[cabfpub] Audits and RAs

Ryan Sleevi sleevi at google.com
Tue Jun 18 17:51:50 UTC 2019

On Tue, Jun 18, 2019 at 1:35 PM Jeremy Rowley via Public <
public at cabforum.org> wrote:

> I think I heard the WebTrust auditors say last week that they have
> finished or nearly finished the WebTrust for RAs criteria. The language
> from Section 8.4 of the guidelines reads:
> “For Delegated Third Parties which are not Enterprise RAs, then the CA
> SHALL obtain an audit report, issued under the auditing standards that
> underlie the accepted audit schemes found in Section 8.1, that provides an
> opinion whether the Delegated Third Party’s performance complies with
> either the Delegated Third Party’s practice statement or the CA’s
> Certificate Policy and/or Certification Practice Statement. If the opinion
> is that the Delegated Third Party does not comply, then the CA SHALL not
> allow the Delegated Third Party to continue performing delegated functions.”
> We know some CAs use RAs that are not audited under WebTrust/ETSI because
> “there is no appropriate audit standard”. Now that there is an audit
> standard, it seems to me this criteria goes into effect immediately and
> any RA not audited would cause the CA to be out of compliance with the BRs.
> No additional ballot required since the concept is already baked into the
> BRs.
> Anyone have a different interpretation? If not, when is the exact date
> that the audits should be done? Already?

TL;DR: Don't worry. I don't think there's an impending doom date.

Officially, Chrome is not planning to immediately enforce the WebTrust for
RAs audit, and is still evaluating the most effective means to use and
consume this.

For best results, however, don't use RAs ;)

Here's the alternative interpretation I'll offer you:

The "auditing standards that underlie the accepted audit criteria" are, in
the case of WebTrust, are SSAE 18 (US), CSAE 3000 - 3001 (CA), and ISAE
3000 (elsewhere), with potentially jurisidiction-specific
(self-?)regulatory requirements or modifications, similar to the US/CA
harmonization with IFAC.

The "auditing standards that underlie the accepted audit criteria" are, for
ETSI EN 319 411-1 and ETSI EN 319 403, either (depending on your
perspective of "standard"), going to be seen as:
  a) ETSI EN 319 411-1 / ETSI EN 319 403
  b) ISO/IEC 17065

The former takes the view that the ETSI ESI documents are themselves the
standards for auditing, in that they define a set of standards appropriate
for "an" audit scheme, although absent the eIDAS Regulation lacks any
normative guidance about who the defining authority is for the appropriate
auditor (compared to IFAC and its constituent organizations, which does).

The latter takes the view that the ETSI ESI documents are themselves
adopted from the ISO/IEC standards and guidance on the development of
certification schemes (which covers a broad scheme of activities), and that
any scheme derived from the principles of 17065 is suitably empowered. It,
similarly, lacks the guidance as to who can perform the assessments, since
that is the role of the scheme operator (e.g. EU in the case of eIDAS).

The "nice" thing about these interpretations is that for CAs that are
concerned about being beyond reproach, but still make the (unfortunate)
choice to make use of delegated third parties, they can read these
requirements as using the relevant criteria from WebTrust or ETSI, under
the existing supervisory scheme, and argue compliance. CAs that don't like
to/don't want to know what their RAs are doing, and aren't as concerned
about security, could reasonably argue that the applicability of the
underlying standard means the CA defines what the expectations are (for
example, an "Agreed Upon Procedures" report - which I'm sure Don and Jeff
will jump in mentioning the CSAE limitations there), and then allow
'anyone' to perform that audit, modulo the IFAC standards with respect to
professional licensure.