[Smcwg-public] Audit Schem of a S/MIME CA

陳立群 realsky at cht.com.tw
Fri Oct 23 03:20:55 MST 2020


Dear Dimitris,

 

      Thank you very much for the two URLs, which we had already read. We had already asked the Microsoft Root Program and received its reply.

 

Sincerely Yours,

 

                 Li-Chun 

 

From: Smcwg-public <smcwg-public-bounces at cabforum.org> On Behalf Of Dimitris Zacharopoulos (HARICA) via Smcwg-public
Sent: Thursday, October 22, 2020 2:45 PM
To: smcwg-public at cabforum.org
Subject: [External Mail] Re: [Smcwg-public] Audit Schem of a S/MIME CA

 


Li-Chun,

The applicable audit requirements for S/MIME Issuing CAs are described in the various Root Program sites. Check out the following for Mozilla and Microsoft:

*	https://github.com/mozilla/pkipolicy/blob/2.7/rootstore/policy.md#312-required-audits
*	https://docs.microsoft.com/en-us/security/trusted-root/audit-requirements#a-webtrust-audits

Hope this helps.


Dimitris.

On 2020-10-22 4:17 a.m., 陳立群 via Smcwg-public wrote:

 

If we set up a new intermediate S/MIME CA that chains up to our Root with EKUs such as Secure Email, Client Authentication and Server Authentication, the S/MIME CA's CA certificate and EE certificates will contain an id-kp-emailProtection and Client Authentication Extended Key Usage (EKU) extension. From RFC 5280, this CA will not have the ability to issue SSL/TLS certs. Besides WebTrust for CA, will this new intermediate S/MIME CA need to pass Principle 4 of WebTrust for CA - SSL BR with Network Security audit (which corresponds to the NETWORK AND CERTIFICATE SYSTEM SECURITY REQUIREMENTS)? Google and Mozilla use EKU chaining, and from Mozilla policy 3.1.2.1 the new intermediate S/MIME CA need not pass Principle 4 of WebTrust for CA - SSL BR with Network Security audit. But it is not clear in Apple's Root Program Policy. Does Cisco support an S/MIME trust bit/EKU?
 
But page 1 of these Network and Certificate System Security Requirements (Requirements) says that they "apply to all publicly trusted Certification Authorities (CAs)". Or do the Network and Certificate System Security Requirements (Requirements) only apply to SSL CAs? Principle 4 of WebTrust for CA - SSL BR with Network Security audit only applies to an intermediate CA whose CA certificate contains anyEKU or no EKU, even when that intermediate CA doesn't issue SSL/TLS certificates.
 
 

               Li-Chun Chen

               

 
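The EKU-chaining point in the message above, worked through as an added example by the editor; it is not code from the thread, from Chunghwa Telecom or from any root program. It assumes the chaining rule the thread attributes to Mozilla and Chrome: an intermediate that carries an EKU extension limits the purposes of everything beneath it, an intermediate with no EKU extension or with anyExtendedKeyUsage imposes no limit, and a leaf can only be trusted for id-kp-serverAuth if every constrained intermediate above it allows that purpose. The OIDs are the real ones from RFC 5280; the helper names and the sample chains are the editor's own, and the DER bytes are constructed inline rather than taken from real certificates.

```python
# Added example (not part of the original thread): an EKU-chaining check that
# decides whether a subordinate CA could issue trusted TLS server certificates,
# which is the condition the thread ties to BR / Network Security audit scope.
# All certificate material is constructed for illustration; the helper names
# are the editor's own, not any library's API.

OID_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"       # id-kp-serverAuth
OID_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"       # id-kp-clientAuth
OID_EMAIL_PROTECTION = "1.3.6.1.5.5.7.3.4"  # id-kp-emailProtection
OID_ANY_EKU = "2.5.29.37.0"                 # anyExtendedKeyUsage


def encode_oid(dotted):
    """DER-encode a dotted OID string as an OBJECT IDENTIFIER TLV (tag 0x06)."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])     # first two arcs share one octet
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]                       # base-128, high bit = "more follows"
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return bytes([0x06, len(body)]) + bytes(body)


def encode_eku(oids):
    """DER-encode an ExtKeyUsageSyntax value: SEQUENCE OF KeyPurposeId."""
    body = b"".join(encode_oid(o) for o in oids)
    assert len(body) < 128                         # short-form length suffices here
    return bytes([0x30, len(body)]) + body


def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER TLV that starts at pos."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                              # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def decode_oid(value):
    """Decode the content octets of an OBJECT IDENTIFIER into dotted form."""
    first = value[0]
    arcs = [first // 40, first % 40] if first < 80 else [2, first - 80]
    acc = 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def parse_eku(ext_value):
    """Parse a DER ExtKeyUsageSyntax value into a set of dotted OID strings."""
    tag, seq, _ = _read_tlv(ext_value, 0)
    if tag != 0x30:
        raise ValueError("EKU extension value is not a SEQUENCE")
    oids, pos = set(), 0
    while pos < len(seq):
        tag, val, pos = _read_tlv(seq, pos)
        if tag != 0x06:
            raise ValueError("KeyPurposeId is not an OBJECT IDENTIFIER")
        oids.add(decode_oid(val))
    return oids


def effective_eku(intermediate_ekus):
    """
    Apply EKU chaining to the intermediates between the root and the leaf,
    root-nearest first.  Each element is the DER EKU extension value of one
    intermediate, or None when that certificate has no EKU extension.
    Returns None when the chain is unconstrained (every intermediate has no
    EKU or anyEKU), otherwise the intersection of the constrained purposes.
    Root-certificate EKUs are deliberately not part of the input.
    """
    allowed = None
    for ext in intermediate_ekus:
        if ext is None:
            continue                               # no EKU: no constraint at this level
        purposes = parse_eku(ext)
        if OID_ANY_EKU in purposes:
            continue                               # anyEKU: no constraint at this level
        allowed = purposes if allowed is None else allowed & purposes
    return allowed


def can_issue_tls_server(intermediate_ekus):
    """True when a leaf under this chain could be trusted for id-kp-serverAuth."""
    allowed = effective_eku(intermediate_ekus)
    return allowed is None or OID_SERVER_AUTH in allowed


# Constructed sample EKU extension values (not taken from real certificates):
SMIME_CA = encode_eku([OID_EMAIL_PROTECTION, OID_CLIENT_AUTH])  # the S/MIME CA in the thread
TLS_CA = encode_eku([OID_SERVER_AUTH, OID_CLIENT_AUTH])
ANY_CA = encode_eku([OID_ANY_EKU])

if __name__ == "__main__":
    print("S/MIME CA can issue TLS:", can_issue_tls_server([SMIME_CA]))          # False
    print("No-EKU CA can issue TLS:", can_issue_tls_server([None]))              # True
    print("anyEKU CA can issue TLS:", can_issue_tls_server([ANY_CA]))            # True
    print("TLS CA -> S/MIME sub-CA:", can_issue_tls_server([TLS_CA, SMIME_CA]))  # False
```

Feed `effective_eku` the EKU extension values of the intermediates between the root and the leaf, root-nearest first. An S/MIME CA carrying only id-kp-emailProtection and id-kp-clientAuth, as in the message above, yields False from `can_issue_tls_server`, and so does any chain that places such a CA under an unconstrained or TLS-capable parent; an intermediate with no EKU extension or with anyExtendedKeyUsage yields True, which is the case the thread flags as still in scope for the SSL BR and Network Security audit. The check says nothing about name constraints or what the CA actually issues, only what it could be trusted to issue under EKU chaining.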

From: Jeff Ward <jward at bdo.com>
Sent: Sunday, August 23, 2020 4:59 AM
To: 陳立群 <realsky at cht.com.tw>; 'SMIME Certificate Working Group' <smcwg-public at cabforum.org>
Subject: [External Mail] Re: [Smcwg-public] Audit Schem of a S/MIME CA

 

If the CA either issues or has the ability to issue SSL/TLS certs, baseline requirements apply.   

 

Jeff Ward, CPA, CGMA, CITP, CISA, CISSP, CEH

National Managing Partner Third Party Attestation

(SOC/WebTrust/Cybersecurity)

314-889-1220 (Direct) 347-1220 (Internal)

jward at bdo.com <mailto:jward at bdo.com>  

BDO

101 S Hanley Rd, #800

St. Louis, MO 63105

UNITED STATES

314-889-1100

www.bdo.com <http://www.bdo.com> 

Please consider the environment before printing this e-mail

 




From: 陳立群 <realsky at cht.com.tw>
Sent: Friday, August 21, 2020 6:59 AM
To: Jeff Ward <jward at bdo.com>; 'SMIME Certificate Working Group' <smcwg-public at cabforum.org>
Subject: RE: [Smcwg-public] Audit Schem of a S/MIME CA 

 


Dear Jeff,

 

      Thank you very much for your information.

 

      In the example diagram, Issuing CA 2 would need to receive a WebTrust for CA audit based on the Audit Requirements of the Microsoft Trusted Root Certificate Program. Issuing CA 2 need not receive the Network Security Requirements (Principle 4) audit. Right?

 

      https://docs.microsoft.com/en-us/security/trusted-root/audit-requirements

 



 

 

      The audit scheme for an S/MIME CA is not clear from Apple's root program webpage https://www.apple.com/certificateauthority/ca_program.html and from Chrome's Root Certificate Policy https://sites.google.com/a/chromium.org/dev/Home/chromium-security/root-ca-policy .

 

 

     Li-Chun Chen

     Chunghwa Telecom 

 

From: Jeff Ward <jward at bdo.com>
Sent: Thursday, August 20, 2020 10:26 PM
To: 陳立群 <realsky at cht.com.tw>; SMIME Certificate Working Group <smcwg-public at cabforum.org>
Subject: [External Mail] RE: [Smcwg-public] Audit Schem of a S/MIME CA

 

In the example diagram, Issuing CA 2 would need to receive a WebTrust for CA based on Mozilla policy 3.1.2.1.  

 



 


From: Smcwg-public <smcwg-public-bounces at cabforum.org> On Behalf Of 陳立群 via Smcwg-public
Sent: Wednesday, August 19, 2020 9:29 PM
To: 'SMIME Certificate Working Group' <smcwg-public at cabforum.org>
Subject: Re: [Smcwg-public] Audit Schem of a S/MIME CA

 


There are some typos in the previous e-mail: "audit schema" should be "audit scheme", and "I wonder to know certificate consumers member and CPA Canada's opinion." should be "I wonder to know certificate consumer members' and CPA Canada WebTrust Task Force's opinion."

 

Thanks. 

 

       Li-Chun

 

From: Smcwg-public <smcwg-public-bounces at cabforum.org> On Behalf Of 陳立群 via Smcwg-public
Sent: Thursday, August 20, 2020 8:59 AM
To: 'SMIME Certificate Working Group' <smcwg-public at cabforum.org>
Subject: [External Mail] [Smcwg-public] Audit Schem of a S/MIME CA

 

I wonder about the audit schema of an issuing CA that issues S/MIME certificates, such as Issuing CA 2 (S/MIME Certificates) in the upper diagram on page 10 of WebTrust for CA 2.2 (https://www.cpacanada.ca/-/media/site/operational/ms-member-services/docs/webtrust/webtrust-for-ca-22.pdf?la=en&hash=76D4C1F8363D563CE7FC09031E54ACA2EBFE3E3A).

 

From the WebTrust for Certification Authorities - Audit Applicability Matrix (https://www.cpacanada.ca/en/business-and-accounting-resources/audit-and-assurance/overview-of-webtrust-services/principles-and-criteria), also attached, this Issuing CA 2 (S/MIME Certificates) belongs to "Publicly-Trusted Commercial PKI - All other uses" or "Publicly-Trusted Government PKI - All other uses", so the audit scheme should be RKGC, Key Protection and WebTrust.

 

But someone may argue that, because the Root CA in the upper diagram on page 10 of WebTrust for CA 2.2 has the website and e-mail trust bits, Issuing CA 2 (S/MIME Certificates) should pass Principle 4 of the WebTrust for CA - SSL BR with Network Security Audit Criteria. I see in WebTrust Principles and Criteria for Certification Authorities – SSL Baseline with Network Security – Version 2.4.1 (https://www.cpacanada.ca/-/media/site/operational/ms-member-services/docs/webtrust/wtbr-241-final--ssl-baseline-with-network-security-june-30-2019.pdf?la=en&hash=15117D0B4FB70FB113C7D1D88802A26FE820FB60), page 3, that "However, the Network Security Requirements (Principle 4) would apply to all CAs – Root CA, CA 1, CA 2, CA 3, and CA 4." Note that CA 3 is an S/MIME CA.

                      

    I wonder to know certificate consumers member and CPA Canada’s opinion. 

 

    Thanks.

 

          Li-Chun Chen 

          Chunghwa Telecom 

 

Please be advised that this email message (including any attachments) contains confidential information and may be legally privileged. If you are not the intended recipient, please destroy this message and all attachments from your system and do not further collect, process, or use them. Chunghwa Telecom and all its subsidiaries and associated companies shall not be liable for the improper or incomplete transmission of the information contained in this email nor for any delay in its receipt or damage to your system. If you are the intended recipient, please protect the confidential and/or personal information contained in this email with due care. Any unauthorized use, disclosure or distribution of this message in whole or in part is strictly prohibited. Also, please self-inspect attachments and hyperlinks contained in this email to ensure the information security and to protect personal information.

 

 

 


 

 



The health and safety of our people and communities is our top priority, as we all do our part to help stop the spread of COVID-19. All BDO USA offices will be closed until further notice. While we will be working from home, our already-flexible work environment enables us to make this transition seamlessly and we have the technology in place to continue to provide the same excellent level of service our clients are accustomed to. We are here if you need us, just as before, and if we can be helpful as you navigate the uncertainty, we stand ready. 

BDO USA, LLP, a Delaware limited liability partnership, is the U.S. member of BDO International Limited, a UK company limited by guarantee, and forms part of the international BDO network of independent member firms. 

BDO is the brand name for the BDO network and for each of the BDO Member Firms.

IMPORTANT NOTICES

The contents of this email and any attachments to it may contain privileged and confidential information from BDO USA, LLP. This information is only for the viewing or use of the intended recipient. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution or use of, or the taking of any action in reliance upon, the information contained in this e-mail, or any of the attachments to this e-mail, is strictly prohibited and that this e-mail and all of the attachments to this e-mail, if any, must be immediately returned to BDO USA, LLP or destroyed and, in either case, this e-mail and all attachments to this e-mail must be immediately deleted from your computer without making any copies hereof. If you have received this e-mail in error, please notify BDO USA, LLP by e-mail immediately.

 


 

 








_______________________________________________
Smcwg-public mailing list
Smcwg-public at cabforum.org <mailto:Smcwg-public at cabforum.org> 
https://lists.cabforum.org/mailman/listinfo/smcwg-public

 
