<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<br>
<br>
<div class="moz-cite-prefix">On 29/1/2019 4:56 PM, Ryan Sleevi
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:CACvaWvaPB2MotfuHJxs1N9saftmnp2WFrN4KvW8bgDM3sBhedA@mail.gmail.com">
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<div dir="ltr">
<div dir="ltr"><br>
</div>
<br>
<div class="gmail_quote">
<div dir="ltr" class="gmail_attr">On Tue, Jan 29, 2019 at 2:18
AM Dimitris Zacharopoulos <<a
href="mailto:jimmy@it.auth.gr" moz-do-not-send="true">jimmy@it.auth.gr</a>>
wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left:1px solid
rgb(204,204,204);padding-left:1ex">
<div bgcolor="#FFFFFF"> <br>
<br>
<div class="gmail-m_-3729503571974744775moz-cite-prefix">On
28/1/2019 8:48 PM, Ryan Sleevi via Public wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">
<div dir="ltr"><br>
</div>
<br>
<div class="gmail_quote">
<div dir="ltr"
class="gmail-m_-3729503571974744775gmail_attr">On
Thu, Jan 24, 2019 at 2:30 PM Dimitris
Zacharopoulos (HARICA) via Public <<a
href="mailto:public@cabforum.org"
target="_blank" moz-do-not-send="true">public@cabforum.org</a>>
wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0px
0px 0px 0.8ex;border-left:1px solid
rgb(204,204,204);padding-left:1ex">
<div bgcolor="#FFFFFF"> <br>
<br>
<div
class="gmail-m_-3729503571974744775gmail-m_7363109640286725785moz-cite-prefix">On
24/1/2019 8:16 PM, Wayne Thayer via Public
wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">
<div dir="ltr">
<div>On today's call we discussed a number
of changes to the bylaws aimed at
clarifying the rules for membership. The
proposal for section 2.1(a)(1) resulting
from today's discussion is:</div>
<br>
<blockquote class="gmail_quote"
style="margin:0px 0px 0px
0.8ex;border-left:1px solid
rgb(204,204,204);padding-left:1ex">Certificate
Issuer: The member organization operates
a certification authority that has a
publicly-available audit report or
attestation statement that meets the
following requirements:<br>
* Is based on the full, current version
of the WebTrust for CAs, ETSI EN 319
411-1 , or ETSI EN 319 411-2 audit
criteria<br>
</blockquote>
</div>
</div>
</blockquote>
</div>
</blockquote>
<div>Using the example reports for discussion ( <a
href="http://www.webtrust.org/practitioner-qualifications/docs/item85808.pdf"
target="_blank" moz-do-not-send="true">http://www.webtrust.org/practitioner-qualifications/docs/item85808.pdf</a> )</div>
<div><br>
</div>
<div>If a CA does not escrow CA keys, does not
provide subscriber key generation services, or
suspension services, does that count as being
based on the "full, current version"? (Page 11,
paragraph 2)</div>
</div>
</div>
</blockquote>
<br>
I think so, yes. Based on the exact CA operations, the
exact audit scope is determined. The Forum has set the
WebTrust for CAs and ETSI EN 319 411-1 as an absolute
minimum that includes attestation of the existence of
reasonable organizational and technical controls. If you
recall, I had proposed that for the SCWG we should also
require WebTrust for CAs Baseline and NetSec because they
are already included in ETSI EN 319 411-1 and are more
suitable for SSL/TLS Certificates. If a CA obtains a
WebTrust for CAs or ETSI EN 319 411-1 audit report, it
means that the core CA services are there and are
operational.<br>
</div>
</blockquote>
<div><br>
</div>
<div>I don't believe this is a correct understanding. By
highlighting that it's acceptable to carve out the scope,
you're seemingly acknowledging that it's acceptable to take
subsets of the audit criteria. For example, if I provided an
audit for the physical security controls of my data center
against the WebTrust for CAs criteria, is that sufficient
for membership as a CA?</div>
<div><br>
</div>
<div>This isn't theoretical; at least one CA member provides
such audits, as they use such a third-party datacenter. If
the datacenter provided just their report, would they
qualify? If they don't, then what is the property that we're
trying to achieve, and why, so that we can do it?</div>
</div>
</div>
</blockquote>
<br>
Would this WebTrust for CAs audit report be sufficient for
acceptance in a Root Program? I don't think so. All these years,
CA/B Forum Members have been accepted by providing WebTrust for CAs
and ETSI reports that include core PKI procedures. What you describe
is probably an exception and we can decide how to handle this
exception if in fact we ever receive an application for
participation in a WG with a WebTrust for CAs audit report scoping
just the physical security of a Datacenter. I hope that CA had
other WebTrust for CAs reports for their other operations.<br>
<br>
<blockquote type="cite"
cite="mid:CACvaWvaPB2MotfuHJxs1N9saftmnp2WFrN4KvW8bgDM3sBhedA@mail.gmail.com">
<div dir="ltr">
<div class="gmail_quote">
<div> </div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left:1px solid
rgb(204,204,204);padding-left:1ex">
<div bgcolor="#FFFFFF"> Root programs have audit
requirements exceptions and this applies equally to
Microsoft and Mozilla. I don't disagree to being more
inclusive but I believe the Forum must have objective and
specific requirements based on some international
standards and not just government regulations. <br>
</div>
</blockquote>
<div><br>
</div>
<div>Then by this goal, I don't believe our current membership
criteria meet this. For example, a qualified auditor is
determined by... government regulations in the case of ETSI.
