<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:"Trebuchet MS";
panose-1:2 11 6 3 2 2 2 2 2 4;}
@font-face
{font-family:trebuchet;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
{mso-style-priority:34;
margin-top:0in;
margin-right:0in;
margin-bottom:0in;
margin-left:.5in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
p.msonormal0, li.msonormal0, div.msonormal0
{mso-style-name:msonormal;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
span.EmailStyle19
{mso-style-type:personal;
font-family:"Calibri",sans-serif;}
span.EmailStyle20
{mso-style-type:personal;
font-family:"Calibri",sans-serif;}
span.EmailStyle23
{mso-style-type:personal-reply;
font-family:"Trebuchet MS",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
/* List Definitions */
@list l0
{mso-list-id:719397433;
mso-list-template-ids:1226883316;}
@list l0:level2
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l1
{mso-list-id:959535752;
mso-list-type:hybrid;
mso-list-template-ids:-92772556 67698705 67698713 67698715 67698703 67698713 67698715 67698703 67698713 67698715;}
@list l1:level1
{mso-level-text:"%1\)";
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l1:level2
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l1:level3
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
text-indent:-9.0pt;}
@list l1:level4
{mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l1:level5
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l1:level6
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
text-indent:-9.0pt;}
@list l1:level7
{mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l1:level8
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l1:level9
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
text-indent:-9.0pt;}
ol
{margin-bottom:0in;}
ul
{margin-bottom:0in;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:10.5pt;font-family:"Trebuchet MS",sans-serif">From my auditor perspective, I can tell you I field a lot of calls from CAs and auditors alike regarding external RAs / Delegated Third Parties. Reading through this
chain has been helpful. I do believe clarification would be helpful as well, and do not believe it would be that difficult to add. As you know and would expect, as part of the independent audit, auditors ensure that the CA is performing the 3% test as required
and also identify and examine the monitoring controls performed by the CA over external RAs. The auditor also makes independent tests in addition to the CA’s 3% test. As mentioned below, there is no confusion with audit requirements of Enterprise RAs as
they are part of the scope of the CAs audit. The root for the confusion I believe is that there is no consistency on how an External RA (not Enterprise) operates and how the lines get blurred on what would be considered classic CA activities with RA activities
that the RA performs. That is where I would suggest the clarification be made.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.5pt;font-family:"Trebuchet MS",sans-serif"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.5pt;font-family:"Trebuchet MS",sans-serif">Also, and as a reminder, the WebTrust Task Force has its new service, WebTrust for Registration Authorities, in final draft. If anyone would like to see the final draft,
just send me a note and I will be happy to send it to you for review and feedback. We plan to finalize this at the beginning of calendar 2019.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.5pt;font-family:"Trebuchet MS",sans-serif"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.5pt;font-family:"Trebuchet MS",sans-serif">Thanks.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.5pt;font-family:"Trebuchet MS",sans-serif"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.5pt;font-family:"Trebuchet MS",sans-serif">Jeff<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.5pt;font-family:"Trebuchet MS",sans-serif"><o:p> </o:p></span></p>
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Trebuchet MS",sans-serif;color:#404040">Jeff Ward, CPA, CGMA, CITP, CISA, CISSP, CEH</span></b><span style="font-size:10.0pt;font-family:"Trebuchet MS",sans-serif;color:#404040"><br>
National Managing Partner Third Party Attestation (SOC/WebTrust/Cybersecurity)<br>
314-889-1220 (Direct) 347-1220 (Internal)<br>
314-387-0189 (Mobile)</span><span style="font-size:12.0pt;font-family:"Times New Roman",serif"><br>
</span><span style="font-size:10.0pt;font-family:"Trebuchet MS",sans-serif;color:#ED1A3B"><a href="mailto:jward@bdo.com"><span style="color:#ED1A3B">jward@bdo.com</span></a></span><span style="font-size:12.0pt;font-family:"Times New Roman",serif"><br>
<br>
</span><b><span style="font-size:10.0pt;font-family:"Trebuchet MS",sans-serif;color:#404040">BDO</span></b><span style="font-size:12.0pt;font-family:"Times New Roman",serif"><br>
</span><span style="font-size:10.0pt;font-family:"Trebuchet MS",sans-serif;color:#404040">101 S Hanley Rd, Suite 800<br>
St. Louis, MO 63105 <br>
UNITED STATES<br>
314-889-1100</span><span style="font-size:12.0pt;font-family:"Times New Roman",serif"><br>
