<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<br>
<br>
<div class="moz-cite-prefix">On 28/1/2019 8:48 μ.μ., Ryan Sleevi via
Public wrote:<br>
</div>
<blockquote type="cite"
cite="mid:CACvaWvZeUHPGUBP3qmzJXJBLiJbz3jbFPkzMPO0ySZ6GDEqOFA@mail.gmail.com">
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<div dir="ltr">
<div dir="ltr"><br>
</div>
<br>
<div class="gmail_quote">
<div dir="ltr" class="gmail_attr">On Thu, Jan 24, 2019 at 2:30
PM Dimitris Zacharopoulos (HARICA) via Public <<a
href="mailto:public@cabforum.org" moz-do-not-send="true">public@cabforum.org</a>>
wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left:1px solid
rgb(204,204,204);padding-left:1ex">
<div bgcolor="#FFFFFF"> <br>
<br>
<div class="gmail-m_7363109640286725785moz-cite-prefix">On
24/1/2019 8:16 μ.μ., Wayne Thayer via Public wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">
<div dir="ltr">
<div>On today's call we discussed a number of
changes to the bylaws aimed at clarifying the
rules for membership. The proposal for section
2.1(a)(1) resulting from today's discussion is:</div>
<br>
<blockquote class="gmail_quote" style="margin:0px
0px 0px 0.8ex;border-left:1px solid
rgb(204,204,204);padding-left:1ex">Certificate
Issuer: The member organization operates a
certification authority that has a
publicly-available audit report or attestation
statement that meets the following requirements:<br>
* Is based on the full, current version of the
WebTrust for CAs, ETSI EN 319 411-1 , or ETSI EN
319 411-2 audit criteria<br>
</blockquote>
</div>
</div>
</blockquote>
</div>
</blockquote>
<div>Using the example reports for discussion ( <a
href="http://www.webtrust.org/practitioner-qualifications/docs/item85808.pdf"
moz-do-not-send="true">http://www.webtrust.org/practitioner-qualifications/docs/item85808.pdf</a> )</div>
<div><br>
</div>
<div>If a CA does not escrow CA keys, does not provide
subscriber key generation services, or suspension services,
does that count as being based on the "full, current
version"? (Page 11, paragraph 2)</div>
</div>
</div>
</blockquote>
<br>
I think so, yes. Based on the exact CA operations, the exact audit
scope is determined. The Forum has set the WebTrust for CAs and ETSI
EN 319 411-1 as an absolute minimum that includes attestation of the
existence of reasonable organizational and technical controls. If
you recall, I had proposed that for the SCWG we should also require
WebTrust for CAs Baseline and NetSec because they are already
included in ETSI EN 319 411-1 and are more suitable for SSL/TLS
Certificates. If a CA obtains a WebTrust for CAs or ETSI EN 319
411-1 audit report, it means that the core CA services are there and
are operational.<br>
<br>
Root programs have audit requirements exceptions and this applies
equally to Microsoft and Mozilla. I don't disagree to being more
inclusive but I believe the Forum must have objective and specific
requirements based on some international standards and not just
government regulations. <br>
<br>
<br>
<blockquote type="cite"
cite="mid:CACvaWvZeUHPGUBP3qmzJXJBLiJbz3jbFPkzMPO0ySZ6GDEqOFA@mail.gmail.com">
<div dir="ltr">
<div class="gmail_quote">
<blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left:1px solid
rgb(204,204,204);padding-left:1ex">
<div bgcolor="#FFFFFF">
<blockquote type="cite">
<div dir="ltr">
<div dir="ltr">
<blockquote class="gmail_quote" style="margin:0px
0px 0px 0.8ex;border-left:1px solid
rgb(204,204,204);padding-left:1ex"> * Covers a
period of at least 60 days<br>
</blockquote>
</div>
</div>
</blockquote>
</div>
</blockquote>
<div>I'm curious for feedback from the ETSI folks, but perhaps
a more inclusive definition would be</div>
<div>- "Reports on the operational effectiveness of controls
for a historic period of at least 60 days"</div>
<div><br>
</div>
<div>The context being that ETSI is a certification scheme,
but as part of that certification, the CAB "may" ("should")
examine the historic evidence for some period of time. 7.9
of 319 403 only requires "since the previous audit"</div>
</div>
</div>
</blockquote>
<br>
I am not representing ETSI or ACAB'c but if there are concerns with
this requirement we can solve this issue using the language proposed
by Wayne "Covers a period of at least 60 days". I would use "Covers
a period of operations of at least 60 days".<br>
<br>
<blockquote type="cite"
cite="mid:CACvaWvZeUHPGUBP3qmzJXJBLiJbz3jbFPkzMPO0ySZ6GDEqOFA@mail.gmail.com">
<div dir="ltr">
<div class="gmail_quote">
<blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left:1px solid
rgb(204,204,204);padding-left:1ex">
<div bgcolor="#FFFFFF">
<blockquote type="cite">
<div dir="ltr">
<div dir="ltr">
<blockquote class="gmail_quote" style="margin:0px
0px 0px 0.8ex;border-left:1px solid
rgb(204,204,204);padding-left:1ex"> * Covers a
period that ends within the past 15 months<br>
</blockquote>
</div>
</div>
</blockquote>
</div>
</blockquote>
<div>This may also be resting on the BR definition of Audit
Period. I can see similar ambiguities arising with respect
to ETSI and that its certification decisions last two years,
not one, thus it might cause a CA to believe that they have
up to three years from first completing their audit (that
is, if the letter is issued at T=2 years, covering T=0 to
T=2, and is valid to T=4 years, then the CA may believe it's
covered until T=5 years and 3 months)</div>
<div><br>
</div>
<div>There's also the potential of surveillance audits
conducted over specific issues being resolved, without being
a full recertification (e.g. if the CAB classified it as a
minor non-conformity)</div>
<div><br>
</div>
<div>"With no more than 27 months having elapsed since the
beginning of the reported-on period and no more than 15
months since the end of the reported-on period"</div>
<div><br>
</div>
<div>It's a mouthful, but perhaps there's a more concise way
to capture that unambiguously.</div>
</div>
</div>
</blockquote>
<br>
AFAIK, Microsoft still requires annual full audits even for non-SSL
certificate issuance. In any case, I prefer a mouthful than an
ambiguous requirement.<br>
<br>
<br>
Dimitris.<br>
<br>
<blockquote type="cite"
cite="mid:CACvaWvZeUHPGUBP3qmzJXJBLiJbz3jbFPkzMPO0ySZ6GDEqOFA@mail.gmail.com"><br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<pre class="moz-quote-pre" wrap="">_______________________________________________
Public mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Public@cabforum.org" moz-do-not-send="true">Public@cabforum.org</a>
<a class="moz-txt-link-freetext" href="https://cabforum.org/mailman/listinfo/public" moz-do-not-send="true">https://cabforum.org/mailman/listinfo/public</a>
</pre>
</blockquote>
<br>
</body>
</html>