<div dir="ltr"><span id="m_-6008560847519968577m_7111256940033919337gmail-docs-internal-guid-63e552b3-7fff-4e0b-3ffa-2c8a1f38a464"><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:12pt"><span style="font-size:11pt;font-family:Arial;color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap">Hi SCWG:</span></p><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:12pt"><span style="font-size:11pt;font-family:Arial;color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap">The following document is the result of work by the Cloud Services subgroup as a follow-up to SCWG subgroup discussions during the </span><a href="https://wiki.cabforum.org/meeting_53_minutes#cloud_service_providers_discussion" style="text-decoration-line:none" target="_blank"><span style="font-size:11pt;font-family:Arial;background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;text-decoration-line:underline;vertical-align:baseline;white-space:pre-wrap">F2F on Tuesday, 15-June-2021</span></a><span style="font-size:11pt;font-family:Arial;color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap">. We welcome your comments and suggestions within the next two weeks. </span></p><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:12pt"><span style="font-size:11pt;font-family:Arial;color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap">Many CAs now use cloud services to perform data processing, storage, and distribution operations. 
The Baseline Requirements and the Network and Certificate System Security Requirements (NSRs) do not provide much clarity on how CAs can utilize such services in running parts of their infrastructure, but as the trend to utilize cloud services continues, there needs to be an effective source of third-party assurance for each service provided. A key question in this context is how audits should be performed.</span></p><p dir="ltr" style="line-height:1.38;margin-top:12pt;margin-bottom:12pt"><span style="font-size:11pt;font-family:Arial;color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap">Under the current WebTrust/ETSI audit regimes, browsers rely predominantly on the CA’s annual audit report(s) to assess the security of CA services. Our working group has looked at different models by which auditors can assess the security of the CA using a Cloud Service Provider (CSP). We would like to ask you for your input on these models to determine which one is the most suitable. Also, we would appreciate any ideas on alternative approaches that we might not have thought of. 
</span></p><div><font color="#000000" face="Arial"><span style="font-size:14.6667px;white-space:pre-wrap">Best regards,</span></font></div><div><font color="#000000" face="Arial"><span style="font-size:14.6667px;white-space:pre-wrap">David</span></font></div><div><span style="font-size:14.6667px;white-space:pre-wrap;color:rgb(0,0,0);font-family:Arial">for the Cloud Services subgroup</span></div><p dir="ltr" style="line-height:1.38;margin-top:12pt;margin-bottom:12pt"><span style="font-size:11pt;font-family:Arial;color:rgb(0,0,0);background-color:transparent;font-weight:700;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap"><br></span></p><p dir="ltr" style="line-height:1.38;margin-top:12pt;margin-bottom:12pt"><span style="font-size:11pt;font-family:Arial;color:rgb(0,0,0);background-color:transparent;font-weight:700;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap">Audit Model Proposals</span></p><p dir="ltr" style="line-height:1.38;margin-top:12pt;margin-bottom:12pt"><span style="font-size:11pt;font-family:Arial;color:rgb(0,0,0);background-color:transparent;font-weight:700;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap">Model 1</span><span style="font-size:11pt;font-family:Arial;color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap"> – Direct audit: third party controls included in CA audit</span></p><p dir="ltr" style="line-height:1.38;margin-top:12pt;margin-bottom:12pt"><span style="font-size:11pt;font-family:Arial;color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap">The CA’s auditor includes third parties into the CA’s audit report. Control testing at the third party is performed by the CA’s auditor directly. 
This model assumes that the CA has some control over the CSP and that no changes to the NSRs will be needed.</span></p><p dir="ltr" style="line-height:1.38;margin-top:12pt;margin-bottom:12pt"><span style="font-size:11pt;font-family:Arial;color:rgb(0,0,0);background-color:transparent;font-weight:700;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap">Model 2</span><span style="font-size:11pt;font-family:Arial;color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap"> – Indirect audit through the CA’s supplier management process</span></p><p dir="ltr" style="line-height:1.38;margin-top:12pt;margin-bottom:12pt"><span style="font-size:11pt;font-family:Arial;color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap">CAs would be required to formally document their supplier management processes that include a review of the CSP’s compliance with applicable security requirements from the Baseline Requirements and NSRs. Auditors would then audit the CA based on the documentation collected, and the effectiveness of the process would be assessed as part of the CA’s annual WebTrust/ETSI audit (indirect audit). The quality of the assessment process and audit would be ensured by applying WebTrust/ETSI audit criteria applicable to the service provided. This option is the most similar to existing processes used today by businesses with similar data security and audit requirements, such as financial institutions. 
For this model, a supplier-management section would be added to the NSRs.</span></p><p dir="ltr" style="line-height:1.38;margin-top:12pt;margin-bottom:12pt"><span style="font-size:11pt;font-family:Arial;color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap">Additionally, the cloud service subgroup could develop a methodology defining how this supplier management process must operate, what types of audits are acceptable, and how to evaluate the quality and applicability of such indirect audits.</span></p><p dir="ltr" style="line-height:1.38;margin-top:12pt;margin-bottom:12pt"><span style="font-size:11pt;font-family:Arial;color:rgb(0,0,0);background-color:transparent;font-weight:700;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap">Model 3</span><span style="font-size:11pt;font-family:Arial;color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap"> – Separate audits for the CA and its cloud service providers</span></p><p dir="ltr" style="line-height:1.38;margin-top:12pt;margin-bottom:12pt"><span style="font-size:11pt;font-family:Arial;color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap">CSPs are audited directly against the relevant security standards. CSPs would provide their audit reports directly to the browsers. CAs would make use of CSPs with accepted reports. 
For this model, the NSRs would be modified to identify which subset of requirements applies to CSPs.</span></p><p dir="ltr" style="line-height:1.38;margin-top:12pt;margin-bottom:12pt"><span style="font-size:11pt;font-family:Arial;color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap">Alternatively, CSPs could be audited directly against the relevant security standards and submit their audits to CAs who enclose them in their annual audit report delivery in the Common CA Database (CCADB).</span></p><p dir="ltr" style="line-height:1.38;margin-top:12pt;margin-bottom:12pt"><span style="font-size:11pt;font-family:Arial;color:rgb(0,0,0);background-color:transparent;font-weight:700;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap">Model 4</span><span style="font-size:11pt;font-family:Arial;color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap"> – Separate audits for CSPs with browser-approved auditors</span></p><p dir="ltr" style="line-height:1.38;margin-top:12pt;margin-bottom:12pt"><span style="font-size:11pt;font-family:Arial;color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap">Past discussions have brought up the idea that browsers could audit CSPs directly or maintain a list of approved CSPs whose products and security controls are deemed acceptable for the respective CA service. This model would give browsers more control over the audit process and could increase their confidence in the quality of the audit opinion. An approved vendor list would allow browsers to vet CSPs only once. 
While the approved CSP list would reduce the number of CSP reviews (versus the number of CAs included in root programs), there are a number of problems with this model. One is that some browsers do not have the resources to perform audits of this magnitude, and especially not in the required quantity and on an international level. Another is that CSPs probably do not look forward to being directly responsible for additional audits from another industry, especially not for the small number of CAs globally. There are also concerns about the management and complexity of such a program.</span></p></span></div>