[Smcwg-public] Audit Schem of a S/MIME CA

陳立群 realsky at cht.com.tw
Wed Oct 21 18:17:57 MST 2020


 

If we set up a new intermediate S/MIME CA that chains up to our Root with EKUs such
as Secured Email, Client Authentication and Server Authentication, the S/MIME
CA's CA certificate and EE certificates will contain an
id-kp-emailProtection and Client Authentication Extended Key Usage (EKU)
extension. From RFC 5280, this CA will not have the ability to issue SSL/TLS
certs. Besides WebTrust for CA, will this new intermediate S/MIME CA need
to pass Principle 4 of WebTrust for CA-SSL BR with Network Security
Audit (it corresponds to the NETWORK AND CERTIFICATE SYSTEM SECURITY REQUIREMENTS)?
For Google or Mozilla, they use EKU chaining and, from Mozilla policy
3.1.2.1, the new intermediate S/MIME CA need not pass Principle 4 of
WebTrust for CA-SSL BR with Network Security Audit. But it is not clear in
Apple's Root Program Policy. Does Cisco support an S/MIME trust bit/EKU?
 
But page 1 of these Network and Certificate System Security
Requirements (Requirements) says that “it applies to all publicly trusted
Certification Authorities (CAs)”. Or do the Network and Certificate System Security
Requirements (Requirements) only apply to SSL CAs? Principle 4 of WebTrust
for CA-SSL BR with Network Security Audit only applies to an intermediate CA
whose CA certificate contains anyEKU or has no EKU, but that intermediate CA
doesn't issue SSL/TLS certificates.
 
 

Li-Chun Chen
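The message above rests on EKU chaining: a path validator that nests EKU along the chain will not accept a serverAuth certificate from an intermediate whose EKU extension lists only emailProtection and clientAuth, so such a CA cannot usefully issue SSL/TLS certificates even though it could sign them. The following Go program is an added example, not part of this thread, of any CA, or of any of the audit documents cited. It uses only Go's standard crypto/x509 package, whose verifier enforces EKU nesting along the chain, to build a constructed PKI (root with no EKU extension, intermediate with emailProtection and clientAuth, one S/MIME leaf and one TLS leaf) and shows that the TLS leaf is rejected while the S/MIME leaf verifies. The CanIssueTLS helper answers the "technically able to issue SSL/TLS certs" question from the CA certificate alone, treating a missing EKU extension or anyExtendedKeyUsage as unconstrained, as the message does. All names, serial numbers and keys are constructed; which audit criteria apply remains a policy question that the code does not decide.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// SampleChain is a constructed PKI (no real CA): a root with no EKU extension,
// an intermediate whose EKU lists only emailProtection and clientAuth, and an
// S/MIME leaf plus a TLS server leaf, both signed by that intermediate.
type SampleChain struct {
	Root, Intermediate, SMIMELeaf, TLSLeaf *x509.Certificate
}

func newKey() *ecdsa.PrivateKey {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return key
}

// issue signs tmpl with parentKey; a nil parent yields a self-signed certificate.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, parentKey *ecdsa.PrivateKey) *x509.Certificate {
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// BuildSampleChain generates fresh keys and certificates on every call.
func BuildSampleChain() SampleChain {
	now := time.Now()
	caTemplate := func(serial int64, cn string, eku []x509.ExtKeyUsage) *x509.Certificate {
		return &x509.Certificate{
			SerialNumber:          big.NewInt(serial),
			Subject:               pkix.Name{CommonName: cn},
			NotBefore:             now.Add(-time.Hour),
			NotAfter:              now.Add(24 * time.Hour),
			IsCA:                  true,
			BasicConstraintsValid: true,
			KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
			ExtKeyUsage:           eku, // nil means no EKU extension at all
		}
	}
	leafTemplate := func(serial int64, cn string, eku x509.ExtKeyUsage) *x509.Certificate {
		return &x509.Certificate{
			SerialNumber: big.NewInt(serial),
			Subject:      pkix.Name{CommonName: cn},
			NotBefore:    now.Add(-time.Hour),
			NotAfter:     now.Add(24 * time.Hour),
			KeyUsage:     x509.KeyUsageDigitalSignature,
			ExtKeyUsage:  []x509.ExtKeyUsage{eku},
		}
	}

	rootKey, icaKey, smimeKey, tlsKey := newKey(), newKey(), newKey(), newKey()
	root := issue(caTemplate(1, "Example Root CA (constructed)", nil), nil, &rootKey.PublicKey, rootKey)
	ica := issue(caTemplate(2, "Example S/MIME Issuing CA (constructed)",
		[]x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection, x509.ExtKeyUsageClientAuth}),
		root, &icaKey.PublicKey, rootKey)

	smimeTmpl := leafTemplate(3, "alice@example.com", x509.ExtKeyUsageEmailProtection)
	smimeTmpl.EmailAddresses = []string{"alice@example.com"}
	tlsTmpl := leafTemplate(4, "www.example.com", x509.ExtKeyUsageServerAuth)
	tlsTmpl.DNSNames = []string{"www.example.com"}

	return SampleChain{
		Root:         root,
		Intermediate: ica,
		SMIMELeaf:    issue(smimeTmpl, ica, &smimeKey.PublicKey, icaKey),
		TLSLeaf:      issue(tlsTmpl, ica, &tlsKey.PublicKey, icaKey), // signs fine, chains badly
	}
}

// CanIssueTLS reports whether a CA certificate's EKU extension leaves it technically
// able to issue serverAuth (TLS) certificates under EKU chaining: no EKU extension,
// anyExtendedKeyUsage, or an explicit serverAuth all permit it.
func CanIssueTLS(ca *x509.Certificate) bool {
	if len(ca.ExtKeyUsage) == 0 && len(ca.UnknownExtKeyUsage) == 0 {
		return true
	}
	for _, u := range ca.ExtKeyUsage {
		if u == x509.ExtKeyUsageAny || u == x509.ExtKeyUsageServerAuth {
			return true
		}
	}
	return false
}

// VerifyFor builds a path from leaf to the sample root and lets crypto/x509 apply
// EKU nesting: every certificate on the path that carries an EKU extension must
// permit the requested usage. It returns nil when the leaf is acceptable for usage.
func VerifyFor(c SampleChain, leaf *x509.Certificate, usage x509.ExtKeyUsage) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(c.Root)
	inters.AddCert(c.Intermediate)
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:         roots,
		Intermediates: inters,
		KeyUsages:     []x509.ExtKeyUsage{usage},
	})
	return err
}

func main() {
	c := BuildSampleChain()
	fmt.Println("intermediate technically able to issue TLS:", CanIssueTLS(c.Intermediate))
	fmt.Println("S/MIME leaf verified for emailProtection, error:", VerifyFor(c, c.SMIMELeaf, x509.ExtKeyUsageEmailProtection))
	fmt.Println("TLS leaf verified for serverAuth, error:", VerifyFor(c, c.TLSLeaf, x509.ExtKeyUsageServerAuth))
}
```

Run it with `go run`: the S/MIME leaf reports a nil error, while the TLS leaf fails with an incompatible key usage error even though its signature by the intermediate is valid. The same CanIssueTLS check can be run over a real intermediate parsed with x509.ParseCertificate to see whether its EKU extension, rather than its issuance practice, is what keeps it out of TLS scope.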

               

 

From: Jeff Ward <jward at bdo.com> 
Sent: Sunday, August 23, 2020 4:59 AM
To: 陳立群 <realsky at cht.com.tw>; 'SMIME Certificate Working Group'
<smcwg-public at cabforum.org>
Subject: [外部郵件] Re: [Smcwg-public] Audit Schem of a S/MIME CA

 

If the CA either issues or has the ability to issue SSL/TLS certs, baseline
requirements apply.   

 

Jeff Ward, CPA, CGMA, CITP, CISA, CISSP, CEH

National Managing Partner Third Party Attestation

(SOC/WebTrust/Cybersecurity)

314-889-1220 (Direct) 347-1220 (Internal)

jward at bdo.com

BDO

101 S Hanley Rd, #800

St. Louis, MO 63105

UNITED STATES

314-889-1100

www.bdo.com

Please consider the environment before printing this e-mail

 

  _____  

From: 陳立群 <realsky at cht.com.tw>
Sent: Friday, August 21, 2020 6:59 AM
To: Jeff Ward <jward at bdo.com>; 'SMIME Certificate Working Group' <smcwg-public at cabforum.org>
Subject: RE: [Smcwg-public] Audit Schem of a S/MIME CA

 

Attention: This email was sent from someone outside of BDO USA. Always use
caution when opening attachments or clicking links from unknown senders or
when receiving unexpected emails.

Dear Jeff,

 

      Thank you very much for your information.

 

      In the example diagram, issuing CA 2 would need to receive a WebTrust
for CA based on the Audit Requirements of the Microsoft Trusted Root
Certificate Program. Issuing CA 2 does not need to receive the Network Security
Requirements (Principle 4). Right?

 

 
https://docs.microsoft.com/en-us/security/trusted-root/audit-requirements

 



 

 

      The audit scheme for an S/MIME CA is not clear from Apple's root
program webpage https://www.apple.com/certificateauthority/ca_program.html
and Chrome's Root Certificate Policy
https://sites.google.com/a/chromium.org/dev/Home/chromium-security/root-ca-policy .

 

 

Li-Chun Chen

Chunghwa Telecom

 

From: Jeff Ward <jward at bdo.com>
Sent: Thursday, August 20, 2020 10:26 PM
To: 陳立群 <realsky at cht.com.tw>; SMIME Certificate Working Group <smcwg-public at cabforum.org>
Subject: [外部郵件] RE: [Smcwg-public] Audit Schem of a S/MIME CA

 

In the example diagram, Issuing CA 2 would need to receive a WebTrust for CA
based on Mozilla policy 3.1.2.1.  

 



 

Jeff Ward, CPA, CGMA, CITP, CISA, CISSP, CEH
National Managing Partner Third Party Attestation
(SOC/WebTrust/Cybersecurity)
314-889-1220 (Direct)    347-1220 (Internal)
314-387-0189 (Mobile)
jward at bdo.com

BDO
101 S Hanley Rd, Suite 800
St. Louis, MO 63105 
UNITED STATES
314-889-1100
 
www.bdo.com

 
BDO File Exchange (secure file sharing): https://fileexchange.bdo.com/

Please consider the environment before printing this e-mail

 

From: Smcwg-public <smcwg-public-bounces at cabforum.org> On Behalf Of 陳立群 via
Smcwg-public
Sent: Wednesday, August 19, 2020 9:29 PM
To: 'SMIME Certificate Working Group' <smcwg-public at cabforum.org>
Subject: Re: [Smcwg-public] Audit Schem of a S/MIME CA

 


There are some typos in the previous e-mail, such as “audit schema”, which should be
“audit scheme”, and “I wonder to know certificate consumers member and CPA
Canada’s opinion.”, which should be “I wonder to know certificate consumers
members’ and CPA Canada WebTrust Task Force’s opinion.”

 

Thanks. 

 

       Li-Chun

 

From: Smcwg-public <smcwg-public-bounces at cabforum.org> On Behalf Of 陳立群 via
Smcwg-public
Sent: Thursday, August 20, 2020 8:59 AM
To: 'SMIME Certificate Working Group' <smcwg-public at cabforum.org>
Subject: [外部郵件] [Smcwg-public] Audit Schem of a S/MIME CA

 

I wonder about the audit schema of an issuing CA that issues S/MIME certificates, like
issuing CA 2 (S/MIME Certificates) in the upper diagram on page 10 of WebTrust
for CA 2.2
(https://www.cpacanada.ca/-/media/site/operational/ms-member-services/docs/webtrust/webtrust-for-ca-22.pdf?la=en&hash=76D4C1F8363D563CE7FC09031E54ACA2EBFE3E3A).

 

From the WebTrust for Certification Authorities - Audit Applicability Matrix
(https://www.cpacanada.ca/en/business-and-accounting-resources/audit-and-assurance/overview-of-webtrust-services/principles-and-criteria)
or the attached file, this issuing CA 2 (S/MIME Certificates) belongs to
“Publicly-Trusted Commercial PKI - All other uses” or
“Publicly-Trusted Government PKI - All other uses”, so the audit scheme
should be RKGC, Key Protection and WebTrust.

 

But someone may argue that, as the Root CA in the upper diagram on page 10 of WebTrust
for CA 2.2 has website and e-mail trust bits, the issuing CA 2 (S/MIME
Certificates) should pass WebTrust for CA-SSL BR with Network Security Audit
Criteria Principle 4. I see WebTrust Principles and Criteria for
Certification Authorities – SSL Baseline with Network Security – Version
2.4.1
(https://www.cpacanada.ca/-/media/site/operational/ms-member-services/docs/webtrust/wtbr-241-final--ssl-baseline-with-network-security-june-30-2019.pdf?la=en&hash=15117D0B4FB70FB113C7D1D88802A26FE820FB60),
page 3. It says that “However, the Network Security Requirements
(Principle 4) would apply to all CAs – Root CA, CA 1, CA 2, CA 3, and CA
4.” Note that CA-3 is an S/MIME CA.

                      

    I wonder to know certificate consumers member and CPA Canada’s opinion.


 

Thanks.

 

Li-Chun Chen

Chunghwa Telecom

 

This message may contain confidential information of Chunghwa Telecom Co., Ltd.
If you are not the intended recipient, please do not collect, process or use the
contents of this message, and please destroy it. If you are the intended recipient,
you should properly protect the company's trade secrets and personal data contained
in the mail, must not distribute or disclose them at will, and should verify the
safety of this mail's attachments and hyperlinks yourself, so as to jointly fulfil
information security and personal data protection responsibilities.

Please be advised that this email message (including any attachments)
contains confidential information and may be legally privileged. If you are
not the intended recipient, please destroy this message and all attachments
from your system and do not further collect, process, or use them. Chunghwa
Telecom and all its subsidiaries and associated companies shall not be
liable for the improper or incomplete transmission of the information
contained in this email nor for any delay in its receipt or damage to your
system. If you are the intended recipient, please protect the confidential
and/or personal information contained in this email with due care. Any
unauthorized use, disclosure or distribution of this message in whole or in
part is strictly prohibited. Also, please self-inspect attachments and
hyperlinks contained in this email to ensure the information security and to
protect personal information.

 

 

 


 

 



The health and safety of our people and communities is our top priority, as
we all do our part to help stop the spread of COVID-19. All BDO USA offices
will be closed until further notice. While we will be working from home, our
already-flexible work environment enables us to make this transition
seamlessly and we have the technology in place to continue to provide the
same excellent level of service our clients are accustomed to. We are here
if you need us, just as before, and if we can be helpful as you navigate the
uncertainty, we stand ready. 

BDO USA, LLP, a Delaware limited liability partnership, is the U.S. member
of BDO International Limited, a UK company limited by guarantee, and forms
part of the international BDO network of independent member firms. 

BDO is the brand name for the BDO network and for each of the BDO Member
Firms.

IMPORTANT NOTICES

The contents of this email and any attachments to it may contain privileged
and confidential information from BDO USA, LLP. This information is only for
the viewing or use of the intended recipient. If you are not the intended
recipient, you are hereby notified that any disclosure, copying,
distribution or use of, or the taking of any action in reliance upon, the
information contained in this e-mail, or any of the attachments to this
e-mail, is strictly prohibited and that this e-mail and all of the
attachments to this e-mail, if any, must be immediately returned to BDO USA,
LLP or destroyed and, in either case, this e-mail and all attachments to
this e-mail must be immediately deleted from your computer without making
any copies hereof. If you have received this e-mail in error, please notify
BDO USA, LLP by e-mail immediately.

 


 

 



