[cabfpub] Bylaws: Update Membership Criteria (section 2.1)

Dimitris Zacharopoulos (HARICA) dzacharo at harica.gr
Tue Jan 29 07:19:23 UTC 2019



On 28/1/2019 8:48 p.m., Ryan Sleevi via Public wrote:
>
>
> On Thu, Jan 24, 2019 at 2:30 PM Dimitris Zacharopoulos (HARICA) via 
> Public <public at cabforum.org <mailto:public at cabforum.org>> wrote:
>
>
>
>     On 24/1/2019 8:16 p.m., Wayne Thayer via Public wrote:
>>     On today's call we discussed a number of changes to the bylaws
>>     aimed at clarifying the rules for membership. The proposal for
>>     section 2.1(a)(1) resulting from today's discussion is:
>>
>>         Certificate Issuer: The member organization operates a
>>         certification authority that has a publicly-available audit
>>         report or attestation statement that meets the following
>>         requirements:
>>         * Is based on the full, current version of the WebTrust for
>>         CAs, ETSI EN 319 411-1, or ETSI EN 319 411-2 audit criteria
>>
> Using the example reports for discussion ( 
> http://www.webtrust.org/practitioner-qualifications/docs/item85808.pdf )
>
> If a CA does not escrow CA keys, does not provide subscriber key 
> generation services, or suspension services, does that count as being 
> based on the "full, current version"? (Page 11, paragraph 2)

I think so, yes. Based on the exact CA operations, the exact audit scope 
is determined. The Forum has set the WebTrust for CAs and ETSI EN 319 
411-1 as an absolute minimum that includes attestation of the existence 
of reasonable organizational and technical controls. If you recall, I 
had proposed that for the SCWG we should also require WebTrust for CAs 
Baseline and NetSec because they are already included in ETSI EN 319 
411-1 and are more suitable for SSL/TLS Certificates. If a CA obtains a 
WebTrust for CAs or ETSI EN 319 411-1 audit report, it means that the 
core CA services are there and are operational.

Root programs have audit requirement exceptions, and this applies 
equally to Microsoft and Mozilla. I don't disagree with being more 
inclusive, but I believe the Forum must have objective and specific 
requirements based on some international standards and not just 
government regulations.


>>         * Covers a period of at least 60 days
>>
> I'm curious for feedback from the ETSI folks, but perhaps a more 
> inclusive definition would be
> - "Reports on the operational effectiveness of controls for a historic 
> period of at least 60 days"
>
> The context being that ETSI is a certification scheme, but as part of 
> that certification, the CAB "may" ("should") examine the historic 
> evidence for some period of time. 7.9 of 319 403 only requires "since 
> the previous audit"

I am not representing ETSI or ACAB'c, but if there are concerns with this 
requirement we can solve this issue using the language proposed by Wayne: 
"Covers a period of at least 60 days". I would use "Covers a period of 
operations of at least 60 days".

>>         * Covers a period that ends within the past 15 months
>>
> This may also be resting on the BR definition of Audit Period. I can 
> see similar ambiguities arising with respect to ETSI and that its 
> certification decisions last two years, not one, thus it might cause a 
> CA to believe that they have up to three years from first completing 
> their audit (that is, if the letter is issued at T=2 years, covering 
> T=0 to T=2, and is valid to T=4 years, then the CA may believe it's 
> covered until T=5 years and 3 months)
>
> There's also the potential of surveillance audits conducted over 
> specific issues being resolved, without being a full recertification 
> (e.g. if the CAB classified it as a minor non-conformity)
>
> "With no more than 27 months having elapsed since the beginning of the 
> reported-on period and no more than 15 months since the end of the 
> reported-on period"
>
> It's a mouthful, but perhaps there's a more concise way to capture 
> that unambiguously.

AFAIK, Microsoft still requires annual full audits even for non-SSL 
certificate issuance. In any case, I prefer a mouthful to an ambiguous 
requirement.


Dimitris.
