[cabfpub] BRs, audits and historical point-in-time events

i-barreira at izenpe.net i-barreira at izenpe.net
Wed Jul 23 11:13:02 UTC 2014 

For this particular case, I can say that the first time we were audited (independently of the BRs) for ETSI qualified certs, of course we already had the root in place, and the auditor came and follow the procedure checking it and comparing with the video.
There was a ceremony master who was indicating, saying, which were going to be the next steps, who were involved and who they had to do and for the auditor was easy to follow and check.
I don´t see a major issue here.


Iñigo Barreira
Responsable del Área técnica
i-barreira at izenpe.net
945067705


ERNE! Baliteke mezu honen zatiren bat edo mezu osoa legez babestuta egotea. Mezua badu bere hartzailea. Okerreko helbidera heldu bada (helbidea gaizki idatzi, transmisioak huts egin) eman abisu igorleari, korreo honi erantzuna. KONTUZ!
ATENCION! Este mensaje contiene informacion privilegiada o confidencial a la que solo tiene derecho a acceder el destinatario. Si usted lo recibe por error le agradeceriamos que no hiciera uso de la informacion y que se pusiese en contacto con el remitente.


-----Mensaje original-----
De: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] En nombre de Gervase Markham
Enviado el: miércoles, 23 de julio de 2014 12:53
Para: tScheme Technical Manager; kirk_hall at trendmicro.com; 'cabfpub'
Asunto: Re: [cabfpub] BRs, audits and historical point-in-time events

On 23/07/14 11:38, tScheme Technical Manager wrote:
> I must say that I find it hard to imagine what retrospective 
> requirement could be resolved by script and video - "only three people in the room"
> might do it.

Well, these are the requirements of the BRs:

For Root CA Key Pairs created after the Effective Date ... the CA SHALL:
1. prepare and follow a Key Generation Script, 2. have a Qualified Auditor witness the Root CA Key Pair generation process or record a video of the entire Root CA Key Pair generation process 3. have a Qualified Auditor issue a report opining that the CA followed its key ceremony during its Key and Certificate generation process and the controls used to ensure the integrity and confidentiality of the Key Pair.

The question is: if a CA has done 1) and 2), can the Qualified Auditor, perhaps with reference to the script and video, issue the report mentioned in 3) even if they were unaware of these paragraphs of requirements at the time?

The auditor needs to opine that the CA followed its ceremony. Would reviewing the video and script allow them to opine that?

The auditor needs to opine that (and the grammar in the BRs seems a little odd here) the CA used controls to ensure the integrity and confidentiality of the key pair. Would reviewing the script and video allow them to opine that?

If the answer to those two questions is yes, then we are sorted.

What do you think it is?

> I though the BRs put stricter requirements on the CA in terms of how 
> it performs and secures it processes - unlikely to be evidenced by S & 
> V - and on its Certificate contents and CPs - which presumably could 
> be analysed post-event to see if they would have complied at the time.

Can you give examples of things that you think 17.7 requires auditors to check, which would not be evidenced by the S & V?

Gerv
_______________________________________________
Public mailing list
Public at cabforum.org
https://cabforum.org/mailman/listinfo/public

More information about the Public mailing list