[cabfpub] WebTrust for CA - New Criteria for CABF's Consideration

Kirk Hall Kirk.Hall at entrustdatacard.com
Wed Jul 5 22:02:22 MST 2017 

Thanks, Jeff, very clear.  We will discuss on our teleconference tomorrow.

From: Jeff Ward [mailto:jfward at bdo.com]
Sent: Wednesday, July 5, 2017 9:02 PM
To: Kirk Hall <Kirk.Hall at entrustdatacard.com>; CA/Browser Forum Public Discussion List <public at cabforum.org>
Subject: [EXTERNAL]RE: WebTrust for CA - New Criteria for CABF's Consideration

Hi Kirk, thanks for the note.  To clarify, we are asking the CABF to approve the suggested criteria to WebTrust for Certification Authorities, which will be added to existing v2.1 criteria.  We are not proposing these be added to the BRs.

We are asking the CABF to review and approve the criteria to go into this version.  These changes address issues/events that are more common today but are not contemplated in the current v2.0.  The criteria in 2.0 are based on ISO21188.  These additions and changes would help keep the WT criteria relevant in today's environment.  Our WebTrust Task Force is not in the business of creating criteria, as we base our audit procedures on frameworks that are publicly available.  The CABF meets this definition so having you approve these changes will allow us to include them in our criteria originally created from the ISO standard.

Please let me know if I can clarify further.  Thanks Kirk.

Jeff

Jeff Ward, CPA, CGMA, CITP, CISA, CISSP, CEH
Office Managing Partner & National Managing Partner Third Party Attestation Services
314-889-1220 (Direct)    347-1220 (Internal)
314-889-1221 (Fax)
jfward at bdo.com<mailto:jfward at bdo.com>

BDO
101 S Hanley Rd, #800
St. Louis, MO 63105
UNITED STATES
314-889-1100
www.bdo.com<http://www.bdo.com>

Please consider the environment before printing this e-mail

[BDOC Networking Award]
From: Kirk Hall [mailto:Kirk.Hall at entrustdatacard.com]
Sent: Wednesday, July 5, 2017 1:16 PM
To: Jeff Ward <jfward at bdo.com<mailto:jfward at bdo.com>>; CA/Browser Forum Public Discussion List <public at cabforum.org<mailto:public at cabforum.org>>
Subject: WebTrust for CA - New Criteria for CABF's Consideration

Attention: This email was sent from someone outside of BDO USA. Always use caution when opening attachments or clicking links from unknown senders or when receiving unexpected emails.
Jeff - I apologize for my slowness in responding.

As to your message below (and attachment) - the WebTrust for CAs Task Force is asking us to add appropriate language to the BRs to add the requirements shown in the attached draft for WebTrust for CAs (NOT for BR WebTrust), and the proposal is to modify existing WTCA Sec. 5 and add new WTCA Sec. 9 and 10 - correct?

I'm guessing any changes would have to go into the BRs, as that's the only clear place to put them.

Do you (and/or the Task Force) want some time to discuss in more detail why you want the added criteria?  Your explanation below is pretty good, but let us know if you have seen specific problems that will help us craft language.

We will discuss on our call tomorrow whether this should be a ballot from a Working Group, or whether a few of us should simply deconstruct your WTCA language and create a ballot directly.

Thanks.

From: Jeff Ward [mailto:jfward at bdo.com]
Sent: Friday, June 23, 2017 10:22 AM
To: public at cabforum.org<mailto:public at cabforum.org>
Cc: Kirk Hall <Kirk.Hall at entrustdatacard.com<mailto:Kirk.Hall at entrustdatacard.com>>; Ben Wilson <ben.wilson at digicert.com<mailto:ben.wilson at digicert.com>>
Subject: [EXTERNAL]WebTrust for CA - New Criteria for CABF's Consideration

As mentioned during our presentation at the face-to-face meeting in Berlin, the WebTrust for Certification Authorities Task Force has proposed new criteria be added to WebTrust for Certification Authorities to be included in a new version, 2.1.  The changes are to cover event based activities that are not currently addressed in the WebTrust criteria and would add consistency in their treatment for auditors and CAs alike.  Since they are event based, they should not cause any concerns for CAs when they become effective.  Specifically, the added criteria relate to the following:

4.5  CA Key Archival and Destruction

4.9  CA Key Transportation

4.10 CA Key Migration

Please see the attached document.  It is in a tracked changes format so you can see what new criteria we are suggesting in 4.5, as well as the addition of sections 4.9 and 4.10.  The criteria that are included today are based on ISO 21188.  Since these proposed changes are not part of that standard, we need a public group (CABF qualifies as such) to approve the criteria.

We would appreciate the CABF's review and balloting to approve these changes as soon as possible so we can release the new version, 2.1.

Please let me know if you have any questions.

On behalf of the WebTrust for Certification Authorities Task Force,

Jeff Ward
Chairman

Jeff Ward, CPA, CGMA, CITP, CISA, CISSP, CEH
Office Managing Partner & National Managing Partner Third Party Attestation Services
(SOC/WebTrust/Cybersecurity)
314-889-1220 (Direct)    347-1220 (Internal)
314-889-1221 (Fax)
jfward at bdo.com<mailto:jfward at bdo.com>

BDO
101 S Hanley Rd, #800
St. Louis, MO 63105
UNITED STATES
314-889-1100
www.bdo.com<https://na01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.bdo.com&data=02%7C01%7Cjfward%40bdo.com%7Cd19c37bf88614ed84eda08d4c3d1e954%7C6e57fc1a413e405091da7d2dc8543e3c%7C0%7C0%7C636348753731915754&sdata=4sLoKo1RAbcQFTfO4PKObspRlpH%2Fa%2Fc4%2F3dObqYKuOY%3D&reserved=0>

Please consider the environment before printing this e-mail

[BDOC Networking Award]
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cabforum.org/pipermail/public/attachments/20170706/fb5a7fc5/attachment-0001.html>

More information about the Public mailing list