[cabfpub] Ballot proposal - Update Section 8.4 for CA audit criteria

Jeff Ward jward at bdo.com
Thu Apr 19 10:52:10 MST 2018


That is correct.  Version 2.0 is still in cycle, but for periods beginning on or after 11/1 will move to 2.1.  You may want to consider dropping the version number(s) and just reference to the CPA Canada matrix for applicability.  Just a thought.

Jeff

Jeff Ward, CPA, CGMA, CITP, CISA, CISSP, CEH
Office Managing Partner & National Leader Third Party Attestation (SOC/WebTrust/Cybersecurity)
314-889-1220 (Direct)    347-1220 (Internal)
314-889-1221 (Fax)
jward at bdo.com

BDO
101 S Hanley Rd, Suite 800
St. Louis, MO 63105
UNITED STATES
314-889-1100
www.bdo.com

From: Dimitris Zacharopoulos [mailto:jimmy at it.auth.gr]
Sent: Thursday, April 19, 2018 12:32 PM
To: Tim Hollebeek <tim.hollebeek at digicert.com>; Jeff Ward <jward at bdo.com>; CA/Browser Forum Public Discussion List <public at cabforum.org>; Ryan Sleevi <sleevi at google.com>
Subject: Re: [cabfpub] Ballot proposal - Update Section 8.4 for CA audit criteria


On 19/4/2018 7:35 PM, Tim Hollebeek wrote:
Might as well fix all the audit references while we’re at it …

-Tim

Yes, we should take care of all criteria versions as I mentioned in replying to Peter, and allow for newer versions as well. For this particular issue of WebTrust for CAs, according to http://www.webtrust.org/principles-and-criteria/item83172.aspx, it seems that 2.0 is actively used for audit periods that begin before Nov 1, 2017. If I understand this correctly, we would be able to remove 2.0 from the Baseline Requirements only after Nov 1, 2018.

Is this correct?

Dimitris.





From: Public [mailto:public-bounces at cabforum.org] On Behalf Of Jeff Ward via Public
Sent: Thursday, April 19, 2018 9:34 AM
To: Ryan Sleevi <sleevi at google.com>; CA/Browser Forum Public Discussion List <public at cabforum.org>; Dimitris Zacharopoulos <jimmy at it.auth.gr>
Subject: Re: [cabfpub] Ballot proposal - Update Section 8.4 for CA audit criteria

Not sure if it matters a great deal, but the reference to WebTrust for CA should be version 2.1, not 2.0.

Jeff Ward, CPA, CGMA, CITP, CISA, CISSP, CEH
Office Managing Partner & National Leader Third Party Attestation (SOC/WebTrust/Cybersecurity)
314-889-1220 (Direct)    347-1220 (Internal)
314-889-1221 (Fax)
jward at bdo.com

BDO
101 S Hanley Rd, Suite 800
St. Louis, MO 63105
UNITED STATES
314-889-1100
www.bdo.com

From: Public [mailto:public-bounces at cabforum.org] On Behalf Of Ryan Sleevi via Public
Sent: Monday, April 16, 2018 9:21 AM
To: Dimitris Zacharopoulos <jimmy at it.auth.gr>; CA/Browser Forum Public Discussion List <public at cabforum.org>
Subject: Re: [cabfpub] Ballot proposal - Update Section 8.4 for CA audit criteria



On Sun, Apr 15, 2018 at 2:18 AM, Dimitris Zacharopoulos via Public <public at cabforum.org> wrote:

I am looking for two endorsers for the following ballot.

Dimitris.

Ballot XXX - Update Section 8.4 for CA audit criteria

The following motion has been proposed by Dimitris Zacharopoulos of HARICA and endorsed by ___ and ___

Background:

Section 8.4 of the Baseline Requirements describes the audit criteria for CAs that issue Publicly-Trusted SSL/TLS Certificates. This ballot attempts to achieve two things:

1. Remove the old ETSI TS documents

2. Align the WebTrust <https://www.cabforum.org/wiki/WebTrust> and ETSI requirements

"WebTrust for Certification Authorities" is equivalent to "ETSI EN 319 401" and "WebTrust Principles and Criteria for Certification Authorities – SSL Baseline with Network Security" is the equivalent of "ETSI EN 319 411-1".

-- MOTION BEGINS --

Replace the first two numbered items in section 8.4 of the Baseline Requirements from:

1. WebTrust for Certification Authorities v2.0;

2. A national scheme that audits conformance to ETSI TS 102 042 / ETSI EN 319 411-1; or

to:

1. WebTrust Principles and Criteria for Certification Authorities – SSL Baseline with Network Security;

2. A national scheme that audits conformance to ETSI EN 319 411-1; or

As noted several times that this has come up in the past, your proposed change to #1 is meaningfully and substantially different than what is currently required. You are proposing *changing* the audit scheme to a more restrictive set. That's something in the past that browsers have objected to, and for good reason.


