<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<meta name="Generator" content="Microsoft Word 14 (filtered medium)">
<!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
{font-family:Verdana;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p
{mso-style-priority:99;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
p.MsoAcetate, li.MsoAcetate, div.MsoAcetate
{mso-style-priority:99;
mso-style-link:"Balloon Text Char";
margin:0in;
margin-bottom:.0001pt;
font-size:8.0pt;
font-family:"Tahoma","sans-serif";}
span.BalloonTextChar
{mso-style-name:"Balloon Text Char";
mso-style-priority:99;
mso-style-link:"Balloon Text";
font-family:"Tahoma","sans-serif";}
span.EmailStyle20
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:windowtext;}
span.EmailStyle21
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:#1F497D;}
span.EmailStyle22
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:#1F497D;}
span.EmailStyle23
{mso-style-type:personal;
font-family:"Arial","sans-serif";
color:#002776;}
span.EmailStyle24
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:#1F497D;}
span.EmailStyle25
{mso-style-type:personal-reply;
font-family:"Arial","sans-serif";
color:#002776;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#002776">Then we are back in the same issue – what date would you be audited back to? We saw that with baseline 1.0 – we did not audit back to July 1 – since the Browsers
only needed point in time right now – with period of time next year. <o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#002776"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#002776">And if compliance audit only starts once the audit requirements are set , there is little impetus for the CA to push through the change to make sure they are
compliant at the earlier date.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#002776"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#002776">I thought we were forming a sub- group to discuss all this and were just waiting for ETSI?<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#002776"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#002776"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#002776"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#002776"><o:p> </o:p></span></p>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><b><span style="font-size:10.0pt;font-family:"Verdana","sans-serif";color:navy">Donald E. Sheehy, CPA, CA·CISA, CRISC, CIPP/C</span></b><span style="font-size:12.0pt;font-family:"Times New Roman","serif";color:#002776">
<br>
</span><span style="font-size:7.5pt;font-family:"Verdana","sans-serif";color:navy">Partner | Enterprise Risk
</span><span style="font-size:12.0pt;font-family:"Times New Roman","serif";color:#002776"><br>
</span><span style="font-size:7.5pt;font-family:"Verdana","sans-serif";color:navy">Deloitte</span><span style="font-size:12.0pt;font-family:"Times New Roman","serif";color:#002776"><br>
<br>
</span><span style="font-size:7.5pt;font-family:"Verdana","sans-serif";color:navy"><o:p></o:p></span></p>
</div>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#002776"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif""> Jeremy Rowley [mailto:jeremy.rowley@digicert.com]
<br>
<b>Sent:</b> Tuesday, March 26, 2013 12:53 PM<br>
<b>To:</b> Sheehy, Don (CA - Toronto); ben@digicert.com; public@cabforum.org<br>
<b>Subject:</b> RE: [cabfpub] Next Published Version of Baseline Requirements<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><span style="color:#1F497D">I don’t think so. My understanding is we would make things effective as soon as they passed, but the auditors would make audit standard or make audit changes in accordance with the process established in Mountain
View. CAs should comply with the baseline requirements when a change is made, but they aren’t audited for compliance until Webtrust and ETSI are ready.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">Jeremy<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">
<a href="mailto:public-bounces@cabforum.org">public-bounces@cabforum.org</a> [<a href="mailto:public-bounces@cabforum.org">mailto:public-bounces@cabforum.org</a>]
<b>On Behalf Of </b>Sheehy, Don (CA - Toronto)<br>
<b>Sent:</b> Tuesday, March 26, 2013 10:45 AM<br>
<b>To:</b> <a href="mailto:ben@digicert.com">ben@digicert.com</a>; <a href="mailto:public@cabforum.org">
public@cabforum.org</a><br>
<b>Subject:</b> Re: [cabfpub] Next Published Version of Baseline Requirements<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#002776">With the discussion below – are we abandoning what we had discussed in the Mountainview meeting – agreeing on a fixed timetable for standards and audit changes?
