<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:"Trebuchet MS";
panose-1:2 11 6 3 2 2 2 2 2 4;}
@font-face
{font-family:trebuchet;}
@font-face
{font-family:Consolas;
panose-1:2 11 6 9 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;
color:black;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
pre
{mso-style-priority:99;
mso-style-link:"HTML Preformatted Char";
margin:0in;
margin-bottom:.0001pt;
font-size:10.0pt;
font-family:"Courier New";
color:black;}
p.msonormal0, li.msonormal0, div.msonormal0
{mso-style-name:msonormal;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;
color:black;}
span.HTMLPreformattedChar
{mso-style-name:"HTML Preformatted Char";
mso-style-priority:99;
mso-style-link:"HTML Preformatted";
font-family:Consolas;
color:black;}
span.EmailStyle22
{mso-style-type:personal-reply;
font-family:"Trebuchet MS",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body bgcolor="white" lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:10.5pt;font-family:"Trebuchet MS",sans-serif;color:windowtext">Your comments on WebTrust for RA Dimitris are accurate. No new criteria were created. We did in fact extract RA type activities in the other WebTrust
services and incorporated them into a new standalone version.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.5pt;font-family:"Trebuchet MS",sans-serif;color:windowtext"><o:p> </o:p></span></p>
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Trebuchet MS",sans-serif;color:#404040">Jeff Ward, CPA, CGMA, CITP, CISA, CISSP, CEH</span></b><span style="font-size:10.0pt;font-family:"Trebuchet MS",sans-serif;color:#404040"><br>
National Managing Partner Third Party Attestation (SOC/WebTrust/Cybersecurity)<br>
314-889-1220 (Direct) 347-1220 (Internal)<br>
314-387-0189 (Mobile)</span><span style="color:windowtext"><br>
</span><span style="font-size:10.0pt;font-family:"Trebuchet MS",sans-serif;color:#ED1A3B"><a href="mailto:jward@bdo.com"><span style="color:#ED1A3B">jward@bdo.com</span></a></span><span style="color:windowtext"><br>
<br>
</span><b><span style="font-size:10.0pt;font-family:"Trebuchet MS",sans-serif;color:#404040">BDO</span></b><span style="color:windowtext"><br>
</span><span style="font-size:10.0pt;font-family:"Trebuchet MS",sans-serif;color:#404040">101 S Hanley Rd, Suite 800<br>
St. Louis, MO 63105 <br>
UNITED STATES<br>
314-889-1100</span><span style="color:windowtext"><br>
</span><u><span style="font-size:10.0pt;font-family:"Trebuchet MS",sans-serif;color:#ED1A3B"><a href="http://www.bdo.com"><span style="color:#ED1A3B">www.bdo.com</span></a></span></u><span style="color:windowtext"><br>
<br>
</span><i><span style="font-size:10.0pt;font-family:trebuchet;color:green">Please consider the environment before printing this e-mail</span></i><span style="font-size:10.5pt;font-family:"Trebuchet MS",sans-serif;color:windowtext"><o:p></o:p></span></p>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="color:windowtext">From:</span></b><span style="color:windowtext"> Public <public-bounces@cabforum.org>
<b>On Behalf Of </b>Dimitris Zacharopoulos (HARICA) via Public<br>
<b>Sent:</b> Tuesday, June 18, 2019 2:28 PM<br>
<b>To:</b> CA/Browser Forum Public Discussion List <public@cabforum.org><br>
<b>Subject:</b> Re: [cabfpub] Audits and RAs<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-bottom:12.0pt"><em><b><span style="font-size:9.0pt;font-family:"Trebuchet MS",sans-serif;color:darkviolet">Attention: This email was sent from someone outside of BDO USA. Always use caution when opening attachments or clicking
links from unknown senders or when receiving unexpected emails.</span></b></em><o:p></o:p></p>
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><br>
I believe we discussed this at the CA/B Forum meeting in Cupertino where it was explained that an RA can be audited with the existing ETSI/WebTrust criteria by only listing the necessary criteria relevant to RA operations. So, for the ETSI example, an RA would
be audited against ETSI EN 319 411-1 by listing the most of the requirements of 319 401 and the relevant sections of 411-1 for RA operations. This scope would be clearly indicated in the attestation letter, allowing the CA to have an independent auditor's
opinion of the RA operations of a delegated third party.<br>
<br>
I believe WebTrust for RAs has made a great job of defining the relevant criteria and separating them in a different document. ETSI has done something similar by identifying "service components" in EN 319 411-1 (OVR, REG, REV, DIS, and so on).<br>
<br>
<br>
Dimitris.<o:p></o:p></p>
<div>
<p class="MsoNormal">On 18/6/2019 8:51 μ.μ., Ryan Sleevi via Public wrote:<o:p></o:p></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<div>
<p class="MsoNormal">On Tue, Jun 18, 2019 at 1:35 PM Jeremy Rowley via Public <<a href="mailto:public@cabforum.org">public@cabforum.org</a>> wrote:<o:p></o:p></p>
</div>
<blockquote style="border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in">
<div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">I think I heard the WebTrust auditors say last week that they have finished or nearly finished the WebTrust for RAs criteria. The language from Section 8.4 of the guidelines reads:<o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">“For Delegated Third Parties which are not Enterprise RAs,, then the CA SHALL obtain an audit report, issued under the auditing standards that underlie the accepted audit schemes
found in Section 8.1, that provides an opinion whether the Delegated Third Party’s performance complies with either the Delegated Third Party’s practice statement or the CA’s Certificate Policy and/or Certification Practice Statement. If the opinion is that
the Delegated Third Party does not comply, then the CA SHALL not allow the Delegated Third Party to continue performing delegated functions.”<o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">We know some CAs use RAs that are not audited under WebTrust/ETSI because “there is no appropriate audit standard”. Now that there is an audit standards, it seems to me this criteria
goes into effect immediately and any RA not audited would cause the CA to be out of compliance with the BRs. No additional ballot required since the concept is already baked into the BRs.
