<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:TimesNewRomanPS-BoldMT;
panose-1:0 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:TimesNewRomanPSMT;
panose-1:0 0 0 0 0 0 0 0 0 0;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman",serif;
color:black;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:#954F72;
text-decoration:underline;}
p
{mso-style-priority:99;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:12.0pt;
font-family:"Times New Roman",serif;
color:black;}
span.EmailStyle18
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body bgcolor="white" lang="EN-US" link="#0563C1" vlink="#954F72">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">Adriano – this is a good issue to discuss, but do you have a “use case” that makes it necessary to clarify these points now?<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">I don’t – but I can imagine there are some CAs that may outsource the entire RA function for customers in a country to a partner or other company in a third country
like “Freedonia”. If no one at the CA itself can speak Freedonian, it may make sense to allow both Validation Specialists (who speak Freedonian) to work for the external RA partner in Freedonia and simply send the verified and recorded authentication results
to the issuing CA.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">Note that EVGL 14.2 allows full delegation of validation functions to an external RA, so long as the Validation Specialists are trained, etc. and follow the Separation
of Duties rules of EVGL 14.1. Under other rules, I believe the CA’s own audit must cover the validation done by the external RA (or “roll-up” the external RA’s own audit). The ability to delegate is not limited to Enterprise RAs under EVGL 14.2.2.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">Are you raising this question only as to Enterprise RAs, or as to all external RAs?<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><b><span style="font-size:13.0pt;font-family:TimesNewRomanPS-BoldMT;color:windowtext">14. Employee and third party issues<o:p></o:p></span></b></p>
<p class="MsoNormal"><b><span style="font-size:10.5pt;font-family:TimesNewRomanPS-BoldMT;color:windowtext">14.1.
</span></b><b><span style="font-family:TimesNewRomanPS-BoldMT;color:windowtext">Trustworthiness and Competence<o:p></o:p></span></b></p>
<p class="MsoNormal" style="text-autospace:none"><b><span style="font-size:10.5pt;font-family:TimesNewRomanPS-BoldMT;color:windowtext">14.1.3.
</span></b><b><span style="font-family:TimesNewRomanPS-BoldMT;color:windowtext">Separation of Duties<o:p></o:p></span></b></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:9.5pt;font-family:TimesNewRomanPSMT;color:windowtext"><o:p> </o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:9.5pt;font-family:TimesNewRomanPSMT;color:windowtext">(1) The CA MUST enforce rigorous control procedures for the separation of validation duties to ensure that no one person can single-handedly
validate and authorize the issuance of an EV Certificate. The Final Cross-Correlation and Due Diligence steps, as outlined in Section 11.13, MAY be performed by one of the persons. For example, one Validation Specialist MAY review and verify all the Applicant
information and a second Validation Specialist MAY approve issuance of the EV Certificate.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:9.5pt;font-family:TimesNewRomanPSMT;color:windowtext"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:9.5pt;font-family:TimesNewRomanPSMT;color:windowtext">(2) Such controls MUST be auditable.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:9.5pt;font-family:TimesNewRomanPSMT;color:windowtext"><o:p> </o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><b><span style="font-size:10.5pt;font-family:TimesNewRomanPS-BoldMT;color:windowtext">14.2.
</span></b><b><span style="font-family:TimesNewRomanPS-BoldMT;color:windowtext">Delegation of Functions to Registration Authorities and Subcontractors<o:p></o:p></span></b></p>
<p class="MsoNormal" style="text-autospace:none"><b><span style="font-size:10.5pt;font-family:TimesNewRomanPS-BoldMT;color:windowtext">14.2.1.
</span></b><b><span style="font-family:TimesNewRomanPS-BoldMT;color:windowtext">General<o:p></o:p></span></b></p>
<p class="MsoNormal" style="text-autospace:none"><b><span style="font-family:TimesNewRomanPS-BoldMT;color:windowtext"><o:p> </o:p></span></b></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:9.5pt;font-family:TimesNewRomanPSMT;color:windowtext">The CA MAY delegate the performance of all or any part of a requirement of these Guidelines to an Affiliate or a Registration Authority
(RA) or subcontractor, provided that the process employed by the CA fulfills all of the requirements of Section 11.13. Affiliates and/or RAs must comply with the qualification requirements of Section 14.1 of these Guidelines.<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:9.5pt;font-family:TimesNewRomanPSMT;color:windowtext"><o:p> </o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:9.5pt;font-family:TimesNewRomanPSMT;color:windowtext">The CA SHALL verify that the Delegated Third Party’s personnel involved in the issuance of a Certificate meet the training and skills
requirements of Section 14 and the document retention and event logging requirements of Section 15.</span><b><span style="font-family:TimesNewRomanPS-BoldMT;color:windowtext"><o:p></o:p></span></b></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:windowtext">From:</span></b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:windowtext"> public-bounces@cabforum.org [mailto:public-bounces@cabforum.org]
<b>On Behalf Of </b>Adriano Santoni<br>
<b>Sent:</b> Monday, July 18, 2016 2:26 AM<br>
<b>To:</b> CAB Forum <public@cabforum.org><br>
<b>Subject:</b> [cabfpub] Clarification on EV Guidelines §14.1.3 (separation of duties)<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p><span style="font-family:"Calibri",sans-serif">Hi all,</span><o:p></o:p></p>
<p><span style="font-family:"Calibri",sans-serif">it seems to me that paragraph 14.1.3 of EV Guidelines is not very clear as to who, among the CA and/or Enterprise RA personnel, should / may / must perform the necessary actions respecting the SOD principle.
I therefore suggest that it be clarified, specifying whether:</span><o:p></o:p></p>
<p><span style="font-family:"Calibri",sans-serif">- the two persons involved must both be employees of the CA,
<br>
- at least one, of the two persons involved, must be an employees of the CA<br>
- one of the two persons involved may be affiliated with the Enterprise RA<br>
- both persons may be affiliated with the Enterprise RA<br>
- other combinations...</span><o:p></o:p></p>
<p><span style="font-family:"Calibri",sans-serif">Although the normal practice and the substantive requirement may be obvious, it seems to me that the current wording of §14.1.3 is not sufficiently clear, and prone to improper interpretations....</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-family:"Calibri",sans-serif">Adriano</span>
<o:p></o:p></p>
<p><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal">-- <o:p></o:p></p>
<p>Cordiali saluti,<br>
<br>
Adriano Santoni<br>
ACTALIS S.p.A.<br>
(Aruba Group)<o:p></o:p></p>
</div>
</div>
</body>
</html>