[cabfpub] Audits and RAs
Dimitris Zacharopoulos (HARICA)
dzacharo at harica.gr
Tue Jun 18 19:28:17 UTC 2019
I believe we discussed this at the CA/B Forum meeting in Cupertino where
it was explained that an RA can be audited with the existing
ETSI/WebTrust criteria by only listing the necessary criteria relevant
to RA operations. So, for the ETSI example, an RA would be audited
against ETSI EN 319 411-1 by listing most of the requirements of 319
401 and the relevant sections of 411-1 for RA operations. This scope
would be clearly indicated in the attestation letter, allowing the CA to
have an independent auditor's opinion of the RA operations of a
delegated third party.
I believe WebTrust for RAs has done a great job of defining the relevant
criteria and separating them in a different document. ETSI has done
something similar by identifying "service components" in EN 319 411-1
(OVR, REG, REV, DIS, and so on).
Dimitris.
On 18/6/2019 8:51 PM, Ryan Sleevi via Public wrote:
>
> On Tue, Jun 18, 2019 at 1:35 PM Jeremy Rowley via Public
> <public at cabforum.org <mailto:public at cabforum.org>> wrote:
>
> I think I heard the WebTrust auditors say last week that they have
> finished or nearly finished the WebTrust for RAs criteria. The
> language from Section 8.4 of the guidelines reads:
>
> “For Delegated Third Parties which are not Enterprise RAs, then
> the CA SHALL obtain an audit report, issued under the auditing
> standards that underlie the accepted audit schemes found in
> Section 8.1, that provides an opinion whether the Delegated Third
> Party’s performance complies with either the Delegated Third
> Party’s practice statement or the CA’s Certificate Policy and/or
> Certification Practice Statement. If the opinion is that the
> Delegated Third Party does not comply, then the CA SHALL not allow
> the Delegated Third Party to continue performing delegated functions.”
>
> We know some CAs use RAs that are not audited under WebTrust/ETSI
> because “there is no appropriate audit standard”. Now that there
> is an audit standard, it seems to me this criterion goes into
> effect immediately and any RA not audited would cause the CA to be
> out of compliance with the BRs. No additional ballot required
> since the concept is already baked into the BRs.
>
> Anyone have a different interpretation? If not, when is the exact
> date that the audits should be done? Already?
>
> TL;DR: Don't worry. I don't think there's an impending doom date.
>
> Officially, Chrome is not planning to immediately enforce the WebTrust
> for RAs audit, and is still evaluating the most effective means to use
> and consume this.
>
> For best results, however, don't use RAs ;)
>
> Here's the alternative interpretation I'll offer you:
>
> The "auditing standards that underlie the accepted audit criteria"
> are, in the case of WebTrust, SSAE 18 (US), CSAE 3000 - 3001 (CA),
> and ISAE 3000 (elsewhere), with potentially jurisdiction-specific
> (self-?)regulatory requirements or modifications, similar to the US/CA
> harmonization with IFAC.
>
> The "auditing standards that underlie the accepted audit criteria"
> are, for ETSI EN 319 411-1 and ETSI EN 319 403, either (depending on
> your perspective of "standard"), going to be seen as:
> a) ETSI EN 319 411-1 / ETSI EN 319 403
> b) ISO/IEC 17065
>
> The former takes the view that the ETSI ESI documents are themselves
> the standards for auditing, in that they define a set of standards
> appropriate for "an" audit scheme, although, absent the eIDAS
> Regulation, lacks any normative guidance about who the defining
> authority is for the appropriate auditor (compared to IFAC and its
> constituent organizations, which does).
>
> The latter takes the view that the ETSI ESI documents are themselves
> adopted from the ISO/IEC standards and guidance on the development of
> certification schemes (which covers a broad scheme of activities), and
> that any scheme derived from the principles of 17065 is suitably
> empowered. It, similarly, lacks the guidance as to who can perform the
> assessments, since that is the role of the scheme operator (e.g. EU in
> the case of eIDAS).
>
> The "nice" thing about these interpretations is that for CAs that are
> concerned about being beyond reproach, but still make the
> (unfortunate) choice to make use of delegated third parties, they can
> read these requirements as using the relevant criteria from WebTrust
> or ETSI, under the existing supervisory scheme, and argue compliance.
> CAs that don't like to/don't want to know what their RAs are doing,
> and aren't as concerned about security, could reasonably argue that
> the applicability of the underlying standard means the CA defines what
> the expectations are (for example, an "Agreed Upon Procedures" report
> - which I'm sure Don and Jeff will jump in mentioning the CSAE
> limitations there), and then allow 'anyone' to perform that audit,
> modulo the IFAC standards with respect to professional licensure.
>
> _______________________________________________
> Public mailing list
> Public at cabforum.org
> https://cabforum.org/mailman/listinfo/public