<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<div class="moz-cite-prefix"><br>
Hi Jeff,<br>
<br>
Since I am not a native English speaker, I will try to offer my
perspective on some of the terms used in this document so here is
my 2 cents. "CA Key Transportation" was the section I had some
difficulty reading but the explanatory guidance is very helpful.
It is a real challenge for both Auditors and CAs to meaningfully
assess the security risks between cases where the CA private key
is backed up "using approved methods from the hardware vendor" and
CA's methods that perform the same "approved methods" (key
wrapping, further splitting and so on). In other words, a CA's
methods might be above and beyond the vendor specific methods,
which is a good thing.<br>
<br>
Here are some cases that might be considered for the "CA Key
Transportation":<br>
<ol>
<li>Relocation of an HSM that already contains the CA private
keys. In this scenario, CA private keys are always in a
de-activated state and require activation material, as
explained in 4.9. The description of 4.9 "CA Key
Transportation" seems to cover all critical steps. I would
prefer the use of the term "relocation" for this particular
scenario.<br>
</li>
<li>Relocation of an HSM that doesn't contain the CA private
keys (keys are deleted prior to transportation). This scenario
is probably covered under some other criteria for secure
relocation of equipment.</li>
<li>Transportation of an HSM vendor-specific encrypted CA
private key backup. In this scenario, this vendor-specific
encrypted backup can be restored in an HSM of the same vendor,
using the backup file and the backup key (usually kept
separately). I don't know if there is a specific WebTrust
terminology that describes this "encryption/decryption backup
key", it might be covered under the "activation material"
which refers to "passwords, PINs and/or tokens (i.e. m of n
tokens) needed to access and/or activate the CA key on the
secure cryptographic module", but in reality you cannot
activate/access the CA private key if you only have the
decryption "backup key". IMHO, this type of "transportation"
is not fully covered under the 4.9 "CA Key Transportation"
section. If you consider further splitting of the activation
material using transforms like "<a moz-do-not-send="true"
href="https://en.wikipedia.org/wiki/All-or-nothing_transform">all-or-nothing</a>",
then you might want to allow cases where you don't need
multi-person control to constantly monitor these fragments
during transit. Of course, these fragments are never
transferred all together; they should be considered "CA private
key material" that will require "activation material" to be
usable again.<br>
</li>
</ol>
Section 4.10 "CA Key Migration" seems to cover all critical steps.<br>
<br>
Hope this helps.<br>
Dimitris.<br>
<br>
<br>
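<p>Added example (not from this thread, the WebTrust criteria, or any HSM vendor): the "all-or-nothing" split from case 3 above, written in Python as Rivest's package transform with HMAC-SHA256 standing in for the block cipher of the original construction. It shows why fragments of a backup or of activation material can travel separately with less monitoring: with any one fragment absent, the inner key cannot be unmasked and no part of the blob is recoverable, so each fragment on its own is still CA private key material rather than a usable key. The sample blob, the fixed public key K0 and the function names are constructed for this example.</p>

```python
import hashlib, hmac, os

BLOCK = 32               # one transform block = one SHA-256 output
K0 = b"aont-public-k0"   # public hash-chain key (Rivest's K0); constructed, need not be secret

def _prf(key, data):     # HMAC-SHA256 stands in for the block cipher of Rivest's original
    return hmac.new(key, data, hashlib.sha256).digest()

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _pad(m):             # PKCS#7-style padding to a whole number of blocks
    n = BLOCK - len(m) % BLOCK
    return m + bytes([n]) * n

def _unpad(m):
    n = m[-1]
    if n not in range(1, BLOCK + 1) or m[-n:] != bytes([n]) * n:
        raise ValueError("corrupt: unpadding failed")
    return m[:-n]

def aont_package(m, k=None):
    """Package transform: s blocks -> s+1 blocks; the last is the inner key k masked by all others."""
    k = k or os.urandom(BLOCK)
    p = _pad(m)
    body = [_xor(p[j:j + BLOCK], _prf(k, (j // BLOCK + 1).to_bytes(4, "big")))
            for j in range(0, len(p), BLOCK)]
    last = k
    for i, b in enumerate(body, 1):          # last = k XOR h_1 XOR ... XOR h_s
        last = _xor(last, _prf(K0, _xor(b, i.to_bytes(BLOCK, "big"))))
    return body + [last]

def aont_unpackage(blocks):
    """Inverse: every block is needed to unmask k, so one missing block spoils them all."""
    *body, k = blocks
    for i, b in enumerate(body, 1):
        k = _xor(k, _prf(K0, _xor(b, i.to_bytes(BLOCK, "big"))))
    p = b"".join(_xor(b, _prf(k, i.to_bytes(4, "big"))) for i, b in enumerate(body, 1))
    return _unpad(p)

def recoverable_without(blocks, idx, original):
    """True if the original is recoverable when fragment idx never arrives (zero block in its place)."""
    partial = list(blocks)
    partial[idx] = bytes(BLOCK)
    try:
        return aont_unpackage(partial) == original
    except ValueError:
        return False

SAMPLE = b"CONSTRUCTED SAMPLE: wrapped CA private key backup, not a real key"  # constructed stand-in
FRAGMENTS = aont_package(SAMPLE)             # ship each fragment by a separate route
```

Recombining all of FRAGMENTS restores SAMPLE; recoverable_without returns False for every fragment index, which is the property the relaxed transit monitoring relies on.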
On 23/6/2017 8:22 μμ, Jeff Ward via Public wrote:<br>
</div>
<blockquote type="cite"
cite="mid:BY1PR0301MB084070131BD72017596E59B6D0D80@BY1PR0301MB0840.namprd03.prod.outlook.com">
<div class="WordSection1">
<p class="MsoNormal">As mentioned during our presentation at the
face-to-face meeting in Berlin, the WebTrust for Certification
Authorities Task Force has proposed new criteria be added to
WebTrust for Certification Authorities to be included in a new
version, 2.1. The changes are to cover event-based activities
that are not currently addressed in the WebTrust criteria and
would add consistency in their treatment for auditors and CAs
alike. Since they are event-based, they should not cause any
concerns for CAs when they become effective. Specifically,
the added criteria relate to the following:<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">4.5 CA Key Archival and Destruction<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">4.9 CA Key Transportation<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">4.10 CA Key Migration<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Please see the attached document. It is in
a tracked changes format so you can see what new criteria we
are suggesting in 4.5, as well as the addition of sections 4.9
and 4.10. The criteria that are included today are based on
ISO 21188. Since these proposed changes are not part of that
standard, we need a public group (CABF qualifies as such) to
approve the criteria.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">We would appreciate the CABF’s review and
balloting to approve these changes as soon as possible so we
can release the new version, 2.1.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Please let me know if you have any
questions.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">On behalf of the WebTrust for Certification
Authorities Task Force,<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Jeff Ward<o:p></o:p></p>
<p class="MsoNormal">Chairman <o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><b><span
style="font-size:10.0pt;font-family:"Trebuchet
MS",sans-serif;color:#404040">Jeff Ward, CPA, CGMA,
CITP, CISA, CISSP, CEH</span></b><span
style="font-size:10.0pt;font-family:"Trebuchet
MS",sans-serif;color:#404040"><br>
Office Managing Partner & National Managing Partner
Third Party Attestation Services<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:10.0pt;font-family:"Trebuchet
MS",sans-serif;color:#404040">(SOC/WebTrust/Cybersecurity)<br>
314-889-1220 (Direct) 347-1220 (Internal)<br>
314-889-1221 (Fax)</span><span
style="font-size:12.0pt;font-family:"Times New
Roman",serif"><br>
</span><span
style="font-size:10.0pt;font-family:"Trebuchet
MS",sans-serif;color:#ED1A3B"><a
href="mailto:jfward@bdo.com" moz-do-not-send="true"><span
style="color:#ED1A3B">jfward@bdo.com</span></a></span><span
style="font-size:12.0pt;font-family:"Times New
Roman",serif"><br>
<br>
</span><b><span
style="font-size:10.0pt;font-family:"Trebuchet
MS",sans-serif;color:#404040">BDO</span></b><span
style="font-size:12.0pt;font-family:"Times New
Roman",serif"><br>
</span><span
style="font-size:10.0pt;font-family:"Trebuchet
MS",sans-serif;color:#404040">101 S Hanley Rd, #800<br>
St. Louis, MO 63105 <br>
UNITED STATES<br>
314-889-1100</span><span
style="font-size:12.0pt;font-family:"Times New
Roman",serif"><br>
</span><u><span
style="font-size:10.0pt;font-family:"Trebuchet
MS",sans-serif;color:#ED1A3B"><a
href="http://www.bdo.com" moz-do-not-send="true"><span
style="color:#ED1A3B">www.bdo.com</span></a></span></u><span
style="font-size:12.0pt;font-family:"Times New
Roman",serif"><br>
<br>
</span><i><span
style="font-size:10.0pt;font-family:trebuchet;color:green">Please
consider the environment before printing this e-mail</span></i><span
style="font-size:12.0pt;font-family:"Times New
Roman",serif"><br>
<br>
</span><o:p></o:p></p>
</div>
<br>
<br>
<pre wrap="">_______________________________________________
Public mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Public@cabforum.org">Public@cabforum.org</a>
<a class="moz-txt-link-freetext" href="https://cabforum.org/mailman/listinfo/public">https://cabforum.org/mailman/listinfo/public</a></pre>
</blockquote>
<br>
</body>
</html>