[cabfpub] Next Published Version of Baseline Requirements

Jeremy Rowley jeremy.rowley at digicert.com
Tue Mar 26 09:53:19 MST 2013


I don’t think so.  My understanding is we would make things effective as
soon as they passed, but the auditors would make audit standard or make
audit changes in accordance with the process established in Mountain View.
CAs should comply with the baseline requirements when a change is made, but
they aren’t audited for compliance until WebTrust and ETSI are ready.

Jeremy

 

From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On
Behalf Of Sheehy, Don (CA - Toronto)
Sent: Tuesday, March 26, 2013 10:45 AM
To: ben at digicert.com; public at cabforum.org
Subject: Re: [cabfpub] Next Published Version of Baseline Requirements

 

With the discussion below – are we abandoning what we had discussed in the
Mountain View meeting – agreeing on a fixed timetable for standards and audit
changes? It seems we are back to let’s make a change and make it effective
as soon as we pass it.  

 

What we have below could create a variety of inconsistent applications of
standards, both Baseline as well as audit.

 

Don

 

 

 

Donald E. Sheehy, CPA, CA·CISA, CRISC, CIPP/C 
Partner | Enterprise Risk 
Deloitte

 

From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On
Behalf Of Ben Wilson
Sent: Monday, March 18, 2013 5:39 PM
To: public at cabforum.org
Subject: Re: [cabfpub] Next Published Version of Baseline Requirements

 

All,

Here is the pre-publication draft of version 1.1.3 of the Baseline
Requirements as outlined in my previous emails.  Let’s discuss on Thursday’s
call.

Ben

 

From: Ben Wilson [mailto:ben at digicert.com] 
Sent: Monday, March 18, 2013 12:38 PM
To: 'public at cabforum.org'
Subject: RE: [cabfpub] Next Published Version of Baseline Requirements

 

All,

 

The WebTrust Task Force has helpful language in version 1.1, Audit Criteria
for Baseline Requirements, which I would like to re-purpose in one of the
title pages for version 1.1.3 of the BRs.  

 

What if we said?

 

Implementers’ Note:  Version 1.1 of the SSL Baseline Requirements was
published on September 14, 2012.  Version 1.1 of WebTrust’s SSL Baseline
Audit Criteria and ETSI Technical Standard Electronic Signatures and
Infrastructures (ESI) 102 042 version 2.3.1 incorporate version 1.1 of these
Baseline Requirements and are currently in effect.  See
http://www.webtrust.org/homepage-documents/item27839.aspx and
http://www.etsi.org/deliver/etsi_ts/102000_102099/102042/02.03.01_60/ts_102042v020301p.pdf.
The CA / Browser Forum continues to improve the Baseline
Requirements, and we encourage all CAs to conform to each revision on the
date specified without awaiting a corresponding update to an applicable
audit criterion.  In the event of a conflict between an existing audit
criterion and a guideline revision, we will communicate with the audit
community and attempt to resolve any uncertainty, and we will respond to
implementation questions directed to questions at cabforum.org.  Our
coordination with compliance auditors will continue as we develop guideline
revision cycles that harmonize with the revision cycles for audit criteria,
the compliance auditing periods and cycles of CAs, and the CA / B Forum’s
guideline implementation dates. 

 

(Also, instead of creating a redline from version 1.0, it should be based on
BR 1.1 because I think that is what was used for ETSI TS 102 042 V2.3.1 (and
certainly for v.1.1 of WebTrust for the BRs) and from my review, the changes
do not make comparison for compliance purposes that difficult.)

 

Ben  

 

From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On
Behalf Of Ben Wilson
Sent: Friday, March 15, 2013 6:14 PM
To: public at cabforum.org
Subject: [cabfpub] Next Published Version of Baseline Requirements

 

All,

 

In response to Gerv’s email of 28-Jan-2013 (“[cabfpub] CAB Forum Document
Versioning”), and changes related to Ballots 71, 93, 96, and 97, I am
preparing a proposed version 1.1.3 of the Baseline Requirements – see
attached “Document History” table.  Also, to address other comments on that
same “Versioning” thread, and also to address BR Issue 33 – Title Pages –
“No single place to view effective dates”, I’ve created a table of
compliance dates.   Please review both tables on the attached page.  

 

To further address comments about ongoing improvements to the Baseline
Requirements, I have two more suggestions:  (1) we have room for text on
this page that could explain a little about how to comply with post-v.1.0
versions of the BRs, assuming CAs are audited under WebTrust for CAs – SSL
Baseline Requirements Audit Criteria, V1.0, or ETSI TS 102 042 V2.3.1; and
(2) it will be relatively easy to create a redlined PDF that compares BR v.
1.1.3 to BR v. 1.0, so that anyone looking at a WebTrust or ETSI audit can
determine whether any post-BR v1.0 changes are relevant to their
consideration.

 

Ben