Does that mean we should exclude ETSI audits from the scope?
Or should we allow CABs that are not accredited by the NABs?</div>
</div>
</div>
</blockquote>
<br>
This doesn't make a lot of sense. NABs are not Supervisory Bodies.
It's different. I was referring to government audit schemes for CAs
where a certain government unit audits a CA under national criteria.
<br>
<br>
<blockquote type="cite"
cite="mid:CACvaWvaPB2MotfuHJxs1N9saftmnp2WFrN4KvW8bgDM3sBhedA@mail.gmail.com">
<div dir="ltr">
<div class="gmail_quote">
<div><br>
</div>
<div>I realize it may seem like I'm being difficult, but I
think there's a core piece missing, which is trying to
understand why it's important for some members to exclude
some other CAs that have had long-standing operations. This
is particularly relevant for the discussion of the S/MIME
charter, in which there is a significant and extant set of
'trusted' certificates, in a variety of software, that does
not meet the criteria for participation. They would be
excluded from participating in engaging or drafting the new
criteria, by virtue of the Forum membership criteria, and I
think that's something we should be thinking very carefully
about and articulating what properties we expect of CAs and
why.</div>
</div>
</div>
</blockquote>
<br>
IMHO we need audit requirements that have undergone enough scrutiny
and quality assurance. International standards like ISO, WebTrust
and ETSI have such a process which provides better assurance for the
audit outcome. That's my personal view. We can always listen to
other schemes and we would welcome input from governments (as
Interested Parties) if they choose to participate. If these schemes
became so useful and comparable with existing international schemes,
then the S/MIME Working Group could decide to add those schemes in
the criteria for Membership and possibly in the produced Guidelines.<br>
<br>
<br>
<blockquote type="cite"
cite="mid:CACvaWvaPB2MotfuHJxs1N9saftmnp2WFrN4KvW8bgDM3sBhedA@mail.gmail.com">
<div dir="ltr">
<div class="gmail_quote">
<div> </div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left:1px solid
rgb(204,204,204);padding-left:1ex">
<div bgcolor="#FFFFFF">
<blockquote type="cite">
<div dir="ltr">
<div class="gmail_quote">
<blockquote class="gmail_quote" style="margin:0px
0px 0px 0.8ex;border-left:1px solid
rgb(204,204,204);padding-left:1ex">
<div bgcolor="#FFFFFF">
<blockquote type="cite">
<div dir="ltr">
<div dir="ltr">
<blockquote class="gmail_quote"
style="margin:0px 0px 0px
0.8ex;border-left:1px solid
rgb(204,204,204);padding-left:1ex"> *
Covers a period of at least 60 days<br>
</blockquote>
</div>
</div>
</blockquote>
</div>
</blockquote>
<div>I'm curious for feedback from the ETSI folks,
but perhaps a more inclusive definition would be</div>
<div>- "Reports on the operational effectiveness of
controls for a historic period of at least 60
days"</div>
<div><br>
</div>
<div>The context being that ETSI is a certification
scheme, but as part of that certification, the CAB
"may" ("should") examine the historic evidence for
some period of time. 7.9 of 319 403 only requires
"since the previous audit"</div>
</div>
</div>
</blockquote>
<br>
I am not representing ETSI or ACAB'c but if there are
concerns with this requirement we can solve this issue
using the language proposed by Wayne "Covers a period of
at least 60 days". I would use "Covers a period of
operations of at least 60 days".<br>
</div>
</blockquote>
<div><br>
</div>
<div>I'm not sure what this is a response to. I was pointing
out the issues with the language proposed by Wayne and why
it's insufficient, so it's not clear to me how you've
resolved that.</div>
</div>
</div>
</blockquote>
<br>
This was in response to an audit that covers at least 60 days of
operations. You argued that the ETSI scheme doesn't specifically
mandate a minimum audit period before issuing an audit report. In
practice, CABs use 60-90 days but it's not written in ETSI EN 319
403. Wayne's proposal attempts to add this in the requirements so
it's clear that we are always talking about a period-of-time audit
report for WebTrust and ETSI.<br>
<br>
I hope it's clearer now.<br>
Dimitris.<br>
</body>
</html>