1.6.1 | Definitions
5 | Abbreviations and Acronyms | 1.6.2 | Abbreviations and Acronyms
6 | Conventions | 1.6.4 | Conventions
7 | Certificate Warranties and Representations | 9.6 | Representations and Warranties
8.1 | Compliance | 8, 9.16.3 | Compliance Audit, Severability
8.2 | Certificate Policies | 2 | Publication of Information
8.3 | Commitment to Comply | 2.1 | Repositories
8.4 | Trust Model | 3.2.6 | Criteria for Interoperation or Certification
9.1 | Issuer Information | 7.1.4.1 | Name Forms: Issuer
9.2 | Subject Information | 7.1.4.2 | Name Forms: Subject
9.3.1 | Certificate Policy Identification | 1.2 | Document Name and identification
9.3.2-9.3.4 | Root, Subordinate, and Subscriber Certificates | 7.1.6 | Certificate Policy Object Identifier
9.4 | Validity Period | 6.3.2 | Certificate Operational Periods and Key Pair Usage Periods
9.4.2 | SHA-1 Validity Period | 7.1.3 | Algorithm Object Identifiers
9.5 | Public Key | 6.1.3, 6.1.1.3 | Public Key Delivery to Certificate Issuer, Subscriber Key Pair Generation
9.6 | Certificate Serial Number | 7.1 | Certificate Profile
9.7 | Technical Constraints in Subordinate CA Certificates via Name Constraints and EKU | 7.1.5 | Name Constraints
9.8 | Additional Technical Requirements | 6, 7.1 | Technical Security Controls or Certificate Profile, as appropriate
10 | Certificate Application | 4 | Certificate Life-Cycle Requirements
10.1 | Documentation Requirements | 4.1.2 | Enrollment Process and Responsibilities
10.2 | Certificate Request | 4.1 and 4.2 | Certificate Applications
10.2.4 | Subscriber Private Key | 6.1.2 | Private Key Delivery to Subscriber
10.2.5 | Subordinate CA Private Key | 6.2.4, 6.2.6 | Private Key Backup, Private Key Transfer into or from a Cryptographic Module
10.3 | Agreements/Terms of Use | 9.6.3 | Subscriber Representations and Warranties
11.1 | Authorization by Domain Name Registrant | 3.2.2 | Authentication of Organization and Domain Identity
11.2.3 | Authenticity of Certificate Request | 3.2.5 | Validation of Authority
11.2.4 | Verification of Individual Applicant | 3.2.3 | Authentication of Individual Identity
11.2.5 | Verification of Country | 3.2.2.3 | Verification of Country
11.3 | Age of Certificate Data | 3.3.1 | Identification and Authentication For Routine Re-Key
11.4 | Denied List | 4.1.1 | Who Can Submit a Certificate Application
11.5 | High Risk Requests | 4.2.1 | Performing Identification and Authentication Functions
11.6 | Data Source Accuracy | 3.2.2.7 | Data Source Accuracy
12 | Certificate Issuance by a Root CA | 4.3.1 | CA Actions During Certificate Issuance
13.1.1 | Revocation Request | 3.4, 4.9.2 | Identification and authentication for revocation request, Who Can Request Revocation
13.1.2 | Certificate Problem Reporting | 4.9.3 | Procedure for Revocation Request
13.1.3 | Investigation | 4.9.5, 2.3 | Time Within Which CA Must Process the Revocation Request, Time or frequency of publication
13.1.4 | Response | 4.10.2 | Service Availability
13.1.5 | Reasons for Revoking a Subscriber Certificate | 4.9.1.1 | Reasons for Revoking a Subscriber Certificate
13.1.6 | Reasons for Revoking a Subordinate CA Certificate | 4.9.1.1, 5.7.3.2 | Reasons for Revoking a Subordinate CA Certificate, Intermediate or Subordinate CA Compromise Procedures
13.2 | Certificate Status Checking | 2 | Repositories, Publication of certification information
13.2.1 | Mechanisms | 4.9, 4.9.11 | Other Forms of Revocation Advertisements Available, Certificate Revocation and Suspension
13.2.2 | Repository | 1.3, 4.9.7, 4.10 | Service Availability, Certificate Status Servers
13.2.3 | Response Time | 4.9.8 | Maximum Latency for CRLs
13.2.4 | Deletion of Entries | 4.10.1 | Operational Characteristics
13.2.5 | OCSP Signing | 4.9.9 | On-line Revocation/Status Checking Available
13.2.6 | Response for Non-Issued Certificates | 4.9.10 | On-line Revocation Checking Requirements
13.2.7 | Certificate Suspension | 4.9.13 | Circumstances for Suspension
14.1 | Trustworthiness and Competence | 5.2 | Procedural Controls
14.1.1 | Identity and Background Verification | 5.3.1 | Qualifications, Experience, and Clearance Requirements
14.1.1 | Identity and Background Verification | 5.3.2 | Background Check Procedures
14.1.2 | Training and Skill Level | 5.3.3, 5.3.4 | Training Requirements and Retraining Frequency and Requirements
