[cabfpub] Audits and RAs

Dimitris Zacharopoulos (HARICA) dzacharo at harica.gr
Tue Jun 18 19:28:17 UTC 2019 

I believe we discussed this at the CA/B Forum meeting in Cupertino where 
it was explained that an RA can be audited with the existing 
ETSI/WebTrust criteria by only listing the necessary criteria relevant 
to RA operations. So, for the ETSI example, an RA would be audited 
against ETSI EN 319 411-1 by listing the most of the requirements of 319 
401 and the relevant sections of 411-1 for RA operations. This scope 
would be clearly indicated in the attestation letter, allowing the CA to 
have an independent auditor's opinion of the RA operations of a 
delegated third party.

I believe WebTrust for RAs has made a great job of defining the relevant 
criteria and separating them in a different document. ETSI has done 
something similar by identifying "service components" in EN 319 411-1 
(OVR, REG, REV, DIS, and so on).


Dimitris.

On 18/6/2019 8:51 μ.μ., Ryan Sleevi via Public wrote:
>
>
> On Tue, Jun 18, 2019 at 1:35 PM Jeremy Rowley via Public 
> <public at cabforum.org <mailto:public at cabforum.org>> wrote:
>
>     I think I heard the WebTrust auditors say last week that they have
>     finished or nearly finished the WebTrust for RAs criteria. The
>     language from Section 8.4 of the guidelines reads:
>
>     “For Delegated Third Parties which are not Enterprise RAs,, then
>     the CA SHALL obtain an audit report, issued under the auditing
>     standards that underlie the accepted audit schemes found in
>     Section 8.1, that provides an opinion whether the Delegated Third
>     Party’s performance complies with either the Delegated Third
>     Party’s practice statement or the CA’s Certificate Policy and/or
>     Certification Practice Statement. If the opinion is that the
>     Delegated Third Party does not comply, then the CA SHALL not allow
>     the Delegated Third Party to continue performing delegated functions.”
>
>     We know some CAs use RAs that are not audited under WebTrust/ETSI
>     because “there is no appropriate audit standard”. Now that there
>     is an audit standards, it seems to me this criteria goes into
>     effect immediately and any RA not audited would cause the CA to be
>     out of compliance with the BRs. No additional ballot required
>     since the concept is already baked into the BRs.
>
>     Anyone have a different interpretation?  If not, when is the exact
>     date that the audits should be done? Already?
>
>
> TL;DR: Don't worry. I don't think there's an impending doom date.
>
> Officially, Chrome is not planning to immediately enforce the WebTrust 
> for RAs audit, and is still evaluating the most effective means to use 
> and consume this.
>
> For best results, however, don't use RAs ;)
>
> Here's the alternative interpretation I'll over you:
>
> The "auditing standards that underlie the accepted audit criteria" 
> are, in the case of WebTrust, are SSAE 18 (US), CSAE 3000 - 3001 (CA), 
> and ISAE 3000 (elsewhere), with potentially jurisidiction-specific 
> (self-?)regulatory requirements or modifications, similar to the US/CA 
> harmonization with IFAC.
>
> The "auditing standards that underlie the accepted audit criteria" 
> are, for ETSI EN 319 411-1 and ETSI EN 319 403, either (depending on 
> your perspective of "standard"), going to be seen as:
>   a) ETSI EN 319 411-1 / ETSI EN 319 403
>   b) ISO/IEC 17065
>
> The former takes the view that the ETSI ESI documents are themselves 
> the standards for auditing, in that they define a set of standards 
> appropriate for "an" audit scheme, although absent the eIDAS 
> Regulation lacks any normative guidance about who the defining 
> authority is for the appropriate auditor (compared to IFAC and its 
> constituent organizations, which does).
>
> The latter takes the view that the ETSI ESI documents are themselves 
> adopted from the ISO/IEC standards and guidance on the development of 
> certification schemes (which covers a broad scheme of activities), and 
> that any scheme derived from the principles of 17065 is suitably 
> empowered. It, similarly, lacks the guidance as to who can perform the 
> assessments, since that is the role of the scheme operator (e.g. EU in 
> the case of eIDAS)
>
> The "nice" thing about these interpretations is that for CAs that are 
> concerned about being beyond reproach, but still make the 
> (unfortunate) choice to make use of delegated third parties, they can 
> read these requirements as using the relevant criteria from WebTrust 
> or ETSI, under the existing supervisory scheme, and argue compliance. 
> CAs that don't like to/don't want to know what their RAs are doing, 
> and aren't as concerned about security, could reasonably argue that 
> the applicability of the underlying standard means the CA defines what 
> the expectations are (for example, an "Agreed Upon Procedures" report 
> - which I'm sure Don and Jeff will jump in mentioning the CSAE 
> limitations there), and then allow 'anyone' to perform that audit, 
> modulo the IFAC standards with respect to professional licensure.
>
>
>
> _______________________________________________
> Public mailing list
> Public at cabforum.org
> https://cabforum.org/mailman/listinfo/public

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20190618/15107506/attachment-0003.html>

More information about the Public mailing list