[cabfpub] Next Published Version of Baseline Requirements

i-barreira at izenpe.net i-barreira at izenpe.net
Tue Apr 2 09:14:30 UTC 2013


Hi, I think Don is right and I was kindly invited to belong to that group that I don't have any additional info.

 

Anyway, I said that this (I guess it is about the 6-month period of time) was going to be discussed in the ESI meeting in March in Barcelona and, according to the M/460 phase 2, well, the STFs are made (and they started on April 1st) and now we're deciding/defining a proposition to send to the Munich meeting.

 

Regards

 

 

Iñigo Barreira
Head of the Technical Area
i-barreira at izenpe.net

945067705

 

 


 

From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Sheehy, Don (CA - Toronto)
Sent: Tuesday, March 26, 2013 19:35
To: jeremy.rowley at digicert.com; ben at digicert.com; public at cabforum.org; kirk_hall at trendmicro.com
Subject: Re: [cabfpub] Next Published Version of Baseline Requirements

 

Then we are back in the same issue - what date would you be audited back to? We saw that with baseline 1.0 - we did not audit back to July 1 - since the Browsers only needed point in time right now - with period of time next year. 

 

And if compliance audit only starts once the audit requirements are set, there is little impetus for the CA to push through the change to make sure they are compliant at the earlier date.

 

I thought we were forming a sub-group to discuss all this and were just waiting for ETSI?

 

 

 

 

Donald E. Sheehy, CPA, CA·CISA, CRISC, CIPP/C 
Partner | Enterprise Risk 
Deloitte

 

From: Jeremy Rowley [mailto:jeremy.rowley at digicert.com] 
Sent: Tuesday, March 26, 2013 12:53 PM
To: Sheehy, Don (CA - Toronto); ben at digicert.com; public at cabforum.org
Subject: RE: [cabfpub] Next Published Version of Baseline Requirements

 

I don't think so.  My understanding is we would make things effective as soon as they passed, but the auditors would make audit standard or make audit changes in accordance with the process established in Mountain View. CAs should comply with the baseline requirements when a change is made, but they aren't audited for compliance until Webtrust and ETSI are ready.

Jeremy

 

From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Sheehy, Don (CA - Toronto)
Sent: Tuesday, March 26, 2013 10:45 AM
To: ben at digicert.com; public at cabforum.org
Subject: Re: [cabfpub] Next Published Version of Baseline Requirements

 

With the discussion below - are we abandoning what we had discussed in the Mountain View meeting - agreeing on a fixed timetable for standards and audit changes? It seems we are back to let's make a change and make it effective as soon as we pass it.

 

What we have below could create a variety of inconsistent applications of standards, both Baseline as well as audit.

 

Don

 

 

 

Donald E. Sheehy, CPA, CA·CISA, CRISC, CIPP/C 
Partner | Enterprise Risk 
Deloitte

 

From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Ben Wilson
Sent: Monday, March 18, 2013 5:39 PM
To: public at cabforum.org
Subject: Re: [cabfpub] Next Published Version of Baseline Requirements

 

All,

Here is the pre-publication draft of version 1.1.3 of the Baseline Requirements as outlined in my previous emails.  Let's discuss on Thursday's call.

Ben

 

From: Ben Wilson [mailto:ben at digicert.com] 
Sent: Monday, March 18, 2013 12:38 PM
To: 'public at cabforum.org'
Subject: RE: [cabfpub] Next Published Version of Baseline Requirements

 

All,

 

The WebTrust Task Force has helpful language in version 1.1, Audit Criteria for Baseline Requirements, which I would like to re-purpose in one of the title pages for version 1.1.3 of the BRs.  

 

What if we said?

 

Implementers' Note:  Version 1.1 of the SSL Baseline Requirements was published on September 14, 2012.  Version 1.1 of WebTrust's SSL Baseline Audit Criteria and ETSI Technical Standard Electronic Signatures and Infrastructures (ESI) 102 042 version 2.3.1 incorporate version 1.1 of these Baseline Requirements and are currently in effect.  See http://www.webtrust.org/homepage-documents/item27839.aspx and http://www.etsi.org/deliver/etsi_ts/102000_102099/102042/02.03.01_60/ts_102042v020301p.pdf.  The CA / Browser Forum continues to improve the Baseline Requirements, and we encourage all CAs to conform to each revision on the date specified without awaiting a corresponding update to an applicable audit criterion.  In the event of a conflict between an existing audit criterion and a guideline revision, we will communicate with the audit community and attempt to resolve any uncertainty, and we will respond to implementation questions directed to questions at cabforum.org.  Our coordination with compliance auditors will continue as we develop guideline revision cycles that harmonize with the revision cycles for audit criteria, the compliance auditing periods and cycles of CAs, and the CA / B Forum's guideline implementation dates. 

 

(Also, instead of creating a redline from version 1.0, it should be based on BR 1.1 because I think that is what was used for ETSI TS 102 042 V2.3.1 (and certainly for v.1.1 of WebTrust for the BRs) and from my review, the changes do not make comparison for compliance purposes that difficult.)

 

Ben  

 

From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Ben Wilson
Sent: Friday, March 15, 2013 6:14 PM
To: public at cabforum.org
Subject: [cabfpub] Next Published Version of Baseline Requirements

 

All,

 

In response to Gerv's email of 28-Jan-2013 ("[cabfpub] CAB Forum Document Versioning"), and changes related to Ballots 71, 93, 96, and 97, I am preparing a proposed version 1.1.3 of the Baseline Requirements - see attached "Document History" table.  Also, to address other comments on that same "Versioning" thread, and also to address BR Issue 33 - Title Pages - "No single place to view effective dates", I've created a table of compliance dates.   Please review both tables on the attached page.  

 

To further address comments about ongoing improvements to the Baseline Requirements, I have two more suggestions: (1) we have room for text on this page that could explain a little about how to comply with post-v.1.0 versions of the BRs, assuming CAs are audited under WebTrust for CAs - SSL Baseline Requirements Audit Criteria, V1.0, or ETSI TS 102 042 V2.3.1; and (2) it will be relatively easy to create a redlined PDF that compares BR v. 1.1.3 to BR v. 1.0, so that anyone looking at a WebTrust or ETSI audit can determine whether any post-BR v1.0 changes are relevant to their consideration.

 

Ben
