[Servercert-wg] Audit Model Proposals

David Kluge kluge at google.com
Tue Aug 17 20:05:32 UTC 2021


The following document is the result of work by the Cloud Services subgroup
as a follow-up to SCWG subgroup discussions during the F2F on Tuesday,
We welcome your comments and suggestions within the next two weeks.

Many CAs now use cloud services to perform data processing, storage, and
distribution operations. The Baseline Requirements and the Network and
Certificate System Security Requirements (NSRs) do not provide much clarity
on how CAs can utilize such services in running parts of their
infrastructure, but as the trend to utilize cloud services continues, there
needs to be an effective source of third-party assurance for each service
provided. A key question in this context is how audits should be performed.

Under the current WebTrust/ETSI audit regimes, browsers rely predominantly
on the CA’s annual audit report(s) to assess the security of CA services.
Our working group has looked at different models by which auditors can
assess the security of the CA using a Cloud Service Provider (CSP). We
would like to ask you for your input on these models to determine which one
is the most suitable. Also, we would appreciate any ideas on alternative
approaches that we might not have thought of.
Best regards,
for the Cloud Services subgroup

Audit Model Proposals

Model 1 – Direct audit: third party controls included in CA audit

The CA’s auditor includes third parties into the CA’s audit report. Control
testing at the third party is performed by the CA’s auditor directly. This
model assumes that the CA has some control over the CSP and that no changes
to the NSRs will be needed.

Model 2 - Indirect audit through the CA’s supplier management process

CAs would be required to formally document their supplier management
processes that includes a review of the CSP’s compliance with applicable
security requirements from the Baseline Requirements and NSRs. Auditors
would then audit the CA based on the documentation collected, and the
effectiveness of the process would be assessed as part of the CA’s annual
WebTrust/ETSI audit (indirect audit). The quality of the assessment process
and audit would be ensured by applying WebTrust/ETSI audit criteria
applicable to the service provided. This option is the most similar to
existing processes used today by businesses with similar data security and
audit requirements, such as financial institutions. For this model, a
supplier-management section would be added to the NSRs.

Additionally, the cloud service subgroup could develop a methodology
defining how this supplier management process must operate, what types of
audits are acceptable, and how to evaluate the quality and applicability of
such indirect audits.

Model 3 - Separate audits for the CA and its cloud service providers

CSPs are audited directly against the relevant security standards. CSPs
would provide their audit reports directly to the browsers. CAs would make
use of CSPs with accepted reports. For this model, the NSRs would be
modified to identify which subset of requirements applies to CSPs.

Alternatively, CSPs could be audited directly against the relevant security
standards and submit their audits to CAs who enclose them in their annual
audit report delivery in the Common CA Database (CCADB).

Model 4 - Separate audits for CSPs with browser-approved auditors

Past discussions have brought up the idea that browsers could audit CSPs
directly or maintain a list of approved CSPs whose products and security
controls are deemed acceptable for the respective CA service.  This model
would give browsers more control over the audit process and could increase
their confidence in the quality of the audit opinion. An approved vendor
list would allow browsers to vet CSPs only once. While the approved CSP
list would reduce the number of CSP reviews (versus the number of CAs
included in root programs), there are a number of problems with this model.
One is that some browsers do not have the resources to perform audits of
this magnitude, and especially not in the required quantity and on an
international level. Another is that CSPs probably do not look forward to
being directly responsible for additional audits from another industry,
especially not for the small number of CAs globally. There are also
concerns about the management and complexity of such a program.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/servercert-wg/attachments/20210817/28c8bf84/attachment-0001.html>

More information about the Servercert-wg mailing list