[Smcwg-public] Audit Schem of a S/MIME CA
Dimitris Zacharopoulos (HARICA)
dzacharo at harica.gr
Wed Oct 21 23:45:05 MST 2020
Li-Chun,
The applicable audit requirements for S/MIME Issuing CAs are described
in the various Root Program sites. Check out the following for Mozilla
and Microsoft:
* https://github.com/mozilla/pkipolicy/blob/2.7/rootstore/policy.md#312-required-audits
* https://docs.microsoft.com/en-us/security/trusted-root/audit-requirements#a-webtrust-audits
Hope this helps.
Dimitris.
On 2020-10-22 4:17 AM, 陳立群 via Smcwg-public wrote:
>
> Suppose we set up a new intermediate S/MIME CA that chains up to our
> Root with EKUs such as Secured Email, Client Authentication and Server
> Authentication. The S/MIME CA’s CA certificate and EE certificates
> will contain an id-kp-emailProtection and Client Authentication
> Extended Key Usage (EKU) extension. From RFC 5280, this CA will not
> have the ability to issue SSL/TLS certs. Besides WebTrust for CA,
> will this new intermediate S/MIME CA need to pass Principle 4 of
> WebTrust for CA-SSL BR with Network Security Audit (it corresponds to
> the NETWORK AND CERTIFICATE SYSTEM SECURITY REQUIREMENTS)? Google and
> Mozilla use EKU chaining, and from Mozilla policy 3.1.2.1, the
> new intermediate S/MIME CA need not pass Principle 4 of WebTrust
> for CA-SSL BR with Network Security Audit. But it is not clear in
> Apple’s Root Program Policy. Does CISCO support the S/MIME trust bit/EKU?
> But page 1 of the Network and Certificate System Security
> Requirements (Requirements) says “it applies to all publicly
> trusted Certification Authorities (CAs)”. Or do the Network and Certificate
> System Security Requirements (Requirements) only apply to SSL CAs?
> Principle 4 of WebTrust for CA-SSL BR with Network Security Audit
> only applies to an intermediate CA whose CA certificate contains
> anyEKU or no EKU but which doesn’t issue SSL/TLS
> certificates.
>
> Li-Chun Chen
>
> *From:* Jeff Ward <jward at bdo.com>
> *Sent:* Sunday, August 23, 2020 4:59 AM
> *To:* 陳立群 <realsky at cht.com.tw>; 'SMIME Certificate Working Group'
> <smcwg-public at cabforum.org>
> *Subject:* [External Mail] Re: [Smcwg-public] Audit Schem of a S/MIME CA
>
> If the CA either issues or has the ability to issue SSL/TLS certs,
> baseline requirements apply.
>
> *Jeff Ward, CPA, CGMA, CITP, CISA, CISSP, CEH*
>
> National Managing Partner Third Party Attestation
>
> (SOC/WebTrust/Cybersecurity)
>
> 314-889-1220 (Direct) 347-1220 (Internal)
>
> jward at bdo.com <mailto:jward at bdo.com>
>
> *BDO*
>
> 101 S Hanley Rd, #800
>
> St. Louis, MO 63105
>
> UNITED STATES
>
> 314-889-1100
>
> www.bdo.com <http://www.bdo.com>
>
> Please consider the environment before printing this e-mail
>
> ------------------------------------------------------------------------
>
> *From:* 陳立群 <realsky at cht.com.tw>
> *Sent:* Friday, August 21, 2020 6:59 AM
> *To:* Jeff Ward <jward at bdo.com>; 'SMIME
> Certificate Working Group' <smcwg-public at cabforum.org>
> *Subject:* RE: [Smcwg-public] Audit Schem of a S/MIME CA
>
> Dear Jeff,
>
> Thank you very much for your information.
>
> In the example diagram, issuing CA 2 would need to receive a
> WebTrust for CA based on the Microsoft Audit Requirements of the Microsoft
> Trusted Root Certificate Program. Issuing CA 2 need not receive the
> Network Security Requirements (Principle 4). Right?
>
> https://docs.microsoft.com/en-us/security/trusted-root/audit-requirements
>
> The audit scheme for an S/MIME CA is not clear from Apple’s
> root program webpage
> https://www.apple.com/certificateauthority/ca_program.html
> or from Chrome’s Root Certificate Policy
> https://sites.google.com/a/chromium.org/dev/Home/chromium-security/root-ca-policy
>
> Li-Chun Chen
>
> Chunghwa Telecom
>
> *From:* Jeff Ward <jward at bdo.com>
> *Sent:* Thursday, August 20, 2020 10:26 PM
> *To:* 陳立群 <realsky at cht.com.tw>; SMIME
> Certificate Working Group <smcwg-public at cabforum.org>
> *Subject:* [External Mail] RE: [Smcwg-public] Audit Schem of a S/MIME CA
>
> In the example diagram, Issuing CA 2 would need to receive a WebTrust
> for CA based on Mozilla policy 3.1.2.1.
>
> *Jeff Ward, CPA, CGMA, CITP, CISA, CISSP, CEH*
> National Managing Partner Third Party Attestation
> (SOC/WebTrust/Cybersecurity)
> 314-889-1220 (Direct) 347-1220 (Internal)
> 314-387-0189 (Mobile)
> jward at bdo.com <mailto:jward at bdo.com>
>
> *BDO*
> 101 S Hanley Rd, Suite 800
> St. Louis, MO 63105
> UNITED STATES
> 314-889-1100
> www.bdo.com
>
> Please consider the environment before printing this e-mail
>
> *From:* Smcwg-public <smcwg-public-bounces at cabforum.org>
> *On Behalf Of* 陳立群 via Smcwg-public
> *Sent:* Wednesday, August 19, 2020 9:29 PM
> *To:* 'SMIME Certificate Working Group' <smcwg-public at cabforum.org>
> *Subject:* Re: [Smcwg-public] Audit Schem of a S/MIME CA
>
> There are some typos in the previous e-mail, such as “audit schema” should
> be “audit scheme”, and “I wonder to know certificate consumers member and
> CPA Canada’s opinion.” should be “I wonder to know certificate
> consumers members’ and CPA Canada WebTrust Task Force’s opinion.”
>
> Thanks.
>
> Li-Chun
>
> *From:* Smcwg-public <smcwg-public-bounces at cabforum.org>
> *On Behalf Of* 陳立群 via Smcwg-public
> *Sent:* Thursday, August 20, 2020 8:59 AM
> *To:* 'SMIME Certificate Working Group' <smcwg-public at cabforum.org>
> *Subject:* [External Mail] [Smcwg-public] Audit Schem of a S/MIME CA
>
> I wonder about the audit schema of an issuing CA that issues S/MIME
> certificates, such as issuing CA 2 (S/MIME Certificates) in the upper
> diagram on page 10 of WebTrust for CA 2.2
> (https://www.cpacanada.ca/-/media/site/operational/ms-member-services/docs/webtrust/webtrust-for-ca-22.pdf?la=en&hash=76D4C1F8363D563CE7FC09031E54ACA2EBFE3E3A).
>
> From the WebTrust for Certification Authorities - Audit Applicability
> Matrix (https://www.cpacanada.ca/en/business-and-accounting-resources/audit-and-assurance/overview-of-webtrust-services/principles-and-criteria)
> or the attached file, this issuing CA 2 (S/MIME Certificates) belongs
> to “Publicly-Trusted Commercial PKI - All other uses” or
> “Publicly-Trusted Government PKI - All other uses”, so the audit
> scheme should be RKGC, Key Protection and WebTrust.
>
> But someone may argue that, as the Root CA in the upper diagram on page
> 10 of WebTrust for CA 2.2 has the website and e-mail trust bits, issuing
> CA 2 (S/MIME Certificates) should pass WebTrust for CA-SSL BR with Network
> Security Audit Criteria Principle 4. I see that WebTrust Principles and
> Criteria for Certification Authorities – SSL Baseline with Network
> Security – Version 2.4.1
> (https://www.cpacanada.ca/-/media/site/operational/ms-member-services/docs/webtrust/wtbr-241-final--ssl-baseline-with-network-security-june-30-2019.pdf?la=en&hash=15117D0B4FB70FB113C7D1D88802A26FE820FB60),
> page 3, says: “However, the Network Security Requirements
> (Principle 4) would apply to all CAs – Root CA, CA 1, CA 2, CA 3, and
> CA 4.” Note that CA 3 is an S/MIME CA.
>
> I wonder to know certificate consumers member and CPA Canada’s
> opinion.
>
> Thanks.
>
> Li-Chun Chen
>
> Chunghwa Telecom
>
> Please be advised that this email message (including any attachments)
> contains confidential information and may be legally privileged. If
> you are not the intended recipient, please destroy this message and
> all attachments from your system and do not further collect, process,
> or use them. Chunghwa Telecom and all its subsidiaries and associated
> companies shall not be liable for the improper or incomplete
> transmission of the information contained in this email nor for any
> delay in its receipt or damage to your system. If you are the intended
> recipient, please protect the confidential and/or personal information
> contained in this email with due care. Any unauthorized use,
> disclosure or distribution of this message in whole or in part is
> strictly prohibited. Also, please self-inspect attachments and
> hyperlinks contained in this email to ensure the information security
> and to protect personal information.
>
> The health and safety of our people and communities is our top
> priority, as we all do our part to help stop the spread of COVID-19.
> All BDO USA offices will be closed until further notice. While we will
> be working from home, our already-flexible work environment enables us
> to make this transition seamlessly and we have the technology in place
> to continue to provide the same excellent level of service our clients
> are accustomed to. We are here if you need us, just as before, and if
> we can be helpful as you navigate the uncertainty, we stand ready.
>
> BDO USA, LLP, a Delaware limited liability partnership, is the
> U.S. member of BDO International Limited, a UK company limited by
> guarantee, and forms part of the international BDO network of
> independent member firms.
>
> BDO is the brand name for the BDO network and for each of the BDO
> Member Firms.
>
> IMPORTANT NOTICES
>
> The contents of this email and any attachments to it may contain
> privileged and confidential information from BDO USA, LLP. This
> information is only for the viewing or use of the intended recipient.
> If you are not the intended recipient, you are hereby notified that
> any disclosure, copying, distribution or use of, or the taking of any
> action in reliance upon, the information contained in this e-mail, or
> any of the attachments to this e-mail, is strictly prohibited and that
> this e-mail and all of the attachments to this e-mail, if any, must be
> immediately returned to BDO USA, LLP or destroyed and, in either case,
> this e-mail and all attachments to this e-mail must be immediately
> deleted from your computer without making any copies hereof. If you
> have received this e-mail in error, please notify BDO USA, LLP by
> e-mail immediately.
>
> _______________________________________________
> Smcwg-public mailing list
> Smcwg-public at cabforum.org
> https://lists.cabforum.org/mailman/listinfo/smcwg-public
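The thread turns on EKU chaining: an intermediate whose EKU extension carries id-kp-emailProtection and id-kp-clientAuth but omits id-kp-serverAuth cannot, in a client that applies EKU chaining, produce a leaf that is accepted for TLS, whatever the leaf itself asserts, whereas an intermediate with no EKU extension (or anyExtendedKeyUsage) remains TLS-capable and so, on Jeff Ward's reading, falls under the Baseline Requirements. The block below is an added example written for this page, not code from any list member, root program or auditor. It models certificates as EKU OID sets only, so it needs no certificate library, and the rule it encodes is an assumption modelled on browser behaviour rather than on RFC 5280 (which defines the extension but not chaining): a leaf is accepted for a purpose only if the leaf and every intermediate either lack an EKU extension, assert anyExtendedKeyUsage, or list that purpose; the root is the trust anchor and is not EKU-checked. The certificate names and the "Issuing CA 2" hierarchy are constructed to mirror the scenario in the thread.

```python
"""EKU chaining model: does an intermediate's EKU extension keep TLS out of scope?

Added example for this thread. Certificates are modelled as EKU OID sets only;
the chaining rule is an assumption modelled on browser behaviour (Mozilla,
Chrome and Microsoft apply EKU chaining), not on RFC 5280 itself.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

# Extended key usage OIDs from RFC 5280 section 4.2.1.12
SERVER_AUTH = "1.3.6.1.5.5.7.3.1"       # id-kp-serverAuth
CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"       # id-kp-clientAuth
EMAIL_PROTECTION = "1.3.6.1.5.5.7.3.4"  # id-kp-emailProtection
ANY_EKU = "2.5.29.37.0"                 # anyExtendedKeyUsage


@dataclass(frozen=True)
class Cert:
    """Only the fields the chaining rule looks at. eku=None means no EKU extension."""
    name: str
    eku: Optional[FrozenSet[str]]


def permits(cert: Cert, purpose: str) -> bool:
    """A certificate is usable for a purpose if it has no EKU extension,
    asserts anyExtendedKeyUsage, or lists the purpose explicitly."""
    if cert.eku is None:
        return True
    return ANY_EKU in cert.eku or purpose in cert.eku


def excluded_by_chaining(intermediates: List[Cert], purpose: str) -> bool:
    """True when the intermediates' EKU extensions alone rule the purpose out
    for every leaf below them, regardless of what the leaf asserts."""
    return not all(permits(ca, purpose) for ca in intermediates)


def chain_permits(path: List[Cert], purpose: str) -> bool:
    """path is [leaf, intermediate..., root]. The root is the trust anchor and
    is governed by root-program trust bits, so it is not EKU-checked here."""
    leaf, intermediates = path[0], path[1:-1]
    return permits(leaf, purpose) and not excluded_by_chaining(intermediates, purpose)


def tls_capable(intermediates: List[Cert]) -> bool:
    """Could a CA below these intermediates ever issue a TLS certificate that
    an EKU-chaining client accepts? This is the 'ability to issue SSL/TLS
    certs' question the thread asks about audit scope."""
    return not excluded_by_chaining(intermediates, SERVER_AUTH)


# Constructed certificates mirroring the thread's scenario (not real certs).
ROOT = Cert("Root CA", eku=None)
ISSUING_CA_2 = Cert("Issuing CA 2 (S/MIME)", eku=frozenset({EMAIL_PROTECTION, CLIENT_AUTH}))
UNCONSTRAINED_CA = Cert("Issuing CA without EKU extension", eku=None)
ANY_EKU_CA = Cert("Issuing CA with anyExtendedKeyUsage", eku=frozenset({ANY_EKU}))
SMIME_LEAF = Cert("user@example.com", eku=frozenset({EMAIL_PROTECTION, CLIENT_AUTH}))
TLS_LEAF = Cert("www.example.com", eku=frozenset({SERVER_AUTH, CLIENT_AUTH}))

SMIME_PATH = [SMIME_LEAF, ISSUING_CA_2, ROOT]
TLS_UNDER_SMIME_CA = [TLS_LEAF, ISSUING_CA_2, ROOT]
TLS_UNDER_UNCONSTRAINED = [TLS_LEAF, UNCONSTRAINED_CA, ROOT]

if __name__ == "__main__":
    cases = [
        ("S/MIME leaf for emailProtection under Issuing CA 2", SMIME_PATH, EMAIL_PROTECTION),
        ("TLS leaf for serverAuth under Issuing CA 2", TLS_UNDER_SMIME_CA, SERVER_AUTH),
        ("TLS leaf for serverAuth under EKU-less CA", TLS_UNDER_UNCONSTRAINED, SERVER_AUTH),
    ]
    for label, path, purpose in cases:
        verdict = "accepted" if chain_permits(path, purpose) else "rejected"
        print(f"{label}: {verdict}")
    for ca in (ISSUING_CA_2, UNCONSTRAINED_CA, ANY_EKU_CA):
        print(f"{ca.name}: TLS-capable = {tls_capable([ca])}")
```

Under this model the S/MIME leaf is accepted for email protection, the TLS leaf under Issuing CA 2 is rejected even though it lists serverAuth itself, and the same TLS leaf under an EKU-less intermediate is accepted. `tls_capable` is the check a CA operator or auditor would run when scoping an engagement: it is false for Issuing CA 2 and true for an intermediate with no EKU extension or with anyExtendedKeyUsage, which is exactly the distinction Mozilla policy 3.1.2.1 draws and the one the Apple and Chrome pages cited in the thread leave unstated.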