[cabfpub] Ballot proposal - Update Section 8.4 for CA audit criteria

Dimitris Zacharopoulos jimmy at it.auth.gr
Thu Apr 19 10:32:16 MST 2018



On 19/4/2018 7:35 PM, Tim Hollebeek wrote:
>
> Might as well fix all the audit references while we’re at it …
>
> -Tim
>

Yes, we should take care of all criteria versions as I mentioned in 
replying to Peter, and allow for newer versions as well. For this 
particular issue of WebTrust for CAs, according to 
http://www.webtrust.org/principles-and-criteria/item83172.aspx, it seems 
that 2.0 is actively used for audit periods that begin before Nov 1, 
2017. If I understand this correctly, we would be able to remove 2.0 
from the Baseline Requirements only after Nov 1, 2018.

Is this correct?

Dimitris.



> *From:*Public [mailto:public-bounces at cabforum.org] *On Behalf Of *Jeff 
> Ward via Public
> *Sent:* Thursday, April 19, 2018 9:34 AM
> *To:* Ryan Sleevi <sleevi at google.com>; CA/Browser Forum Public 
> Discussion List <public at cabforum.org>; Dimitris Zacharopoulos 
> <jimmy at it.auth.gr>
> *Subject:* Re: [cabfpub] Ballot proposal - Update Section 8.4 for CA 
> audit criteria
>
> Not sure if it matters a great deal, but the reference to WebTrust for 
> CA should be version 2.1, not 2.0.
>
> *Jeff Ward, CPA, CGMA, CITP, CISA, CISSP, CEH*
> Office Managing Partner & National Leader Third Party Attestation 
> (SOC/WebTrust/Cybersecurity)
> 314-889-1220 (Direct)    347-1220 (Internal)
> 314-889-1221 (Fax)
> jward at bdo.com <mailto:jward at bdo.com>
>
> *BDO*
> 101 S Hanley Rd, Suite 800
> St. Louis, MO 63105
> UNITED STATES
> 314-889-1100
> _www.bdo.com <http://www.bdo.com>_
>
> *From:*Public [mailto:public-bounces at cabforum.org] *On Behalf Of *Ryan 
> Sleevi via Public
> *Sent:* Monday, April 16, 2018 9:21 AM
> *To:* Dimitris Zacharopoulos <jimmy at it.auth.gr 
> <mailto:jimmy at it.auth.gr>>; CA/Browser Forum Public Discussion List 
> <public at cabforum.org <mailto:public at cabforum.org>>
> *Subject:* Re: [cabfpub] Ballot proposal - Update Section 8.4 for CA 
> audit criteria
>
> On Sun, Apr 15, 2018 at 2:18 AM, Dimitris Zacharopoulos via Public 
> <public at cabforum.org <mailto:public at cabforum.org>> wrote:
>
>
>     I am looking for two endorsers for the following ballot.
>
>     Dimitris.
>
>     *Ballot XXX - Update Section 8.4 for CA audit criteria*
>
>     The following motion has been proposed by Dimitris Zacharopoulos
>     of HARICA and endorsed by ___ and ___
>
>     *Background*:
>
>     Section 8.4 of the Baseline Requirements describes the audit
>     criteria for CAs that issue Publicly-Trusted SSL/TLS Certificates.
>     This ballot attempts to achieve two things:
>
>      1. Remove the old ETSI TS documents
>      2. Align the WebTrust
>         <https://www.cabforum.org/wiki/WebTrust>
>         and ETSI requirements
>
>     "WebTrust
>     <https://www.cabforum.org/wiki/WebTrust>
>     for Certification Authorities" is equivalent to "ETSI EN 319 401"
>     and "WebTrust
>     <https://www.cabforum.org/wiki/WebTrust>
>     Principles and Criteria for Certification Authorities – SSL
>     Baseline with Network Security" is the equivalent of "ETSI EN 319
>     411-1".
>
>     *-- MOTION BEGINS --*
>
>     Replace the first two numbered items in section 8.4 of the
>     Baseline Requirements from:
>
>      1. WebTrust
>         <https://www.cabforum.org/wiki/WebTrust>
>         for Certification Authorities v2.0;
>      2. A national scheme that audits conformance to ETSI TS 102 042 /
>         ETSI EN 319 411-1; or
>
>     to:
>
>      1. WebTrust
>         <https://www.cabforum.org/wiki/WebTrust>
>         Principles and Criteria for Certification Authorities – SSL
>         Baseline with Network Security;
>      2. A national scheme that audits conformance to ETSI EN 319 411-1; or
>
> As noted several times that this has come up in the past, your 
> proposed change to #1 is meaningfully and substantially different than 
> what is currently required. You are proposing *changing* the audit 
> scheme to a more restrictive set. That's something in the past that 
> browsers have objected to, and for good reason.
>
>