</span><u><span style="font-size:10.0pt;font-family:"Trebuchet MS",sans-serif;color:#ED1A3B"><a href="https://www.bdo.com"><span style="color:#ED1A3B">www.bdo.com</span></a></span></u><span style="font-size:12.0pt;font-family:"Times New Roman",serif"><br>
<br>
</span><i><span style="font-size:10.0pt;font-family:trebuchet;color:green">Please consider the environment before printing this e-mail</span></i><span style="font-size:12.0pt;font-family:"Times New Roman",serif"><br>
<br>
</span><span style="font-size:10.5pt;font-family:"Trebuchet MS",sans-serif"><o:p></o:p></span></p>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b>From:</b> Public [mailto:public-bounces@cabforum.org] <b>
On Behalf Of </b>Jeremy Rowley via Public<br>
<b>Sent:</b> Wednesday, November 7, 2018 1:36 PM<br>
<b>To:</b> Ryan Sleevi <sleevi@google.com>; CABFPub <public@cabforum.org><br>
<b>Subject:</b> Re: [cabfpub] Audit of RAs<o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-bottom:12.0pt"><em><b><span style="font-size:9.0pt;font-family:"Trebuchet MS",sans-serif;color:orangered">Attention: This email was sent from someone outside of BDO USA. Always use caution when opening attachments or clicking
links from unknown senders or when receiving unexpected emails.</span></b></em><span style="font-size:12.0pt;font-family:"Times New Roman",serif"><o:p></o:p></span></p>
<div>
<p class="MsoNormal">Thanks Ryan. I think your analysis reflects my own thoughts. Particularly I appreciate you bringing up this point because it’s the crux of the argument:<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">- DTPs are defined in Section 1.6.1 - any function or requirement under the BRs that is performed by an entity not in scope of the CA's audit<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">The difficulty is determining whether something is in the scope of the CA’s audit. For example, CAs generally fall along the following lines with respect to third party delegation:<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-left:.5in;text-indent:-.25in;mso-list:l1 level1 lfo3">
<![if !supportLists]><span style="mso-list:Ignore">1)<span style="font:7.0pt "Times New Roman"">
</span></span><![endif]>No audit required of DTP because they audit criteria doesn’t exist (which is the argument below)
<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in;text-indent:-.25in;mso-list:l1 level1 lfo3">
<![if !supportLists]><span style="mso-list:Ignore">2)<span style="font:7.0pt "Times New Roman"">
</span></span><![endif]>No audit required if the DTP provides the information to the CA in a repository because the information rests with the CA at this point. No requirement for the CA to review the documentation, but the document is available to the auditor.
<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:1.0in;text-indent:-.25in;mso-list:l1 level2 lfo3">
<![if !supportLists]><span style="mso-list:Ignore">a.<span style="font:7.0pt "Times New Roman"">
</span></span><![endif]>Relies on the interpretation that only certificates are covered by the audit, not the party gathering information or providing the services<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:1.0in;text-indent:-.25in;mso-list:l1 level2 lfo3">
<![if !supportLists]><span style="mso-list:Ignore">b.<span style="font:7.0pt "Times New Roman"">
</span></span><![endif]>DTP is considered within the CA audit because the information is covered by the audit<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in;text-indent:-.25in;mso-list:l1 level1 lfo3">
<![if !supportLists]><span style="mso-list:Ignore">3)<span style="font:7.0pt "Times New Roman"">
</span></span><![endif]>No audit required if the DTP provides the information and the CA reviews the information
<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:1.0in;text-indent:-.25in;mso-list:l1 level2 lfo3">
<![if !supportLists]><span style="mso-list:Ignore">a.<span style="font:7.0pt "Times New Roman"">
</span></span><![endif]>Still ignores the DTP infrastructure<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:1.0in;text-indent:-.25in;mso-list:l1 level2 lfo3">
<![if !supportLists]><span style="mso-list:Ignore">b.<span style="font:7.0pt "Times New Roman"">
</span></span><![endif]>CA is governing use of the data so the DTP is already in scope of the CA audit<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in;text-indent:-.25in;mso-list:l1 level1 lfo3">
<![if !supportLists]><span style="mso-list:Ignore">4)<span style="font:7.0pt "Times New Roman"">
</span></span><![endif]>No audit required if the DTP gathers information and the CA independently confirms the information or operates the service
<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:1.0in;text-indent:-.25in;mso-list:l1 level2 lfo3">
<![if !supportLists]><span style="mso-list:Ignore">a.<span style="font:7.0pt "Times New Roman"">
</span></span><![endif]>Full disclosure, this is where I’ve always thought the audit requirement stopped<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:1.0in;text-indent:-.25in;mso-list:l1 level2 lfo3">
<![if !supportLists]><span style="mso-list:Ignore">b.<span style="font:7.0pt "Times New Roman"">
</span></span><![endif]>The CA is performing al operations. The DTP is just providing information related to the request.
