[cabfpub] Next Published Version of Baseline Requirements
Jeremy Rowley
jeremy.rowley at digicert.com
Tue Mar 26 09:53:19 MST 2013
I don't think so. My understanding is we would make things effective as
soon as they passed, but the auditors would make audit standard or make
audit changes in accordance with the process established in Mountain View.
CAs should comply with the baseline requirements when a change is made, but
they aren't audited for compliance until WebTrust and ETSI are ready.
Jeremy
From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On
Behalf Of Sheehy, Don (CA - Toronto)
Sent: Tuesday, March 26, 2013 10:45 AM
To: ben at digicert.com; public at cabforum.org
Subject: Re: [cabfpub] Next Published Version of Baseline Requirements
With the discussion below are we abandoning what we had discussed in the
Mountain View meeting agreeing on a fixed timetable for standards and audit
changes? It seems we are back to let's make a change and make it effective
as soon as we pass it.
What we have below could create a variety of inconsistent application of
standards both Baseline as well as audit.
Don
Donald E. Sheehy, CPA, CA·CISA, CRISC, CIPP/C
Partner | Enterprise Risk
Deloitte
From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On
Behalf Of Ben Wilson
Sent: Monday, March 18, 2013 5:39 PM
To: public at cabforum.org
Subject: Re: [cabfpub] Next Published Version of Baseline Requirements
All,
Here is the pre-publication draft of version 1.1.3 of the Baseline
Requirements as outlined in my previous emails. Let's discuss on Thursday's
call.
Ben
From: Ben Wilson [mailto:ben at digicert.com]
Sent: Monday, March 18, 2013 12:38 PM
To: 'public at cabforum.org'
Subject: RE: [cabfpub] Next Published Version of Baseline Requirements
All,
The WebTrust Task Force has helpful language in version 1.1, Audit Criteria
for Baseline Requirements, which I would like to re-purpose in one of the
title pages for version 1.1.3 of the BRs.
What if we said?
Implementers' Note: Version 1.1 of the SSL Baseline Requirements was
published on September 14, 2012. Version 1.1 of WebTrust's SSL Baseline
Audit Criteria and ETSI Technical Standard Electronic Signatures and
Infrastructures (ESI) 102 042 version 2.3.1 incorporate version 1.1 of these
Baseline Requirements and are currently in effect. See
http://www.webtrust.org/homepage-documents/item27839.aspx and
http://www.etsi.org/deliver/etsi_ts/102000_102099/102042/02.03.01_60/ts_102042v020301p.pdf.
The CA / Browser Forum continues to improve the Baseline
Requirements, and we encourage all CAs to conform to each revision on the
date specified without awaiting a corresponding update to an applicable
audit criterion. In the event of a conflict between an existing audit
criterion and a guideline revision, we will communicate with the audit
community and attempt to resolve any uncertainty, and we will respond to
implementation questions directed to questions at cabforum.org. Our
coordination with compliance auditors will continue as we develop guideline
revision cycles that harmonize with the revision cycles for audit criteria,
the compliance auditing periods and cycles of CAs, and the CA / B Forum's
guideline implementation dates.
(Also, instead of creating a redline from version 1.0, it should be based on
BR 1.1 because I think that is what was used for ETSI TS 102 042 V2.3.1 (and
certainly for v.1.1 of WebTrust for the BRs) and from my review, the changes
do not make comparison for compliance purposes that difficult.)
Ben
From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On
Behalf Of Ben Wilson
Sent: Friday, March 15, 2013 6:14 PM
To: public at cabforum.org
Subject: [cabfpub] Next Published Version of Baseline Requirements
All,
In response to Gerv's email of 28-Jan-2013 ([cabfpub] CAB Forum Document
Versioning), and changes related to Ballots 71, 93, 96, and 97, I am
preparing a proposed version 1.1.3 of the Baseline Requirements - see
attached Document History table. Also, to address other comments on that
same Versioning thread, and also to address BR Issue 33 - Title Pages -
No single place to view effective dates, I've created a table of
compliance dates. Please review both tables on the attached page.
To further address comments about ongoing improvements to the Baseline
Requirements, I have two more suggestions: (1) we have room for text on
this page that could explain a little about how to comply with post-v.1.0
versions of the BRs, assuming CAs are audited under WebTrust for CAs SSL
Baseline Requirements Audit Criteria, V1.0, or ETSI TS 102 042 V2.3.1; and
(2) it will be relatively easy to create a redlined PDF that compares BR v.
1.1.3 to BR v. 1.0, so that anyone looking at a WebTrust or ETSI audit can
determine whether any post-BR v1.0 changes are relevant to their
consideration.
Ben