[Smcwg-public] Audit Schem of a S/MIME CA

Jeff Ward jward at bdo.com
Sat Aug 22 13:59:18 MST 2020


If the CA either issues or has the ability to issue SSL/TLS certs, baseline requirements apply.


Jeff Ward, CPA, CGMA, CITP, CISA, CISSP, CEH

National Managing Partner Third Party Attestation

(SOC/WebTrust/Cybersecurity)

314-889-1220 (Direct) 347-1220 (Internal)

jward at bdo.com

BDO

101 S Hanley Rd, #800

St. Louis, MO 63105

UNITED STATES

314-889-1100

www.bdo.com

Please consider the environment before printing this e-mail

________________________________
From: 陳立群 <realsky at cht.com.tw>
Sent: Friday, August 21, 2020 6:59 AM
To: Jeff Ward <jward at bdo.com>; 'SMIME Certificate Working Group' <smcwg-public at cabforum.org>
Subject: RE: [Smcwg-public] Audit Schem of a S/MIME CA


Dear Jeff,



      Thank you very much for your information.



      In the example diagram, issuing CA 2 would need to receive a Webtrust for CA based on Microsoft Audit Requirements of Microsoft Trusted Root Certificate Program. Issuing CA 2 need not to receive the Network Security Requirements (Principle 4). Right?



https://docs.microsoft.com/en-us/security/trusted-root/audit-requirements



[Attachment: image002.png]





The audit scheme for an S/MIME CA is not clear from Apple's root program webpage https://www.apple.com/certificateauthority/ca_program.html or from Chrome's Root Certificate Policy https://sites.google.com/a/chromium.org/dev/Home/chromium-security/root-ca-policy .





     Li-Chun Chen

     Chunghwa Telecom



From: Jeff Ward <jward at bdo.com>
Sent: Thursday, August 20, 2020 10:26 PM
To: 陳立群 <realsky at cht.com.tw>; SMIME Certificate Working Group <smcwg-public at cabforum.org>
Subject: [External Mail] RE: [Smcwg-public] Audit Schem of a S/MIME CA



In the example diagram, Issuing CA 2 would need to receive a WebTrust for CA based on Mozilla policy 3.1.2.1.



[Attachment: image001.png]



Jeff Ward, CPA, CGMA, CITP, CISA, CISSP, CEH
National Managing Partner Third Party Attestation (SOC/WebTrust/Cybersecurity)
314-889-1220 (Direct)    347-1220 (Internal)
314-387-0189 (Mobile)
jward at bdo.com

BDO
101 S Hanley Rd, Suite 800
St. Louis, MO 63105
UNITED STATES
314-889-1100
www.bdo.com

BDO File Exchange (secure file sharing) <https://fileexchange.bdo.com/>

Please consider the environment before printing this e-mail

From: Smcwg-public <smcwg-public-bounces at cabforum.org> On Behalf Of 陳立群 via Smcwg-public
Sent: Wednesday, August 19, 2020 9:29 PM
To: 'SMIME Certificate Working Group' <smcwg-public at cabforum.org>
Subject: Re: [Smcwg-public] Audit Schem of a S/MIME CA



There are some typos in the previous e-mail: "audit schema" should be "audit scheme", and "I wonder to know certificate consumers member and CPA Canada's opinion." should be "I wonder to know certificate consumers members' and CPA Canada WebTrust Task Force's opinion."



Thanks.



       Li-Chun



From: Smcwg-public <smcwg-public-bounces at cabforum.org> On Behalf Of 陳立群 via Smcwg-public
Sent: Thursday, August 20, 2020 8:59 AM
To: 'SMIME Certificate Working Group' <smcwg-public at cabforum.org>
Subject: [External Mail] [Smcwg-public] Audit Schem of a S/MIME CA



I wonder about the audit schema of an issuing CA that issues S/MIME certificates, such as issuing CA 2 (S/MIME Certificates) in the upper diagram on page 10 of WebTrust for CA 2.2 (https://www.cpacanada.ca/-/media/site/operational/ms-member-services/docs/webtrust/webtrust-for-ca-22.pdf?la=en&hash=76D4C1F8363D563CE7FC09031E54ACA2EBFE3E3A).



From the WebTrust for Certification Authorities - Audit Applicability Matrix (https://www.cpacanada.ca/en/business-and-accounting-resources/audit-and-assurance/overview-of-webtrust-services/principles-and-criteria) or the attached file, this issuing CA 2 (S/MIME Certificates) belongs to "Publicly-Trusted Commercial PKI - All other uses" or "Publicly-Trusted Government PKI - All other uses", so the audit scheme should be RKGC, Key Protection and WebTrust.



But someone may argue that, as the Root CA in the upper diagram on page 10 of WebTrust for CA 2.2 has website and e-mail trust bits, the issuing CA 2 (S/MIME Certificates) should pass WebTrust for CA - SSL BR with Network Security Audit Criteria Principle 4. I see that WebTrust Principles and Criteria for Certification Authorities – SSL Baseline with Network Security – Version 2.4.1 (https://www.cpacanada.ca/-/media/site/operational/ms-member-services/docs/webtrust/wtbr-241-final--ssl-baseline-with-network-security-june-30-2019.pdf?la=en&hash=15117D0B4FB70FB113C7D1D88802A26FE820FB60), page 3, says: "However, the Network Security Requirements (Principle 4) would apply to all CAs – Root CA, CA 1, CA 2, CA 3, and CA 4." Note that CA 3 is an S/MIME CA.



    I wonder to know certificate consumers member and CPA Canada’s opinion.



    Thanks.



          Li-Chun Chen

          Chunghwa Telecom



Please be advised that this email message (including any attachments) contains confidential information and may be legally privileged. If you are not the intended recipient, please destroy this message and all attachments from your system and do not further collect, process, or use them. Chunghwa Telecom and all its subsidiaries and associated companies shall not be liable for the improper or incomplete transmission of the information contained in this email nor for any delay in its receipt or damage to your system. If you are the intended recipient, please protect the confidential and/or personal information contained in this email with due care. Any unauthorized use, disclosure or distribution of this message in whole or in part is strictly prohibited. Also, please self-inspect attachments and hyperlinks contained in this email to ensure the information security and to protect personal information.

The health and safety of our people and communities is our top priority, as we all do our part to help stop the spread of COVID-19. All BDO USA offices will be closed until further notice. While we will be working from home, our already-flexible work environment enables us to make this transition seamlessly and we have the technology in place to continue to provide the same excellent level of service our clients are accustomed to. We are here if you need us, just as before, and if we can be helpful as you navigate the uncertainty, we stand ready.

BDO USA, LLP, a Delaware limited liability partnership, is the U.S. member of BDO International Limited, a UK company limited by guarantee, and forms part of the international BDO network of independent member firms.

BDO is the brand name for the BDO network and for each of the BDO Member Firms.

IMPORTANT NOTICES

The contents of this email and any attachments to it may contain privileged and confidential information from BDO USA, LLP. This information is only for the viewing or use of the intended recipient. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution or use of, or the taking of any action in reliance upon, the information contained in this e-mail, or any of the attachments to this e-mail, is strictly prohibited and that this e-mail and all of the attachments to this e-mail, if any, must be immediately returned to BDO USA, LLP or destroyed and, in either case, this e-mail and all attachments to this e-mail must be immediately deleted from your computer without making any copies hereof. If you have received this e-mail in error, please notify BDO USA, LLP by e-mail immediately.