It seems we are back to let’s make a change and make it effective as soon as we pass it. <o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#002776"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#002776">What we have below could create a variety of inconsistent application of standards both Baseline as well as audit
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#002776"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#002776">Don<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#002776"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#002776"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#002776"><o:p> </o:p></span></p>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;margin-bottom:12.0pt"><b><span style="font-size:10.0pt;font-family:"Verdana","sans-serif";color:navy">Donald E. Sheehy, CPA, CA·CISA, CRISC, CIPP/C</span></b><span style="font-size:12.0pt;font-family:"Times New Roman","serif";color:#002776">
<br>
</span><span style="font-size:7.5pt;font-family:"Verdana","sans-serif";color:navy">Partner | Enterprise Risk
</span><span style="font-size:12.0pt;font-family:"Times New Roman","serif";color:#002776"><br>
</span><span style="font-size:7.5pt;font-family:"Verdana","sans-serif";color:navy">Deloitte<o:p></o:p></span></p>
</div>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#002776"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">
<a href="mailto:public-bounces@cabforum.org">public-bounces@cabforum.org</a> [<a href="mailto:public-bounces@cabforum.org">mailto:public-bounces@cabforum.org</a>]
<b>On Behalf Of </b>Ben Wilson<br>
<b>Sent:</b> Monday, March 18, 2013 5:39 PM<br>
<b>To:</b> <a href="mailto:public@cabforum.org">public@cabforum.org</a><br>
<b>Subject:</b> Re: [cabfpub] Next Published Version of Baseline Requirements<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><span style="color:#1F497D">All,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">Here is the pre-publication draft of version 1.1.3 of the Baseline Requirements as outlined in my previous emails. Let’s discuss on Thursday’s call.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">Ben<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif""> Ben Wilson [<a href="mailto:ben@digicert.com">mailto:ben@digicert.com</a>]
<br>
<b>Sent:</b> Monday, March 18, 2013 12:38 PM<br>
<b>To:</b> 'public@cabforum.org'<br>
<b>Subject:</b> RE: [cabfpub] Next Published Version of Baseline Requirements<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><span style="color:#1F497D">All,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">The WebTrust Task Force has helpful language in version 1.1, Audit Criteria for Baseline Requirements, which I would like to re-purpose in one of the title pages for version 1.1.3 of the BRs.
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">What if we said?<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="color:#1F497D">Implementers’ Note: Version 1.1 of the SSL Baseline Requirements was published on September 14, 2012. Version 1.1 of WebTrust’s SSL Baseline Audit Criteria and ETSI Technical Standard
Electronic Signatures and Infrastructures (ESI) 102 042 version 2.3.1 incorporate version 1.1 of these Baseline Requirements and are currently in effect. See
<a href="http://www.webtrust.org/homepage-documents/item27839.aspx">http://www.webtrust.org/homepage-documents/item27839.aspx</a> and
<a href="http://www.etsi.org/deliver/etsi_ts/102000_102099/102042/02.03.01_60/ts_102042v020301p.pdf">
http://www.etsi.org/deliver/etsi_ts/102000_102099/102042/02.03.01_60/ts_102042v020301p.pdf</a>. The CA / Browser Forum continues to improve the Baseline Requirements, and we encourage all CAs to conform to each revision on the date specified without awaiting
a corresponding update to an applicable audit criterion. In the event of a conflict between an existing audit criterion and a guideline revision, we will communicate with the audit community and attempt to resolve any uncertainty, and we will respond to implementation
questions directed to <a href="mailto:questions@cabforum.org">questions@cabforum.org</a>. Our coordination with compliance auditors will continue as we develop guideline revision cycles that harmonize with the revision cycles for audit criteria, the compliance
auditing periods and cycles of CAs, and the CA / B Forum’s guideline implementation dates.
