[cabfpub] DRAFT Certificate System Operational Security Requirements

kirk_hall at trendmicro.com
Fri Feb 1 15:26:03 UTC 2013

Jeremy - remind me - will these Security Requirements be incorporated into the regular WebTrust audit criteria?  I hope so.

We already have 3 audits to do each year - WebTrust, EV WebTrust, and BR WebTrust.  I don't want to have to do a fourth audit, and these Security Guidelines already shade into topics covered by WebTrust.

Having said that - wouldn't it make sense to try to draft these Security Guidelines now so they "fit" into the WebTrust 2.0 audit criteria?  Maybe even show them as potential amendments to existing WebTrust 2.0?

From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Jeremy Rowley
Sent: Friday, February 01, 2013 12:13 AM
To: public at cabforum.org
Subject: [cabfpub] DRAFT Certificate System Operational Security Requirements

Hi everyone,

Attached is a draft of part two of the Forum's security requirements.  These requirements ask CAs to consider how management of the CA can impact security and trust.  Requirements that will eventually become part of the audit include guidelines on asset protection, certificate system and operational controls, and software development practices.  The overall goal of part two is to prevent situations similar to the TurkTrust incident from re-occurring.

The commentary in the document is only intended to initiate discussion on the various topics and will be removed prior to adoption. Once these are adopted, we can work on the final part of the security guidelines, requirements on a CA's physical security.

I look forward to your feedback.

