[cabfpub] DRAFT Certificate System Operational Security Requirements

Ben Wilson ben at digicert.com
Fri Feb 1 16:43:26 UTC 2013

We could also redline the WebTrust audit criteria and the ETSI standards as contemporaneous part of the effort if people would like to follow that approach.  That is what I started to do last time, but that in itself is nearly a full time job, and it needs to be done by a limited number of editors who can stay up to speed on what is already in those criteria.   Alternatively, and not to say this is the direction we should go, is to publish these CAB Forum security requirements with the understanding that they will be placed as interpretive guidance appendices to the WebTrust and ETSI criteria. 


From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of kirk_hall at trendmicro.com
Sent: Friday, February 01, 2013 8:26 AM
To: jeremy.rowley at digicert.com; public at cabforum.org
Subject: Re: [cabfpub] DRAFT Certificate System Operational Security Requirements


Jeremy – remind me – will these Security Requirements be incorporated into the regular WebTrust audit criteria?  I hope so.


We already have 3 audits to do each year – WebTrust, EV WebTrust, and BR WebTrust.  I don’t want to have to do a fourth audit, and these Security Guidelines already shade into topic covered by WebTrust.


Having said that – wouldn’t it make sense to try to draft these Security Guidelines now so they “fit” into the WebTrust 2.0 audit criteria?  Maybe even show them as potential amendments to existing WebTrust 2.0?


From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Jeremy Rowley
Sent: Friday, February 01, 2013 12:13 AM
To: public at cabforum.org
Subject: [cabfpub] DRAFT Certificate System Operational Security Requirements


Hi everyone, 


Attached is a draft of part two of the Forum’s security requirements.  These requirements ask CA’s to consider how management of the CA can impact security and trust.  Requirements that will eventually become part of the audit include guidelines on asset protection, certificate system and operational controls, and software development practices.  The overall goal of part two is to prevent situations similar to the TurkTrust incident from re-occurring.  


The commentary in the document is only intended to initiate discussion on the various topics and will be removed prior to adoption. Once these are adopted, we can work on the final part of the security guidelines, requirements on a CA’s physical security.


I look forward to your feedback.




The information contained in this email and any attachments is confidential 
and may be subject to copyright or other intellectual property protection. 
If you are not the intended recipient, you are not authorized to use or 
disclose this information, and we request that you notify us by reply mail or
telephone and delete the original message from your mail system.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20130201/020b8b0e/attachment-0003.html>

More information about the Public mailing list