[cabfpub] BRs, audits and historical point-in-time events

Ben Wilson Ben.Wilson at digicert.com
Wed Jul 23 16:52:27 UTC 2014


As I read subsection 2 of 17.7, the "or" means that the following is sufficient:
record a video of the entire Root CA Key Pair generation process, and
have a Qualified Auditor issue a report opining that the CA followed its [written] key ceremony during its Key and Certificate generation process and the controls used to ensure the integrity and confidentiality of the Key Pair.

This differs from section 17.7 of the EV Guidelines, which states "the Root CA Key Pair generation ceremony MUST be witnessed by the CA's Qualified Auditor in order to observe the process and the controls over the integrity and confidentiality of the Root CA Key Pairs produced."

-----Original Message-----
From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of i-barreira at izenpe.net
Sent: Wednesday, July 23, 2014 5:13 AM
To: gerv at mozilla.org; richard.trevorah at tScheme.org; kirk_hall at trendmicro.com; public at cabforum.org
Subject: Re: [cabfpub] BRs, audits and historical point-in-time events

For this particular case, I can say that the first time we were audited (independently of the BRs) for ETSI qualified certs, of course we already had the root in place, and the auditor came and followed the procedure, checking it and comparing it with the video.
There was a ceremony master who was indicating, saying, which were going to be the next steps, who was involved and what they had to do, and for the auditor it was easy to follow and check.
I don't see a major issue here.


Iñigo Barreira
Head of the Technical Area
i-barreira at izenpe.net
945067705


-----Original Message-----
From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Gervase Markham
Sent: Wednesday, July 23, 2014 12:53
To: tScheme Technical Manager; kirk_hall at trendmicro.com; 'cabfpub'
Subject: Re: [cabfpub] BRs, audits and historical point-in-time events

On 23/07/14 11:38, tScheme Technical Manager wrote:
> I must say that I find it hard to imagine what retrospective 
> requirement could be resolved by script and video - "only three people in the room"
> might do it.

Well, these are the requirements of the BRs:

For Root CA Key Pairs created after the Effective Date ... the CA SHALL:
1. prepare and follow a Key Generation Script,
2. have a Qualified Auditor witness the Root CA Key Pair generation process or record a video of the entire Root CA Key Pair generation process
3. have a Qualified Auditor issue a report opining that the CA followed its key ceremony during its Key and Certificate generation process and the controls used to ensure the integrity and confidentiality of the Key Pair.

The question is: if a CA has done 1) and 2), can the Qualified Auditor, perhaps with reference to the script and video, issue the report mentioned in 3) even if they were unaware of these paragraphs of requirements at the time?

The auditor needs to opine that the CA followed its ceremony. Would reviewing the video and script allow them to opine that?

The auditor needs to opine that (and the grammar in the BRs seems a little odd here) the CA used controls to ensure the integrity and confidentiality of the key pair. Would reviewing the script and video allow them to opine that?

If the answer to those two questions is yes, then we are sorted.

What do you think it is?

> I thought the BRs put stricter requirements on the CA in terms of how
> it performs and secures its processes - unlikely to be evidenced by S &
> V - and on its Certificate contents and CPs - which presumably could
> be analysed post-event to see if they would have complied at the time.

Can you give examples of things that you think 17.7 requires auditors to check, which would not be evidenced by the S & V?

Gerv
_______________________________________________
Public mailing list
Public at cabforum.org
https://cabforum.org/mailman/listinfo/public