[Cscwg-public] [EXTERNAL] WebTrust - EV Code Signing v.1.4.1 and ALV in the CCADB

Bruce Morton Bruce.Morton at entrust.com
Tue Jul 20 16:36:14 UTC 2021

Here is a proposal to allow the new WebTrust audit scheme, which is based on CSBR 2.0 or later. The proposal is to allow the older WebTrust audits to continue for audit periods which start before 1 November 2020. There is no date on the CSBR 2.0 audit scheme, which allows it also to be used for audit periods starting before 1 November 2021.

Delete the following text from Section 17.1 from the “Baseline Requirements for the Issuance and Management of Publicly‐Trusted Code Signing Certificates”, which currently reads as follows:

  1.  “WebTrust for CAs v2.0 or newer” AND “WebTrust for Certification Authorities – Publicly Trusted Code Signing Certificates v1.0.1 or newer”; or
  2.  “WebTrust for CAs v2.0 or newer” AND “WebTrust for Certification Authorities – Extended Validation Code Signing v1.4.1 or newer”; or
  3.  ETSI EN 319 411-1, which includes normative references to ETSI EN 319 401 (the latest version of the referenced ETSI documents should be applied); or
  4.  If a Government CA is required by its Certificate Policy to use a different internal audit scheme, it MAY use such scheme provided that the audit either (a) encompasses all requirements of one of the above schemes or (b) consists of comparable criteria that are available for public review.

Insert the following text from Section 17.1 from the “Baseline Requirements for the Issuance and Management of Publicly‐Trusted Code Signing Certificates”, which currently reads as follows:

  1.  For Audit Periods starting before 1 November 2020, “WebTrust for CAs v2.0 or newer” AND “WebTrust for Certification Authorities – Publicly Trusted Code Signing Certificates v1.0.1 or newer”; or
  2.  For Audit Periods starting before 1 November 2020, “WebTrust for CAs v2.0 or newer” AND “WebTrust for Certification Authorities – Extended Validation Code Signing v1.4.1 or newer”; or
  3.  “WebTrust for CAs v2.0 or newer” AND “WebTrust for Certification Authorities – Code Signing Baseline Requirements v2.0 or newer”; or
  4.  ETSI EN 319 411-1, which includes normative references to ETSI EN 319 401 (the latest version of the referenced ETSI documents should be applied); or
  5.  If a Government CA is required by its Certificate Policy to use a different internal audit scheme, it MAY use such scheme provided that the audit either (a) encompasses all requirements of one of the above schemes or (b) consists of comparable criteria that are available for public review.

If there are no comments and two endorsers, I can prepare a ballot for this change. This will also help Ben and the CCADB.

Thanks, Bruce.
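As an added example (not part of this thread, and not CA/Browser Forum or CCADB code), the following checker encodes the proposed Section 17.1 items 1 to 3 and the three-month posting deadline Bruce describes further down the thread. The shortened scheme labels, the function names and the reading of "three months" as the last day of the third calendar month after the period end (which reproduces the 31 December 2021 and 31 January 2022 dates in the thread) are this example's own assumptions.

```python
"""Eligibility check for the proposed CSBR Section 17.1 WebTrust schemes.

Added example; scheme labels are shortened here for readability and the
deadline rule is an assumption of this example, not CCADB's ALV logic.
"""
from __future__ import annotations

import calendar
from datetime import date

# Proposed text: items 1 and 2 apply only to audit periods starting before
# this date; item 3 (CSBR v2.0) carries no date restriction.
LEGACY_CUTOFF = date(2020, 11, 1)

WEBTRUST_CA = "WebTrust for CAs v2.0 or newer"
LEGACY_CS = "WebTrust CA - Publicly Trusted Code Signing Certificates v1.0.1 or newer"
LEGACY_EVCS = "WebTrust CA - Extended Validation Code Signing v1.4.1 or newer"
CSBR_2 = "WebTrust CA - Code Signing Baseline Requirements v2.0 or newer"


def eligible_webtrust_combinations(period_start: date) -> list[tuple[str, str]]:
    """Return the WebTrust scheme pairs acceptable for an audit period that
    starts on `period_start`, in the proposed numbering order."""
    combos: list[tuple[str, str]] = []
    if period_start < LEGACY_CUTOFF:
        combos.append((WEBTRUST_CA, LEGACY_CS))    # item 1
        combos.append((WEBTRUST_CA, LEGACY_EVCS))  # item 2
    combos.append((WEBTRUST_CA, CSBR_2))           # item 3, no date limit
    return combos


def accepts_evcs_141(period_start: date) -> bool:
    """True when an EVCS v1.4.1 audit is still acceptable for this period."""
    return any(LEGACY_EVCS in pair for pair in eligible_webtrust_combinations(period_start))


def report_satisfies(period_start: date, schemes_on_report: set[str]) -> bool:
    """ALV-style check: the audit letter must name every scheme of at least
    one eligible combination for the period's start date."""
    return any(set(pair) <= schemes_on_report
               for pair in eligible_webtrust_combinations(period_start))


def posting_deadline(period_end: date) -> date:
    """Assumed reading of the three-month posting deadline: the last day of
    the third calendar month after the period end (30 Sep 2021 -> 31 Dec 2021)."""
    month_index = period_end.month - 1 + 3
    year = period_end.year + month_index // 12
    month = month_index % 12 + 1
    return date(year, month, calendar.monthrange(year, month)[1])


if __name__ == "__main__":
    # Bruce's worked case: period 1 Oct 2020 to 30 Sep 2021, audited under EVCS 1.4.1.
    start, end = date(2020, 10, 1), date(2021, 9, 30)
    letter = {WEBTRUST_CA, LEGACY_EVCS}  # constructed sample audit-letter contents
    print("EVCS 1.4.1 acceptable:", accepts_evcs_141(start))
    print("letter satisfies 17.1:", report_satisfies(start, letter))
    print("post report by:", posting_deadline(end))
    # A period starting on the cut-off date needs the CSBR v2.0 scheme instead.
    print("letter ok for 1 Nov 2020 start:", report_satisfies(LEGACY_CUTOFF, letter))
```

The check deliberately compares scheme names rather than free text so that a letter which omits a required scheme name fails, which is the kind of mismatch the ALV error in Ben's message reports.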

From: Cscwg-public <cscwg-public-bounces at cabforum.org> On Behalf Of Bruce Morton via Cscwg-public
Sent: Wednesday, July 14, 2021 2:35 PM
To: Ben Wilson <bwilson at mozilla.com>
Cc: cscwg-public at cabforum.org
Subject: Re: [Cscwg-public] [EXTERNAL] WebTrust - EV Code Signing v.1.4.1 and ALV in the CCADB

Hi Ben,

WebTrust has created an audit scheme which covers both non-EV and EV Code Signing certificates. The CSCWG has not referenced the audit scheme in the CSBRs. Here is a draft of text, which would allow EVCS 1.4.1 for audit periods starting before 1 November 2020, but require CSBR 2.0 for audit periods starting on or after 1 November 2020.

We would still need to discuss this with the CSCWG, but I have not heard of any negative feedback based on the position that WebTrust took when it generated the new audit criteria.

17.1 Eligible Audit Schemes
The CA MUST undergo a conformity assessment audit for compliance with these Requirements performed in accordance with one of the following schemes:

  1.  For Audit Periods starting before 1 November 2020, “WebTrust for CAs v2.0 or newer” AND “WebTrust for Certification Authorities – Publicly Trusted Code Signing Certificates v1.0.1 or newer”; or
  2.  For Audit Periods starting before 1 November 2020, “WebTrust for CAs v2.0 or newer” AND “WebTrust for Certification Authorities – Extended Validation Code Signing v1.4.1 or newer”; or
  3.  For Audit Periods starting on or after 1 November 2020, “WebTrust for CAs v2.0 or newer” AND “WebTrust for Certification Authorities – Code Signing Baseline Requirements v2.0 or newer”; or
  4.  ETSI EN 319 411-1, which includes normative references to ETSI EN 319 401 (the latest version of the referenced ETSI documents should be applied); or
  5.  If a Government CA is required by its Certificate Policy to use a different internal audit scheme, it MAY use such scheme provided that the audit either (a) encompasses all requirements of one of the above schemes or (b) consists of comparable criteria that are available for public review.

I will add to the CSCWG agenda for tomorrow’s meeting.

Thanks, Bruce.

From: Ben Wilson <bwilson at mozilla.com>
Sent: Tuesday, July 13, 2021 4:01 PM
To: Bruce Morton <Bruce.Morton at entrust.com>
Cc: cscwg-public at cabforum.org
Subject: Re: [EXTERNAL] [Cscwg-public] WebTrust - EV Code Signing v.1.4.1 and ALV in the CCADB

It seems that additional work is needed to replace the EV Guidelines for Code Signing.  For instance, section 17.1 of the Baseline Requirements for Code Signing says that the eligible audit scheme (for Baseline) can be “WebTrust for CAs v2.0 or newer” AND “WebTrust for Certification Authorities – Extended Validation Code Signing v1.4.1 or newer”, but it doesn't seem to be the other way around (that the BRCS is sufficient for EVCS).  Does this working group have plans to replace the EV Guidelines for Code Signing with a unified guideline document?

On Tue, Jul 13, 2021 at 12:20 PM Bruce Morton <Bruce.Morton at entrust.com> wrote:
Hi Ben,

Based on how I interpret the requirements for the new CSBR v2.0 audit criteria, it should be used for all audit periods starting on or after 1 November 2020. So that would mean that EVCS 1.4.1 could be used for periods starting before 1 November 2020. With a 3 month posting deadline, you could see EVCS 1.4.1 audit reports posted until 31 January 2022 (or later for late reports).

For example, if an audit period started on 1 October 2020 and ended on 30 September 2021, then the CA could use EVCS 1.4.1 and must post the report by 31 December 2021.


From: Cscwg-public <cscwg-public-bounces at cabforum.org> On Behalf Of Ben Wilson via Cscwg-public
Sent: Tuesday, July 13, 2021 1:55 PM
To: cscwg-public at cabforum.org
Subject: [EXTERNAL] [Cscwg-public] WebTrust - EV Code Signing v.1.4.1 and ALV in the CCADB

In reference to the Webtrust Principles and Criteria and the CCADB's ALV processing of audit letters, see
https://www.cpacanada.ca/en/business-and-accounting-resources/audit-and-assurance/overview-of-webtrust-services/principles-and-criteria, which mentions
WebTrust for EV CS v. 1.4.1.  At what point will a requirement for v. 1.4.1 go away, if it will?  The reason I ask is that the CCADB gave me an ALV error recently when it processed an EV CS audit letter because it did not specifically mention WebTrust EV CS v. 1.4.1.
