[cabfpub] Next Published Version of Baseline Requirements

Sheehy, Don (CA - Toronto) dosheehy at deloitte.ca
Tue Mar 26 18:35:26 UTC 2013


Then we are back to the same issue - what date would you be audited back to? We saw that with baseline 1.0 - we did not audit back to July 1 - since the Browsers only needed point in time right now - with period of time next year.

And if compliance audit only starts once the audit requirements are set, there is little impetus for the CA to push through the change to make sure they are compliant at the earlier date.

I thought we were forming a sub-group to discuss all this and were just waiting for ETSI?




Donald E. Sheehy, CPA, CA·CISA, CRISC, CIPP/C
Partner | Enterprise Risk
Deloitte


From: Jeremy Rowley [mailto:jeremy.rowley at digicert.com]
Sent: Tuesday, March 26, 2013 12:53 PM
To: Sheehy, Don (CA - Toronto); ben at digicert.com; public at cabforum.org
Subject: RE: [cabfpub] Next Published Version of Baseline Requirements

I don't think so.  My understanding is we would make things effective as soon as they passed, but the auditors would make audit standard or make audit changes in accordance with the process established in Mountain View. CAs should comply with the baseline requirements when a change is made, but they aren't audited for compliance until Webtrust and ETSI are ready.
Jeremy

From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Sheehy, Don (CA - Toronto)
Sent: Tuesday, March 26, 2013 10:45 AM
To: ben at digicert.com; public at cabforum.org
Subject: Re: [cabfpub] Next Published Version of Baseline Requirements

With the discussion below - are we abandoning what we had discussed in the Mountain View meeting - agreeing on a fixed timetable for standards and audit changes? It seems we are back to let's make a change and make it effective as soon as we pass it.

What we have below could create a variety of inconsistent applications of standards, both Baseline as well as audit.

Don



Donald E. Sheehy, CPA, CA·CISA, CRISC, CIPP/C
Partner | Enterprise Risk
Deloitte

From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Ben Wilson
Sent: Monday, March 18, 2013 5:39 PM
To: public at cabforum.org
Subject: Re: [cabfpub] Next Published Version of Baseline Requirements

All,
Here is the pre-publication draft of version 1.1.3 of the Baseline Requirements as outlined in my previous emails.  Let's discuss on Thursday's call.
Ben

From: Ben Wilson [mailto:ben at digicert.com]
Sent: Monday, March 18, 2013 12:38 PM
To: 'public at cabforum.org'
Subject: RE: [cabfpub] Next Published Version of Baseline Requirements

All,

The WebTrust Task Force has helpful language in version 1.1, Audit Criteria for Baseline Requirements, which I would like to re-purpose in one of the title pages for version 1.1.3 of the BRs.

What if we said?

Implementers' Note:  Version 1.1 of the SSL Baseline Requirements was published on September 14, 2012.  Version 1.1 of WebTrust's SSL Baseline Audit Criteria and ETSI Technical Standard Electronic Signatures and Infrastructures (ESI) 102 042 version 2.3.1 incorporate version 1.1 of these Baseline Requirements and are currently in effect.  See http://www.webtrust.org/homepage-documents/item27839.aspx and http://www.etsi.org/deliver/etsi_ts/102000_102099/102042/02.03.01_60/ts_102042v020301p.pdf.  The CA / Browser Forum continues to improve the Baseline Requirements, and we encourage all CAs to conform to each revision on the date specified without awaiting a corresponding update to an applicable audit criterion.  In the event of a conflict between an existing audit criterion and a guideline revision, we will communicate with the audit community and attempt to resolve any uncertainty, and we will respond to implementation questions directed to questions at cabforum.org.  Our coordination with compliance auditors will continue as we develop guideline revision cycles that harmonize with the revision cycles for audit criteria, the compliance auditing periods and cycles of CAs, and the CA / B Forum's guideline implementation dates.

(Also, instead of creating a redline from version 1.0, it should be based on BR 1.1 because I think that is what was used for ETSI TS 102 042 V2.3.1 (and certainly for v.1.1 of WebTrust for the BRs) and from my review, the changes do not make comparison for compliance purposes that difficult.)

Ben

From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Ben Wilson
Sent: Friday, March 15, 2013 6:14 PM
To: public at cabforum.org
Subject: [cabfpub] Next Published Version of Baseline Requirements

All,

In response to Gerv's email of 28-Jan-2013 ("[cabfpub] CAB Forum Document Versioning"), and changes related to Ballots 71, 93, 96, and 97, I am preparing a proposed version 1.1.3 of the Baseline Requirements - see attached "Document History" table.  Also, to address other comments on that same "Versioning" thread, and also to address BR Issue 33 - Title Pages - "No single place to view effective dates", I've created a table of compliance dates.   Please review both tables on the attached page.

To further address comments about ongoing improvements to the Baseline Requirements, I have two more suggestions:  (1) we have room for text on this page that could explain a little about how to comply with post-v.1.0 versions of the BRs, assuming CAs are audited under WebTrust for CAs- SSL Baseline Requirements Audit Criteria, V1.0, or ETSI TS 102 042 V2.3.1; and (2) it will be relatively easy to create a redlined PDF that compares BR v. 1.1.3 to BR v. 1.0, so that anyone looking at a WebTrust or ETSI audit can determine whether any post-BR v1.0 changes are relevant to their consideration.

Ben