<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in;text-indent:-.25in;mso-list:l1 level1 lfo3">
<![if !supportLists]><span style="mso-list:Ignore">5)<span style="font:7.0pt "Times New Roman"">
</span></span><![endif]>Audits required of all DTPs if they are providing any information or services required under the BRs
<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:1.0in;text-indent:-.25in;mso-list:l1 level2 lfo3">
<![if !supportLists]><span style="mso-list:Ignore">a.<span style="font:7.0pt "Times New Roman"">
</span></span><![endif]>This one is more problematic as it starts to include data sources in the CA’s audit<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:1.0in;text-indent:-.25in;mso-list:l1 level2 lfo3">
<![if !supportLists]><span style="mso-list:Ignore">b.<span style="font:7.0pt "Times New Roman"">
</span></span><![endif]>Could this also include the cert requester? <o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Despite the argument I presented below, the entire question relies on underlying confusion in the DTP definition (Section 1.6.1) and when exactly a DTP applies because their activities are “within the scope of the CA audits”.
<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><b>From:</b> Ryan Sleevi <<a href="mailto:sleevi@google.com">sleevi@google.com</a>>
<br>
<b>Sent:</b> Wednesday, November 7, 2018 11:54 AM<br>
<b>To:</b> Jeremy Rowley <<a href="mailto:jeremy.rowley@digicert.com">jeremy.rowley@digicert.com</a>>; CABFPub <<a href="mailto:public@cabforum.org">public@cabforum.org</a>><br>
<b>Subject:</b> Re: [cabfpub] Audit of RAs<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><o:p> </o:p></p>
<div>
<div>
<p class="MsoNormal">On Wed, Nov 7, 2018 at 1:04 PM Jeremy Rowley via Public <<a href="mailto:public@cabforum.org">public@cabforum.org</a>> wrote:<o:p></o:p></p>
</div>
<blockquote style="border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0in;margin-bottom:5.0pt">
<div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">I would like to discuss whether unaudited Delegated Third Parties are permitted under the BRs. My reading of the BRs (combined with what happened to Symantec) is that unaudited
RAs are, at least mildly, frowned upon by the browsers. However, I think the BRs may be unclear on this point which is leading to an increased delegation of responsibilities to unaudited third parties. If there is confusion, could we pass a ballot to rule
one way or another?<o:p></o:p></p>
</div>
</div>
</blockquote>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">I think in order to get a ballot, we need to make sure we understand what is causing people's confusion - so this will presumably require those advocating such interpretations (whether CAs or auditors) to clarify their positions.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<blockquote style="border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0in;margin-bottom:5.0pt">
<div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">Section 8.1 – Certificates Only<o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">“Certificates that are capable of being used to issue new certificates MUST either be Technically Constrained in line with section 7.1.5 and audited in line with section 8.7 only,
or Unconstrained and fully audited in line with all remaining requirements from this section. A Certificate is deemed as capable of being used to issue new certificates if it contains an X.509v3 basicConstraints extension, with the cA boolean set to true and
is therefore by definition a Root CA Certificate or a Subordinate CA Certificate”<o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">Note that certificates all covered by the audit, not Delegated Third Parties. The audit for an R/A is “error: no such audit exists”. <o:p></o:p></p>
</div>
</div>
</blockquote>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">So, I think framing it like this naturally leads to confusion. Let's not speak about RAs yet - hopefully there's clear consensus that certificates (including roots) need to be audited or technically constrained. Audited includes all the
performance of activities under the rest of the BRs.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">There's nothing in here to support 'excluding' any activities. This is just a basic statement about what's required. A CA issues certificates, everything that causes issuance must be audited - including that of third-parties.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<blockquote style="border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0in;margin-bottom:5.0pt">
<div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">Section 8.4 – Inapplicable Audit Schemes
<o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">“For Delegated Third Parties which are not Enterprise RAs,, then the CA SHALL obtain an audit report, issued under the auditing standards that underlie the accepted audit schemes
found in Section 8.1, that provides an opinion whether the Delegated Third Party’s performance complies with either the Delegated Third Party’s practice statement or the CA’s Certificate Policy and/or Certification Practice Statement. If the opinion is that
the Delegated Third Party does not comply, then the CA SHALL not allow the Delegated Third Party to continue performing delegated functions.” <o:p></o:p></p>
</div>
</div>
</blockquote>
<blockquote style="border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0in;margin-bottom:5.0pt">
