[cabfpub] Auditability of EV 1.4 and other CABF Guidelines

i-barreira at izenpe.net i-barreira at izenpe.net
Thu Nov 15 09:36:01 UTC 2012

In the case of ETSI this is similar to what Don is saying. It's not "fair" that the CABF can publish its guidelines/requirements and then ask ETSI/WebTrust to update/adopt their documents in a rush; it takes time and is not easy to do.
In my opinion, once the CABF has approved a document, it should give that document to ETSI/WebTrust to study and work on to update their standards. At the same time as it is published on the CABF site, ETSI and WebTrust can have their documents ready to be audited, with no need to set an "effective date" or similar.

Iñigo Barreira
Head of the Technical Area
i-barreira at izenpe.net

WARNING! Part or all of this message may be legally protected. The message has its intended recipient. If it has reached the wrong address (address mistyped, transmission failed), notify the sender by replying to this e-mail. CAUTION!
ATTENTION! This message contains privileged or confidential information that only the recipient is entitled to access. If you receive it in error, we would be grateful if you did not make use of the information and contacted the sender.

-----Original Message-----
From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Sheehy, Don (CA - Toronto)
Sent: Tuesday, 13 November 2012 15:38
To: Gervase Markham; ben at digicert.com
CC: public at cabforum.org
Subject: Re: [cabfpub] Auditability of EV 1.4 and other CABF Guidelines

Gerv - I think you have misunderstood. The issue that I pointed out was that we just needed to "freeze" a version to allow for consistent auditing. WebTrust EV was based on EV 1.3 - you can always look at the web site to say "there were the control and operational requirements". When EV 1.4 (developed in May) pointed to controls that were approved for use in July and then changed again in September, the ability to perform the audit under 1.4 is more difficult (since the measuring stick continues to move, although the EV version remains the same). All I asked for is that, in the future, the EV guidelines become whole in their own right again to facilitate audit and not refer to guidelines that will change in the future before 1.6 is developed (creating a number of versions that each can have audit ramifications). When the new EV std 1.5 is approved, we will create WebTrust EV 1.5. We cannot change audit standards on a weekly basis - all need to go through due process.

In the past, as you remember, EV did not create a new version that incorporated all of the weekly proposed changes until the vote was taken on a new revised version. This is what we based our audit revision on, in agreement with the Forum.

It does not matter when CA/B approves a standard as long as it can be frozen at that requirement until there are changes that are so significant that a formal revised version is again needed and approved. 

Donald E. Sheehy, CA·CISA, CRISC, CIPP/C Partner | Enterprise Risk Deloitte

-----Original Message-----
From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Gervase Markham
Sent: Monday, November 12, 2012 5:27 AM
To: ben at digicert.com
Cc: public at cabforum.org
Subject: Re: [cabfpub] Auditability of EV 1.4 and other CABF Guidelines

On 09/11/12 23:12, Ben Wilson wrote:
> Thanks, Don.  I’m just thinking out loud here, but what if we were to 
> start working toward a two-session model for ballots and effective 
> dates?

I wonder whether that would slow down our already not-stellar pace of improvements.

How about if we instead instituted a proper revision-numbering scheme, with major, minor and patchlevel numbering? In that world, why does changing the EV Guidelines and the BRs cause a problem for WebTrust and ETSI? We could coordinate with them over where a good point for them to "freeze" was, and then they would go into a round of updates saying "We want to make our audit standards match EV 1.4.54 and BR 1.1.17". This would take as long as it takes, and once it was completed, when they felt the need, they could do a new round to make them match EV 1.5.2 and BR 1.3.27. And so on.

Public mailing list
Public at cabforum.org

Confidentiality Warning: This message and any attachments are intended only for the use of the intended recipient(s), are confidential, and may be privileged. If you are not the intended recipient, you are hereby notified that any review, retransmission, conversion to hard copy, copying, circulation or other use of this message and any attachments is strictly prohibited. If you are not the intended recipient, please notify the sender immediately by return e-mail, and delete this message and any attachments from your system. Thank you.