[cabfpub] DRAFT Certificate System Operational Security Requirements

Jeremy Rowley jeremy.rowley at digicert.com
Fri Feb 1 16:13:19 UTC 2013

Yes, these will be added to the network security guidelines to create one set of security requirements that are part of WebTrust and ETSI.  Most of the requirements are already included as illustrative controls under either WebTrust or ETSI.  These changes will make the two audits more uniform and change certain illustrative controls into mandatory requirements.

These new requirements are drafted to match the format and style of the Network Security Guidelines.  I don’t think we should draft them as amendments to WebTrust 2.0 since they apply equally to ETSI and ISO audits.  However, I will make a mapping document available to the auditors (and anyone else interested in seeing the correlation) to help streamline their updates to the audit criteria.

From: kirk_hall at trendmicro.com [mailto:kirk_hall at trendmicro.com] 
Sent: Friday, February 01, 2013 8:26 AM
To: jeremy.rowley at digicert.com; public at cabforum.org
Subject: RE: [cabfpub] DRAFT Certificate System Operational Security Requirements
Jeremy – remind me – will these Security Requirements be incorporated into the regular WebTrust audit criteria?  I hope so.

We already have 3 audits to do each year – WebTrust, EV WebTrust, and BR WebTrust.  I don’t want to have to do a fourth audit, and these Security Guidelines already shade into topics covered by WebTrust.
Having said that – wouldn’t it make sense to try to draft these Security Guidelines now so they “fit” into the WebTrust 2.0 audit criteria?  Maybe even show them as potential amendments to existing WebTrust 2.0?
From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Jeremy Rowley
Sent: Friday, February 01, 2013 12:13 AM
To: public at cabforum.org
Subject: [cabfpub] DRAFT Certificate System Operational Security Requirements
Hi everyone, 

Attached is a draft of part two of the Forum’s security requirements.  These requirements ask CAs to consider how management of the CA can impact security and trust.  Requirements that will eventually become part of the audit include guidelines on asset protection, certificate system and operational controls, and software development practices.  The overall goal of part two is to prevent situations similar to the TurkTrust incident from recurring.
The commentary in the document is only intended to initiate discussion on the various topics and will be removed prior to adoption. Once these are adopted, we can work on the final part of the security guidelines, requirements on a CA’s physical security.
I look forward to your feedback.