[cabfpub] Auditability of EV 1.4 and other CABF Guidelines

Ben Wilson ben at digicert.com
Fri Nov 9 16:51:07 UTC 2012



Removing some of the identical provisions from the EV Guidelines
(v.1.4) and replacing them with cross-references to the Baseline
Requirements has added a degree of complexity to the maintenance of audit
criteria for the EV Guidelines. Presently, and in the future, I think we
need to make a better effort to communicate and coordinate with ETSI and
WebTrust about our documents so that we facilitate the synchronization of
our requirements with their audit criteria. You'll note that our more
recent ballots passing major revisions of guideline documents specified that
we would work with ETSI and WebTrust to achieve this coordination /
synchronization. For example, the May 29, 2012 EV criteria that were
referenced to baseline criteria (effective July 1, 2012) and further
modified under version 1.1 (effective September 14, 2012) have created a
moving target. Now, when we make revisions to the Baseline Requirements,
the EV Guidelines are also effectively changed. We need to work on a
formalized document release cycle that does not have effective dates all
over the place, and which stays in pace with the ETSI and WebTrust
criteria-adoption cycles. It would be good to form a committee to work on
this issue. Specifically, a primary objective of the charter for such a
working group would be to ensure that the next full release of a CAB Forum
document contemplates ahead of time the ETSI and WebTrust versions in which
those criteria will appear and become auditable. The work of such a
committee is essential for the development of an understandable and globally
consistent set of audit criteria. One thing for such a committee to consider
in working with ETSI and WebTrust is the extent to which our Baseline
Requirements can serve as the "flagship" of an audit scheme. I would
envision a future where "WebTrust for CAs" and the comparable ETSI audit
serve as the primary framework (without having a special "Baseline
Requirements" WebTrust seal, unless it says something along the lines of
"WebTrust for CAs +BR +EV"). Does that make sense? In other words, we need
to take our Baseline Requirements, EV Guidelines, and Security document, and
see what the deltas are among WebTrust and ETSI requirements, as well as
the various root inclusion programs of Mozilla, Microsoft, Opera, etc.
Otherwise, we're going to be causing ourselves nothing but heartache as we
attempt to improve CA industry practices because we will have members (and
those who are not members of the Forum) engaging in different practices
(whether for competitive advantage or merely due to ignorance).


Ben Wilson

CAB Forum Chair