14.2 | Delegation of Functions | 1.3.2, 5.3.7 | Registration Authorities, Independent Contractor Requirements
15 | Data Records | 2 | Repositories, Publication of certification information
15.1 | Documentation and Event Logging | 5.4.1 | Types of Events Recorded
15.2 | Events and Actions | 5.4.1 | Types of Events Recorded (and Certificate renewal, re-key, modification, in 4.6-4.8, as appropriate)
15.3.1 | Audit Log Retention | 5.4.3, 5.5 | Retention period for Audit Log, Records Archival
15.3.2 | Documentation Retention | 5.5.1, 5.5.2 | Retention Period for Archive
16.1 | Objectives, Security Plan, Business Continuity, System Security, Private Key Protection | 5 | Facility, Management, and Operational Controls
16.2 | Risk Assessment | 5, 5.4.8 | Facility, Management, and Operational Controls, and Vulnerability Assessments
16.3 | Security Plan | 5 | Facility, Management, and Operational Controls
16.4 | Business Continuity | 5.7.4 | Business Continuity
16.5 | System Security | 5 | Facility, Management, and Operational Controls
16.6 | Private Key Protection | 6.2 | Private Key Protection and Cryptographic Module Engineering
17 | Audit | 8.2 | Frequency or Circumstances of Assessment
17.1 | Eligible Audit Schemes | 8.1 | Topics Covered By Assessment
17.2 | Audit Period | 8.2 | Frequency or Circumstances of Assessment
17.3 | Audit Report | 8.6 | Communication of Results
17.4 | Pre-Issuance Readiness Audit | 8.2 | Frequency or Circumstances of Assessment
17.5 | Audit of Delegated Functions | 8.1 | Topics Covered By Assessment
17.6 | Auditor Qualifications | 8.3 | Identity/Qualifications of Assessor
17.7 | Key Generation Ceremony | 6.1.1 | Key Pair Generation
17.8 | Regular Quality Assessment Self Audits | 8.7 | Self-Audits
17.9 | Regular Quality Assessment of Technically Constrained Subordinate CAs | 8.7 | Self-Audits
18.1 | Liability to Subscribers and Relying Parties | 9.8 | Limitations of Liability
18.2 | Indemnification of Application Software Suppliers | 9.9.1 | Indemnities
18.3 | Root CA Obligations | 9.6.1 | CA Representations and Warranties
Appendix A | Cryptographic Algorithm and Key Requirements (Normative) | 6.1.5 | Key Sizes
Appendix A (1) | Root CA Certificates | 6.1.5 | Key Sizes
Appendix A (2) | Subordinate CA Certificates | 6.1.5 | Key Sizes
Appendix A (3) | Subscriber Certificates | 6.1.5 | Key Sizes
Appendix A (4) | General Requirements for Public CAs | 6.1.6 | Public Key Parameters Generation and Quality Checking
Appendix B | Certificate Extensions (Normative) | 6.1.7, 7.1.2 | Key Usage Purposes, Certificate Extensions
Appendix B (1) | Root CA Certificate | 7.1.2.1 | Key Usage Purposes, Certificate Extensions
Appendix B (2) | Subordinate CA Certificate | 7.1.2.2 | Key Usage Purposes, Certificate Extensions
Appendix B (3) | Subscriber Certificate | 7.1.2.3 | Key Usage Purposes, Certificate Extensions
Appendix B (4) | All Certificates | 7.7.2.4 | Key Usage Purposes, Certificate Extensions
Appendix C | User Agent Verification (Normative) | 2.2 | Publication of Information
NetSec Intro | General Protections for the Network and Supporting Systems | 5.1.2 | Physical Access
NetSec Intro | Delegated Responsibilities | 1.3.2, 5.3.7 | Registration Authorities, Independent Contractor Requirements
NetSec 1.a-d | System Security | 6.5.1.6 | System Isolation and Partitioning
NetSec 1.a. | Segment Network | 6.7.1 | Isolation of Networked Systems
NetSec 1.b. | Zone Controls | 6.7.2 | Boundary Systems
NetSec 1.c. | High Security Zone | 6.7.2.2 | Special Access Zone Boundary
NetSec 1.d. | Security Zone | 6.7.2.1 | PKI Network Zones Overview
NetSec 1.e, 2.n. | Security Support Systems / Public Networks | 6.7.3, 6.7.4 | Availability, Communications Security
NetSec 1.f., NetSec 1.g. | Security Zone | 6.7.2.3 | Restricted Zone Boundary, Operational Zone Boundary
NetSec 1.g., NetSec 1.h., 3.a, 4.a | Access Management | 6.6.2 | Security Management Controls
NetSec 1.i. | Administrative Access | 5.2.1.1 | Trusted Roles: CA Administrator
NetSec 2.a., NetSec 2.b. | Trusted Roles | 5.2.1 | Trusted Roles
NetSec 2.a., NetSec 2.k. | Trusted Role Appointment / Authentication | 5.2.3 | Identification and Authentication for Each Role
NetSec 2.b. | Trusted Roles | 5.2.1, 5.2.4 | Trusted Roles, Roles Requiring Separations of Duties