<div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">Again, the issue is the lack of a audit of the RA, which amounts to the CA giving a statement to the auditor that the RA totally complies with the CA policies. No real check because
the auditor is only looking at the CA, not the RA. Also, the section refers to 8.1 which covers certificates, not operations or process. See the previous argument that there is no audit for RAs, meaning the only check on the RA is the random sample of certificates
reviewed by the auditor.<o:p></o:p></p>
</div>
</div>
</blockquote>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">This is also not a defensible interpretation. The requirement is that the CA shall obtain an audit report, for the DTP, using the same standards as the audit schemes from 8.1.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">There's no exceptions here in this 8.4. Through the reference to 8.1, it's also not defensible to suggest that the CA can produce the audit report themselves; they're required to get something using the same standards.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<blockquote style="border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0in;margin-bottom:5.0pt">
<div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">Section 8.7 – Overriding the Audit
<o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">This is where the primary main control and where the override comes from:<o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">Except for Delegated Third Parties that undergo an annual audit that meets the criteria specified in Section 8.1, the CA SHALL strictly control the service quality of Certificates
issued or containing information verified by a Delegated Third Party by having a Validation Specialist employed by the CA perform ongoing quarterly audits against a randomly selected sample of at least the greater of one certificate or three percent of the
Certificates verified by the Delegated Third Party in the period beginning immediately after the last sample was taken. The CA SHALL review each Delegated Third Party’s practices and procedures to ensure that the Delegated Third Party is in compliance with
these Requirements and the relevant Certificate Policy and/or Certification Practice Statemen<o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">So there is a case where Delegated Third Parties are not audited under 8.1. What are these? The only thing that makes sense are RAs. This means the CA can take full ownership of
all audit and communication to the RA as long as they look at 3% (and provide the certs to the auditor of they are included in the audit by the auditor) and review the practices and procedures. This places all trust in the CA to ensure these entities are compliance.<o:p></o:p></p>
</div>
</div>
</blockquote>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">No. This is not correct either. Enterprise RAs are the only DTPs that are not undergoing an annual audit under Section 8.1. Enterprise RAs are specifically defined to be technically constrained in their issuance. If they are not technically
constrained, they are not Enterprise RAs.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<blockquote style="border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0in;margin-bottom:5.0pt">
<div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">1.3.2 – The Exception<o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">This is where the exception comes into play:<o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">With the exception of sections 3.2.2.4 and 3.2.2.5, the CA MAY delegate the performance of all, or any part, of Section 3.2 requirements to a Delegated Third Party, provided that
the process as a whole fulfills all of the requirements of Section 3.2. Before the CA authorizes a Delegated Third Party to perform a delegated function, the CA SHALL contractually require the Delegated Third Party to: (1) Meet the qualification requirements
of Section 5.3.1, when applicable to the delegated function; (2) Retain documentation in accordance with Section 5.5.2; (3) Abide by the other provisions of these Requirements that are applicable to the delegated function; and (4) Comply with (a) the CA’s
Certificate Policy/Certification Practice Statement or (b) the Delegated Third Party’s practice statement that the CA has verified complies with these Requirements.<o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><br>
Under this section, you can bind the RA by contract to meet the policies and procedures of the CA (which satisfies the CA’s requirements under 8.7 to ensure the delegated third party is operating in accordance with the CA’s CPS)<o:p></o:p></p>
</div>
</div>
</blockquote>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">No. This is not an alternative to or an exception - this is a set of *additional* requirements beyond the audit. This supplements the auditing process by ensuring that the activities of the DTP are consistent with the CA's CP/CPS, and separately,
an audit to ensure they're being performed correctly.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<blockquote style="border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0in;margin-bottom:5.0pt">
<div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">That’s the logic presented. Ie – 8.1 requires an audit, but the CA can perform the audit. The CA performs the audit by simply putting a contract in place that the RA will abide
by all requirements. The CA still has to audit a random sample, but you can delegate that to the Delegated Third Party as well….