<o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">Anyone have a different interpretation? If not, when is the exact date that the audits should be done? Already?<o:p></o:p></p>
</div>
</div>
</blockquote>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">TL;DR: Don't worry. I don't think there's an impending doom date.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Officially, Chrome is not planning to immediately enforce the WebTrust for RAs audit, and is still evaluating the most effective means to use and consume this.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">For best results, however, don't use RAs ;)<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Here's the alternative interpretation I'll over you:<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">The "auditing standards that underlie the accepted audit criteria" are, in the case of WebTrust, are SSAE 18 (US), CSAE 3000 - 3001 (CA), and ISAE 3000 (elsewhere), with potentially jurisidiction-specific (self-?)regulatory requirements
or modifications, similar to the US/CA harmonization with IFAC.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">The "auditing standards that underlie the accepted audit criteria" are, for ETSI EN 319 411-1 and ETSI EN 319 403, either (depending on your perspective of "standard"), going to be seen as:<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> a) ETSI EN 319 411-1 / ETSI EN 319 403<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> b) ISO/IEC 17065<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">The former takes the view that the ETSI ESI documents are themselves the standards for auditing, in that they define a set of standards appropriate for "an" audit scheme, although absent the eIDAS Regulation lacks any normative guidance
about who the defining authority is for the appropriate auditor (compared to IFAC and its constituent organizations, which does).<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">The latter takes the view that the ETSI ESI documents are themselves adopted from the ISO/IEC standards and guidance on the development of certification schemes (which covers a broad scheme of activities), and that any scheme derived from
the principles of 17065 is suitably empowered. It, similarly, lacks the guidance as to who can perform the assessments, since that is the role of the scheme operator (e.g. EU in the case of eIDAS)<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">The "nice" thing about these interpretations is that for CAs that are concerned about being beyond reproach, but still make the (unfortunate) choice to make use of delegated third parties, they can read these requirements as using the relevant
criteria from WebTrust or ETSI, under the existing supervisory scheme, and argue compliance. CAs that don't like to/don't want to know what their RAs are doing, and aren't as concerned about security, could reasonably argue that the applicability of the underlying
standard means the CA defines what the expectations are (for example, an "Agreed Upon Procedures" report - which I'm sure Don and Jeff will jump in mentioning the CSAE limitations there), and then allow 'anyone' to perform that audit, modulo the IFAC standards
with respect to professional licensure.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</div>
</div>
<p class="MsoNormal"><br>
<br>
<o:p></o:p></p>
<pre>_______________________________________________<o:p></o:p></pre>
<pre>Public mailing list<o:p></o:p></pre>
<pre><a href="mailto:Public@cabforum.org">Public@cabforum.org</a><o:p></o:p></pre>
<pre><a href="https://nam05.safelinks.protection.outlook.com/?url=https%3A%2F%2Fcabforum.org%2Fmailman%2Flistinfo%2Fpublic&data=02%7C01%7Cjward%40bdo.com%7C06ce049c9058450a0dac08d6f4232457%7C6e57fc1a413e405091da7d2dc8543e3c%7C0%7C0%7C636964829104531606&sdata=TRTwBxY8KX21izp302b5%2BNPsWq29N3f4D0odkcBM2%2Bw%3D&reserved=0">https://cabforum.org/mailman/listinfo/public</a><o:p></o:p></pre>
</blockquote>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</div>
<br>
<br>
<span style="FONT-SIZE: 10pt; FONT-FAMILY: "Calibri","sans-serif"; COLOR: black; mso-fareast-font-family: Calibri; mso-fareast-theme-font: minor-latin; mso-bidi-font-family: "Times New Roman"; mso-ansi-language: EN-US; mso-fareast-language: EN-US; mso-bidi-language: AR-SA"><strong><em>BDO
USA, LLP, a Delaware limited liability partnership, is the U.S. member of BDO International Limited, a UK company limited by guarantee, and forms part of the international BDO network of independent member firms.
<br>
<br>
BDO is the brand name for the BDO network and for each of the BDO Member Firms.<br>
<br>
IMPORTANT NOTICES<br>
<br>
The contents of this email and any attachments to it may contain privileged and confidential information from BDO USA, LLP. This information is only for the viewing or use of the intended recipient. If you are not the intended recipient, you are hereby notified
that any disclosure, copying, distribution or use of, or the taking of any action in reliance upon, the information contained in this e-mail, or any of the attachments to this e-mail, is strictly prohibited and that this e-mail and all of the attachments to
this e-mail, if any, must be immediately returned to BDO USA, LLP or destroyed and, in either case, this e-mail and all attachments to this e-mail must be immediately deleted from your computer without making any copies hereof. If you have received this e-mail
in error, please notify BDO USA, LLP by e-mail immediately.</em></strong></span><br>
<br>
</body>
</html>