NetSec 2.c. | System Access | 5.2.3 | Identification and Authentication for Each Role
NetSec 2.d | Scope of Duties | 5.3.6 | Sanctions for Unauthorized Actions
NetSec 2.e. | Least Privilege | 6.5.1.2 | Least Privilege
NetSec 2.f. | Access Controls | 5.2.3 | Identification and Authentication for Each Role
NetSec 2.g., NetSec 2.k. | Passwords | 6.5.1.4 | Authentication: Passwords and Accounts
NetSec 2.h., NetSec 2.i. | Session Locks | 6.5.1.3 | Access Control Best Practices
NetSec 2.i., NetSec 2.l. | Disable Inactive Accounts | 6.5.1.1 | Account Management
NetSec 2.i | Inactivity Time-Outs | 6.7.4.3 | Network Disconnect
NetSec 1.j., NetSec 2.m | Multi-Factor Authentication | 5.2.3 | Identification and Authentication for Each Role
NetSec 2.n | Multi-Factor Authentication | 5.2.3 | Identification and Authentication for Each Role
NetSec 2.o | Remote Administration | 6.7.6 | Remote Access/External Information Systems
NetSec 3.a. | Configuration Management | 6.5.1.8 | Software and Firmware Integrity
NetSec 3.a-c | | 6.7.5.2 | Monitoring devices
NetSec 3.b. | Logging, Monitoring, Alerting | 5.4 | Audit logging procedures
NetSec 3.c. | Monitoring | 6.7.5 | Network Monitoring, Monitoring of Security Alerts, Advisories, and Directives
NetSec 3.d., NetSec 3.e. | Response to Alerts / Frequency of Processing Logs | 5.4.2 | Frequency of Processing Log
NetSec 3.f. | Audit Log Retention | 5.4.3 | Retention Period for Audit Log
NetSec 4.a | System Security | 6.5.1.7 | Malicious Code Protection
NetSec 4.b. | Vulnerability Remediation | 5.7.1 | Incident and Compromise
NetSec 1.l., NetSec 4.b., NetSec 4.c., NetSec 4.f. | Vulnerability Detection Program / Security Patches | 6.6.3 | Life Cycle Security Controls
NetSec 4.d., NetSec 4.e. | Penetration Testing | 6.7.7 | Penetration Testing
From: i-barreira at izenpe.net
Sent: Friday, January 30, 2015 6:23 AM
To: Ben Wilson; policyreview at cabforum.org
Subject: RE: [cabfcert_policy] Review Framework for Next Tuesday
Ben,
I'm trying to fill the gaps but I see that you're using an old version. Can
you confirm that you have used the latest ones we published?
Check this out: http://docbox.etsi.org/ESI/Open/Latest_Drafts/
It will take me some time to update. Hopefully sometime during next week I
will be able to provide something.
Regards
Iñigo Barreira
From: Ben Wilson (ben.wilson at digicert.com)
Sent: Tuesday, 27 January 2015 1:29
To: Barreira Iglesias, Iñigo; policyreview at cabforum.org
Subject: RE: [cabfcert_policy] Review Framework for Next Tuesday
I wasn't able to fill in as much as I'd have liked to. Here is the raw
data. I'll also prepare a comparison/mapping chart in Word/PDF for
everyone's reference.
From: i-barreira at izenpe.net
Sent: Monday, January 26, 2015 1:15 AM
To: Ben Wilson; policyreview at cabforum.org
Subject: RE: [cabfcert_policy] Review Framework for Next Tuesday
Ben,
The ETSI EN 319 401 is a generic document for all types of TSPs, but not all
TSPs issue certificates; for that you can also use the EN 319 411-1, which
has some answers for those empty cells.
When you have your task ready I can complete it with the 411.
Check this checklist. It's not finished (the last tab with the comparison
with the CABF docs needs to be updated) but you can see where there's a mix
of use of the 401 and 411.
Regards
Iñigo Barreira
From: policyreview-bounces at cabforum.org On Behalf Of Ben Wilson
Sent: Saturday, 24 January 2015 17:13
To: policyreview at cabforum.org
Subject: Re: [cabfcert_policy] Review Framework for Next Tuesday
I'm updating this document today, so if you're reviewing it today or
tomorrow, let me know and I'll send you a current version. Otherwise, I'll
send everyone the updated version tomorrow afternoon, Mountain Time.
From: policyreview-bounces at cabforum.org On Behalf Of Ben Wilson
Sent: Friday, January 23, 2015 10:44 PM
To: policyreview at cabforum.org
Subject: [cabfcert_policy] Review Framework for Next Tuesday
Here is the template that I'm using for next week. I still have to populate
NIST provisions into the cells on the left and more CABF Network Security
provisions into cells on the right. The basis for the ETSI provisions was
EN 319-401. I'll see if I've missed anything for ETSI and pull those
provisions in. And, if I get time to put the WebTrust criteria into a
similar set of columns, I will.