[cabfpub] BRs, audits and historical point-in-time events

Moudrick M. Dadashov md at ssc.lt
Wed Jul 23 11:02:59 MST 2014


Just for the record, the most recent version of Draft EN 319 411-1 
V0.0.4 (section 7.2.1):

f) The TSP shall have a procedure to follow on the CA root key 
generation ceremony and this ceremony shall be witnessed by a qualified 
auditor or a notary. The TSP shall record a video of the entire root CA 
key generation process and keep the video available until the usage 
period of the key ends. The TSP shall have a report from the qualified 
auditor or the notary indicating that the TSP has followed the key 
ceremony procedure during its key and certificate generation process and 
the controls used to ensure and protect the integrity and 
confidentiality of the key pair.

g) The TSP shall have a procedure to follow on the CAs key generation 
ceremony and record a video of the entire process as evidence. The TSP 
shall produce a report indicating that has followed the key ceremony 
procedure and the controls used to ensure and protect the integrity and 
confidentiality of the key pair.

Thanks,
M.D.

On 7/23/2014 7:52 PM, Ben Wilson wrote:
> As I read subsection 2 of 17.7, the "or" means that the following is sufficient:
> record a video of the entire Root CA Key Pair generation process, and
> have a Qualified Auditor issue a report opining that the CA followed its [written] key ceremony during its Key and Certificate generation process and the controls used to ensure the integrity and confidentiality of the Key Pair.   This differs from section 17.7 of the EV Guidelines, which states "the Root CA Key Pair generation ceremony MUST be witnessed by the CA's Qualified Auditor in order to observe the process and the controls over the integrity and confidentiality of the Root CA Key Pairs produced."
>
> -----Original Message-----
> From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of i-barreira at izenpe.net
> Sent: Wednesday, July 23, 2014 5:13 AM
> To: gerv at mozilla.org; richard.trevorah at tScheme.org; kirk_hall at trendmicro.com; public at cabforum.org
> Subject: Re: [cabfpub] BRs, audits and historical point-in-time events
>
> For this particular case, I can say that the first time we were audited (independently of the BRs) for ETSI qualified certs, of course we already had the root in place, and the auditor came and follow the procedure checking it and comparing with the video.
> There was a ceremony master who was indicating, saying, which were going to be the next steps, who were involved and who they had to do and for the auditor was easy to follow and check.
> I don´t see a major issue here.
>
>
> Iñigo Barreira
> Responsable del Área técnica
> i-barreira at izenpe.net
> 945067705
>
>
> ERNE! Baliteke mezu honen zatiren bat edo mezu osoa legez babestuta egotea. Mezua badu bere hartzailea. Okerreko helbidera heldu bada (helbidea gaizki idatzi, transmisioak huts egin) eman abisu igorleari, korreo honi erantzuna. KONTUZ!
> ATENCION! Este mensaje contiene informacion privilegiada o confidencial a la que solo tiene derecho a acceder el destinatario. Si usted lo recibe por error le agradeceriamos que no hiciera uso de la informacion y que se pusiese en contacto con el remitente.
>
>
> -----Mensaje original-----
> De: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] En nombre de Gervase Markham Enviado el: miércoles, 23 de julio de 2014 12:53
> Para: tScheme Technical Manager; kirk_hall at trendmicro.com; 'cabfpub'
> Asunto: Re: [cabfpub] BRs, audits and historical point-in-time events
>
> On 23/07/14 11:38, tScheme Technical Manager wrote:
>> I must say that I find it hard to imagine what retrospective
>> requirement could be resolved by script and video - "only three people in the room"
>> might do it.
> Well, these are the requirements of the BRs:
>
> For Root CA Key Pairs created after the Effective Date ... the CA SHALL:
> 1. prepare and follow a Key Generation Script, 2. have a Qualified Auditor witness the Root CA Key Pair generation process or record a video of the entire Root CA Key Pair generation process 3. have a Qualified Auditor issue a report opining that the CA followed its key ceremony during its Key and Certificate generation process and the controls used to ensure the integrity and confidentiality of the Key Pair.
>
> The question is: if a CA has done 1) and 2), can the Qualified Auditor, perhaps with reference to the script and video, issue the report mentioned in 3) even if they were unaware of these paragraphs of requirements at the time?
>
> The auditor needs to opine that the CA followed its ceremony. Would reviewing the video and script allow them to opine that?
>
> The auditor needs to opine that (and the grammar in the BRs seems a little odd here) the CA used controls to ensure the integrity and confidentiality of the key pair. Would reviewing the script and video allow them to opine that?
>
> If the answer to those two questions is yes, then we are sorted.
>
> What do you think it is?
>
>> I though the BRs put stricter requirements on the CA in terms of how
>> it performs and secures it processes - unlikely to be evidenced by S &
>> V - and on its Certificate contents and CPs - which presumably could
>> be analysed post-event to see if they would have complied at the time.
> Can you give examples of things that you think 17.7 requires auditors to check, which would not be evidenced by the S & V?
>
> Gerv
> _______________________________________________
> Public mailing list
> Public at cabforum.org
> https://cabforum.org/mailman/listinfo/public
> _______________________________________________
> Public mailing list
> Public at cabforum.org
> https://cabforum.org/mailman/listinfo/public
> _______________________________________________
> Public mailing list
> Public at cabforum.org
> https://cabforum.org/mailman/listinfo/public


-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3663 bytes
Desc: S/MIME Cryptographic Signature
Url : https://cabforum.org/pipermail/public/attachments/20140723/693e2c3c/attachment.bin 


More information about the Public mailing list