[cabfpub] Next Published Version of Baseline Requirements

Sheehy, Don (CA - Toronto) dosheehy at deloitte.ca
Tue Mar 26 16:44:53 UTC 2013

With the discussion below - are we abandoning what we had discussed in the Mountain View meeting - agreeing on a fixed timetable for standards and audit changes? It seems we are back to "let's make a change and make it effective as soon as we pass it."

What we have below could create a variety of inconsistent applications of standards, both Baseline as well as audit.


Donald E. Sheehy, CPA, CA*CISA, CRISC, CIPP/C
Partner | Enterprise Risk

From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Ben Wilson
Sent: Monday, March 18, 2013 5:39 PM
To: public at cabforum.org
Subject: Re: [cabfpub] Next Published Version of Baseline Requirements

Here is the pre-publication draft of version 1.1.3 of the Baseline Requirements as outlined in my previous emails.  Let's discuss on Thursday's call.

From: Ben Wilson [mailto:ben at digicert.com]
Sent: Monday, March 18, 2013 12:38 PM
To: 'public at cabforum.org'
Subject: RE: [cabfpub] Next Published Version of Baseline Requirements


The WebTrust Task Force has helpful language in version 1.1, Audit Criteria for Baseline Requirements, which I would like to re-purpose in one of the title pages for version 1.1.3 of the BRs.

What if we said?

Implementers' Note:  Version 1.1 of the SSL Baseline Requirements was published on September 14, 2012.  Version 1.1 of WebTrust's SSL Baseline Audit Criteria and ETSI Technical Standard Electronic Signatures and Infrastructures (ESI) 102 042 version 2.3.1 incorporate version 1.1 of these Baseline Requirements and are currently in effect.  See http://www.webtrust.org/homepage-documents/item27839.aspx and http://www.etsi.org/deliver/etsi_ts/102000_102099/102042/02.03.01_60/ts_102042v020301p.pdf.  The CA / Browser Forum continues to improve the Baseline Requirements, and we encourage all CAs to conform to each revision on the date specified without awaiting a corresponding update to an applicable audit criterion.  In the event of a conflict between an existing audit criterion and a guideline revision, we will communicate with the audit community and attempt to resolve any uncertainty, and we will respond to implementation questions directed to questions at cabforum.org.  Our coordination with compliance auditors will continue as we develop guideline revision cycles that harmonize with the revision cycles for audit criteria, the compliance auditing periods and cycles of CAs, and the CA / B Forum's guideline implementation dates.

(Also, instead of creating a redline from version 1.0, it should be based on BR 1.1 because I think that is what was used for ETSI TS 102 042 V2.3.1 (and certainly for v.1.1 of WebTrust for the BRs) and from my review, the changes do not make comparison for compliance purposes that difficult.)


From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Ben Wilson
Sent: Friday, March 15, 2013 6:14 PM
To: public at cabforum.org
Subject: [cabfpub] Next Published Version of Baseline Requirements


In response to Gerv's email of 28-Jan-2013 ("[cabfpub] CAB Forum Document Versioning"), and changes related to Ballots 71, 93, 96, and 97, I am preparing a proposed version 1.1.3 of the Baseline Requirements - see attached "Document History" table.  Also, to address other comments on that same "Versioning" thread, and also to address BR Issue 33 - Title Pages - "No single place to view effective dates", I've created a table of compliance dates.   Please review both tables on the attached page.

To further address comments about ongoing improvements to the Baseline Requirements, I have two more suggestions:  (1) we have room for text on this page that could explain a little about how to comply with post-v.1.0 versions of the BRs, assuming CAs are audited under WebTrust for CAs - SSL Baseline Requirements Audit Criteria, V1.0, or ETSI TS 102 042 V2.3.1; and (2) it will be relatively easy to create a redlined PDF that compares BR v. 1.1.3 to BR v. 1.0, so that anyone looking at a WebTrust or ETSI audit can determine whether any post-BR v1.0 changes are relevant to their consideration.

