[cabfpub] Delegated Third Parties, Network Security Requirements, and Audits

Peter Bowen pzb at amzn.com
Sat May 14 01:57:29 UTC 2016

One of the agenda items for the F2F is the Network and Certificate System Security Requirements (NCSSR).  Unfortunately, I'm not going to be able to be in Bilbao, so I wanted to kick off a discussion on the list ahead of time. 

At the last Face to Face, the WebTrust representatives mentioned one of the items they think the Forum should consider addressing is   This did not get much discussion at the time, but I think it is really part of a larger topic around Delegated Third Parties (DTP) who are not RAs.

The type of DTPs vary.  At one end it is a security guard firm who handles data center security for a CA-operated data center or a colocation provider from whom the CA rents rack space.  At the other end, the CA could contract out their entire operation, including servers, software, operations and validation to a DTP.  Somewhere in the middle are DTPs offering "Infrastructure as a Service" and "Platform as a Service" which may be part of the technical foundation for a CA.

Regardless of scope, the NCSSR and Baseline Requirements do not make it clear how to handle DTPs.  The BRs seems to be mostly focused on DTPs who operate Registration Authorities.  There is not a lot of definition of what is appropriate for a DTP who is performing functions such as system management or software development.  This is compounded, I'm told, by current requirements in WebTrust that a single auditor must confirm compliance with all the criteria -- one auditor cannot rely upon the opinion of another auditor.  It is also not clear what a "partial" WebTrust audit would look like.  How is a non-RA DTP meant be audited under section 8 of the BRs?

I am sure our ETSI and WebTrust liaisons can chime in, but I would propose that CAs should be able to rely upon controls operated by a DTP   I also think that it is reasonable and should be allowable to have Certificate Systems for multiple CAs share the same physical zone and have multiple CAs rely upon the same controls and audit when they are using the same DTP or when the DTP is also a CA in their own right.

Does anyone else have opinions on how Delegated Third Parties should be handled?


More information about the Public mailing list