<o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">Thoughts? Can we create a clear statement on whether delegated third parties are audited or unaudited?<o:p></o:p></p>
</div>
</div>
</blockquote>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">I appreciate you raising this, because this would be a pretty irresponsible read.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Let's set up a hierarchy of requirements.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">- DTPs are defined in Section 1.6.1 - any function or requirement under the BRs that is performed by an entity not in scope of the CA's audit<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">- Enterprise RA - Defined in Section 1.6.1, an entity other than the CA that authorizes certificates. The ability to use such entities is constrained/defined in Section 1.3.2 in terms of when they can be used<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">- CAs may use DTPs to perform Section 3.2 activities if-and-only-if they meet the requirements enumerated in Section 1.3.2.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">- CAs may use DTPs to perform (any function) if-and-only-if they meet the requirements enumerated in Section 1.3.2<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">- CAs using DTPs MUST ensure their DTPs comply with Section 4.2.1 if delegating part of 4.2.1. This requires the CA *also* validate consistency with part of 4.2.1; this does not replace, this is in addition to any other requirements.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">- CAs using DTPs MUST meet the requirements of Section 5.3.7. This is in addition to any other requirements.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">- Section 8.4 requires CAs using DTPs (except Enterprise RAs, which are only performing a single function, per above) to obtain audits consistent with Section 8.1<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">If I understand the argument "you" (really, others) are making, it's that Section 8.1 doesn't define audit schemes like ETSI or WebTrust, and only discusses CA certificates, therefore, Section 8.4 doesn't really require anything (because
8.1 is empty re: DTPs)<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">This argument seems based on the references to Section 8.1. If we look through the document history, we can see this is an artifact of a bad translation to the RFC 3647 format; the version prior to this - <a href="https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fcabforum.org%2Fwp-content%2Fuploads%2FBRv1.2.5.pdf&data=02%7C01%7Cjward%40bdo.com%7C81bfb3110b124c6122bc08d644e839e5%7C6e57fc1a413e405091da7d2dc8543e3c%7C0%7C0%7C636772161535922811&sdata=%2F82zE18IcCypF%2BsO6bRvJ%2Fog99A84McFii2gzfT9z%2F8%3D&reserved=0">https://cabforum.org/wp-content/uploads/BRv1.2.5.pdf</a>
- put the requirements differently. Namely, both referenced Section 17 (the overall section) rather than the specific section. Later on, the reference to schemes enumerated in 17.1 was accurate, as 17.1 contained what is now contained in Section 8.2 - that
is, the specific enumeration of schemes.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">"Correcting" this mistake seems to be aligning the BRs with what they mandated prior to the 3647 conversion - that is, fixing the reference to "Section 8.1" to read either "Section 8" or "Section 8.2" as appropriate.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">However, getting to this point involves ignoring the language and how it came to be.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Certainly, however, the intent - as captured from those very first versions of the BRs - seems to have been to ensure that DTPs - which includes any (non-Enterprise) RAs - and would include all information management specialists, document
verifiers, or any other party for which controls are being delegated to - is being audited using the same standards. If they're not performing certain functions (e.g. an RA does not direct issuance or sign materials), such non-performance would be clearly
indicated on the report, while all activities they did perform - and their other protections - would be assessed.<o:p></o:p></p>
</div>
</div>
</div>
</div>
</div>
</div>
<br>
<br>
<span style="FONT-SIZE: 10pt; FONT-FAMILY: "Calibri","sans-serif"; COLOR: black; mso-fareast-font-family: Calibri; mso-fareast-theme-font: minor-latin; mso-bidi-font-family: "Times New Roman"; mso-ansi-language: EN-US; mso-fareast-language: EN-US; mso-bidi-language: AR-SA"><strong><em>BDO
USA, LLP, a Delaware limited liability partnership, is the U.S. member of BDO International Limited, a UK company limited by guarantee, and forms part of the international BDO network of independent member firms.
<br>
<br>
BDO is the brand name for the BDO network and for each of the BDO Member Firms.<br>
<br>
IMPORTANT NOTICES<br>
<br>
The contents of this email and any attachments to it may contain privileged and confidential information from BDO USA, LLP. This information is only for the viewing or use of the intended recipient. If you are not the intended recipient, you are hereby notified
that any disclosure, copying, distribution or use of, or the taking of any action in reliance upon, the information contained in this e-mail, or any of the attachments to this e-mail, is strictly prohibited and that this e-mail and all of the attachments to
this e-mail, if any, must be immediately returned to BDO USA, LLP or destroyed and, in either case, this e-mail and all attachments to this e-mail must be immediately deleted from your computer without making any copies hereof. If you have received this e-mail
in error, please notify BDO USA, LLP by e-mail immediately.</em></strong></span><br>
<br>
</body>
</html>