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">(Also, instead of creating a redline from version 1.0, it should be based on BR 1.1 because I think that is what was used for ETSI TS 102 042 V2.3.1 (and certainly for v.1.1 of WebTrust for the BRs) and from
my review, the changes do not make comparison for compliance purposes that difficult.)<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">Ben <o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">
<a href="mailto:public-bounces@cabforum.org">public-bounces@cabforum.org</a> [<a href="mailto:public-bounces@cabforum.org">mailto:public-bounces@cabforum.org</a>]
<b>On Behalf Of </b>Ben Wilson<br>
<b>Sent:</b> Friday, March 15, 2013 6:14 PM<br>
<b>To:</b> <a href="mailto:public@cabforum.org">public@cabforum.org</a><br>
<b>Subject:</b> [cabfpub] Next Published Version of Baseline Requirements<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">All,<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">In response to Gerv’s email of 28-Jan-2013 (“[cabfpub] CAB Forum Document Versioning”), and changes related to Ballots 71, 93, 96, and 97, I am preparing a proposed version 1.1.3 of the Baseline Requirements – see attached “Document History”
table. Also, to address other comments on that same “Versioning” thread, and also to address BR Issue 33 – Title Pages – “No single place to view effective dates”, I’ve created a table of compliance dates. Please review both tables on the attached page.
<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">To further address comments about ongoing improvements to the Baseline Requirements, I have two more suggestions: (1) we have room for text on this page that could explain a little about how to comply with post-v.1.0 versions of the BRs,
assuming CAs are audited under WebTrust for CAs– SSL Baseline Requirements Audit Criteria, V1.0, or ETSI TS 102 042 V2.3.1; and (2) it will be relatively easy to create a redlined PDF that compares BR v. 1.1.3 to BR v. 1.0, so that anyone looking at a WebTrust
or ETSI audit can determine whether any post-BR v1.0 changes are relevant to their consideration.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Ben<o:p></o:p></p>
<div class="MsoNormal" align="center" style="text-align:center"><span style="font-size:12.0pt;font-family:"Times New Roman","serif"">
<hr size="1" width="100%" align="center">
</span></div>
<p class="MsoNormal"><span style="font-size:12.0pt;font-family:"Times New Roman","serif"">Confidentiality Warning: This message and any attachments are intended only for the use of the intended recipient(s), are confidential, and may be privileged. If you are
not the intended recipient, you are hereby notified that any review, retransmission, conversion to hard copy, copying, circulation or other use of this message and any attachments is strictly prohibited. If you are not the intended recipient, please notify
the sender immediately by return e-mail, and delete this message and any attachments from your system.
<br>
Information confidentielle: Le présent message, ainsi que tout fichier qui y est joint, est envoyé à l'intention exclusive de son ou de ses destinataires; il est de nature confidentielle et peut constituer une information privilégiée. Nous avertissons toute
personne autre que le destinataire prévu que tout examen, réacheminement, impression, copie, distribution ou autre utilisation de ce message et de tout fichier qui y est joint est strictement interdit. Si vous n'êtes pas le destinataire prévu, veuillez en
aviser immédiatement l'expéditeur par retour de courriel et supprimer ce message et tout document joint de votre système. Merci.
<o:p></o:p></span></p>
</div>
</body>
</html>
<HTML><BODY><P><hr size=1></P>
<P><STRONG>
</STRONG></P>
Confidentiality Warning: This message and any attachments are intended only for the use of the intended recipient(s), are confidential, and may be privileged. If you are not the intended recipient, you are hereby notified that any review, retransmission, conversion to hard copy, copying, circulation or other use of this message and any attachments is strictly prohibited. If you are not the intended recipient, please notify the sender immediately by return e-mail, and delete this message and any attachments from your system. Thank you. <BR>
Information confidentielle: Le présent message, ainsi que tout fichier qui y est joint, est envoyé à l'intention exclusive de son ou de ses destinataires; il est de nature confidentielle et peut constituer une information privilégiée. Nous avertissons toute personne autre que le destinataire prévu que tout examen, réacheminement, impression, copie, distribution ou autre utilisation de ce message et de tout fichier qui y est joint est strictement interdit. Si vous n'êtes pas le destinataire prévu, veuillez en aviser immédiatement l'expéditeur par retour de courriel et supprimer ce message et tout document joint de votre système.
Merci.
</STRONG></P></BODY></HTML>