[cabfpub] Form of audit necessary for CA membership in CA/Browser Forum
benedikt at cacert.org
Tue Apr 3 10:03:44 UTC 2018
I just saw you are mentioning ETSI 102 042 and ETSI 101 456; both
standards are now "historical" and therefore no longer valid auditing
standards. ETSI regrouped auditing standards under 319 401 and 319 411.
Please consider this when re-writing the membership application form.
Benedikt Heintel - benedikt at cacert.org
CAcert.org - Secure Together
On 02.04.2018 at 02:22, Kirk Hall via Public wrote:
> This email relates to an Agenda topic for discussion on our
> teleconference this Thursday, April 5.
> In recent discussion of a CA membership application, there was
> disagreement on whether the “audit” that a CA applicant must present
> needs to be a Period of Time (POT) audit, also called a “performance”
> audit, or whether it is sufficient for the CA applicant to have only a
> Point in Time (PIT) audit, also called a “readiness” audit. (This
> issue was not critical to the application being considered by the Forum.)
> As a practical matter these days, CAs generally start their first POT
> audit for a specific root on the date of their successful PIT audit,
> and then maintain POT audits continuously thereafter. Under WebTrust,
> the minimum initial time period for a POT audit is two months, so it
> can be completed relatively quickly (I’m not sure about ETSI minimum
> time period for the initial POT audit).
> Other forms of auditor reports, such as a “migration audit report”, are
> not considered a WebTrust for CAs Audit but rather an Agreed Upon
> Procedures report which is for management use only, and so would not
> qualify for CA membership purposes.
> I have inserted a copy of excerpts from Bylaw 2.1 below, parsed to
> make the separate requirements to be a CA member clearer.
> It’s true that our Bylaw 2.1 only refers to an “audit report” without
> specifying whether this is a POT or PIT audit, or either. However, I
> do note that Bylaw 2.1(b)(6) which lists information a CA applicant
> must provide in connection with its membership application requires
> the “URL of the current qualifying _performance_ audit report” – the
> term “performance audit report” typically means a POT audit, so that
> may be a clue that only a successful POT audit is acceptable under
> Bylaw 2.1(a).
> On our Thursday call, let’s not argue about what current Bylaw 2.1(a)
> means, but instead let’s talk about what we think Bylaw 2.1 should
> require for a new CA applicant – a POT audit, a PIT audit, or either.
> If needed, I can set up a Doodle poll so people can vote on the
> question. After full discussion, let’s then amend Bylaw 2.1(a) so
> it’s clear on that point. I personally am in favor of accepting a POT
> audit only (even for a minimum two month period), as I think that
> shows the CA is “real” and operating successfully, but I want to hear
> what the advocates of accepting a PIT audit think.
> *Bylaw 2.1 Qualifying for Forum Membership*
> (a) CA/Browser Forum members shall meet at least one of the following
> criteria. ***
> (2) _Root CA_:
> 1. The member organization operates a certification authority
> 2. that _has a current and successful WebTrust for CAs_, or _ETSI
> 102042 or ETSI 101456 audit report_ prepared by a properly-qualified
> auditor, and
> 3. that actively issues certificates to subordinate CAs that, in turn,
> actively issue certificates to Web servers
> 4. that are openly accessible from the Internet,
> 5. such certificates being treated as valid when using a browser
> created by a Browser member.
> Applicants that are _not actively issuing certificates_ but otherwise
> meet membership criteria may be granted Associate Member status under
> Bylaw Sec. 3.1 for a period of time to be designated by the Forum. ***
> (b) Applicants should supply the following information: ***
> (6) URL of the current qualifying _performance_ audit report. ***
> Public mailing list
> Public at cabforum.org