[cabfpub] WebTrust for CA - New Criteria for CABF's Consideration

Kirk Hall Kirk.Hall at entrustdatacard.com
Wed Jul 5 18:16:08 UTC 2017


Jeff - I apologize for my slowness in responding.

As to your message below (and attachment) - the WebTrust for CAs Task Force is asking us to add appropriate language to the BRs to add the requirements shown in the attached draft for WebTrust for CAs (NOT for BR WebTrust), and the proposal is to modify existing WTCA Sec. 5 and add new WTCA Sec. 9 and 10 - correct?

I'm guessing any changes would have to go into the BRs, as that's the only clear place to put them.

Do you (and/or the Task Force) want some time to discuss in more detail why you want the added criteria?  Your explanation below is pretty good, but let us know if you have seen specific problems that will help us craft language.

We will discuss on our call tomorrow whether this should be a ballot from a Working Group, or whether a few of us should simply deconstruct your WTCA language and create a ballot directly.

Thanks.

From: Jeff Ward [mailto:jfward at bdo.com]
Sent: Friday, June 23, 2017 10:22 AM
To: public at cabforum.org
Cc: Kirk Hall <Kirk.Hall at entrustdatacard.com>; Ben Wilson <ben.wilson at digicert.com>
Subject: [EXTERNAL]WebTrust for CA - New Criteria for CABF's Consideration

As mentioned during our presentation at the face-to-face meeting in Berlin, the WebTrust for Certification Authorities Task Force has proposed new criteria be added to WebTrust for Certification Authorities to be included in a new version, 2.1.  The changes are to cover event based activities that are not currently addressed in the WebTrust criteria and would add consistency in their treatment for auditors and CAs alike.  Since they are event based, they should not cause any concerns for CAs when they become effective.  Specifically, the added criteria relate to the following:

4.5  CA Key Archival and Destruction

4.9  CA Key Transportation

4.10 CA Key Migration

Please see the attached document.  It is in a tracked changes format so you can see what new criteria we are suggesting in 4.5, as well as the addition of sections 4.9 and 4.10.  The criteria that are included today are based on ISO 21188.  Since these proposed changes are not part of that standard, we need a public group (CABF qualifies as such) to approve the criteria.

We would appreciate the CABF's review and balloting to approve these changes as soon as possible so we can release the new version, 2.1.

Please let me know if you have any questions.

On behalf of the WebTrust for Certification Authorities Task Force,

Jeff Ward
Chairman

Jeff Ward, CPA, CGMA, CITP, CISA, CISSP, CEH
Office Managing Partner & National Managing Partner Third Party Attestation Services
(SOC/WebTrust/Cybersecurity)
314-889-1220 (Direct)    347-1220 (Internal)
314-889-1221 (Fax)
jfward at bdo.com<mailto:jfward at bdo.com>

BDO
101 S Hanley Rd, #800
St. Louis, MO 63105
UNITED STATES
314-889-1100
www.bdo.com<http://www.bdo.com>

Please consider the environment before printing this e-mail

[BDOC Networking Award]
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cabforum.org/pipermail/public/attachments/20170705/020e261f/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: WT4CA Controls 4.5 4.9 and 4.10.docx
Type: application/vnd.openxmlformats-officedocument.wordprocessingml.document
Size: 48534 bytes
Desc: WT4CA Controls 4.5 4.9 and 4.10.docx
URL: <http://cabforum.org/pipermail/public/attachments/20170705/020e261f/attachment-0001.docx>


More information about the Public mailing list