[cabfpub] Audit Criteria Clarification

Tue Mar 7 00:00:36 UTC 2017

Regarding the emails discussing audit criteria and related, I thought it might be helpful to provide some history as well as address some issues we face collectively.  While my views are from a WebTrust point of view based on my position as Chair of the WebTrust Task Force, the same principles would apply regardless of the type of audit.
I'd first like to offer a historical perspective.  Please keep in mind the initial release of WebTrust for Certification Authorities Principles, Version 1.0, was released in August 2000, prior to the creation of the CABF.  While the WebTrust for Certification Authorities Principles provided a solid foundation to assist CAs and Browsers alike, the WebTrust Task Force worked lockstep with the Forum to develop customized services to specifically address its needs. Over the years, additional audit engagements have been created as an "add on" to the WebTrust for Certification Authorities to include specific requirements for Baseline, Network Security, Extended Validation SSL, Extended Validation Code Signing, and Publicly Trusted Code Signing Certificates.  This list will continue to grow as the needs evolve for the Forum.
As you may know, when these customized services are created/updated by the WebTrust Task Force, we review the most recently approved requirements/changes as a starting point to establish the audit criteria.  We highlight those requirements that are not auditable and list them out in the appendix of our respective principles and criteria documents.  For CABF requirements that are auditable, we craft audit criteria based on our professional standards.  These documents are subject to review by the WebTrust Task Force typically on an annual basis, or as necessary based on the severity of the new/modified CABF requirements.
One of the recurring and problematic issues the Task Force faces when crafting audit criteria is dealing with International law.  For instance, conducting background checks is a great practice, but in some parts of the world is deemed to violate privacy laws.  In these cases, since we cannot require a CA to do something illegal, the law prevails over the underlying criteria.    In this case, the CA would still get a "clean" opinion.  Such potential conflicts are also addressed in the CABF Baseline Requirements in Section 9.16.3, Severability, capturing the same spirit as the audit requirements issue.
For another example, since the WebTrust audits are conducted based on specific versions of the CABF guidelines and updated from time to time, we could experience a case where CABF Requirements were changed but the audit criteria were not yet updated.  In this case, as was with the SHA-1 deprecation, a CA could be out of compliance with more updated CABF requirements, but still in compliance with the latest version of the WebTrust document.  In this unusual case, even though the CA would get a "clean opinion" for complying with the WebTrust criteria, and obviously out of compliance with the CABF requirements, the auditor would typically add an extra opinion in their report as an "Emphasis of a Matter" citing specific reference to the updated criteria that was not met.  The Browsers would then presumably take appropriate action regardless of whether or not the audit opinion was "clean" or not.
The WebTrust Task Force is comprised of volunteers with an expertise in PKI.  Members of the Task Force are either members of CPA Canada or the American Institute of Certified Public Accountants (AICPA), both of which govern our profession.  While the Task Force runs the program for the profession, ultimate approval of our documents rests with CPA Canada and the AICPA.
When first created, CPA Canada worked jointly with the AICPA, but since, has taken the primary role on the ongoing WebTrust matters, including licensing and seal issuance.  With Don Sheehy's retirement, we will now have the pleasure of working with him representing CPA Canada, so we are definitely excited about the added resource.
Thanks for the opportunity to offer my comments.
Jeff
Jeff Ward, CPA, CGMA, CITP, CISA, CISSP, CEH
National Managing Partner Third Party Attestation Services
314-889-1220 (Direct)    347-1220 (Internal)
314-889-1221 (Fax)
jfward at bdo.com<mailto:jfward at bdo.com>

BDO
101 S Hanley Rd, #800
St. Louis, MO 63105
UNITED STATES
314-889-1100
www.bdo.com<http://www.bdo.com>

Please consider the environment before printing this e-mail

[BDOC Networking Award]
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20170307/0efafb13/attachment-0002.html>