[Smcwg-public] Audit Schem of a S/MIME CA
陳立群
realsky at cht.com.tw
Fri Oct 23 03:20:55 MST 2020
Dear Dimitris,
Thank you very much for the two URLs, which we had already read. We have also asked the Microsoft Root Program and received their reply.
Sincerely Yours,
Li-Chun
From: Smcwg-public <smcwg-public-bounces at cabforum.org> On Behalf Of Dimitris Zacharopoulos (HARICA) via Smcwg-public
Sent: Thursday, October 22, 2020 2:45 PM
To: smcwg-public at cabforum.org
Subject: [外部郵件] Re: [Smcwg-public] Audit Schem of a S/MIME CA
Li-Chun,
The applicable audit requirements for S/MIME Issuing CAs are described in the various Root Program sites. Check out the following for Mozilla and Microsoft:
* https://github.com/mozilla/pkipolicy/blob/2.7/rootstore/policy.md#312-required-audits
* https://docs.microsoft.com/en-us/security/trusted-root/audit-requirements#a-webtrust-audits
Hope this helps.
Dimitris.
On 2020-10-22 4:17 π.μ., 陳立群 via Smcwg-public wrote:
If we set up a new intermediate S/MIME CA that chains up to our Root (with EKUs such as Secure Email, Client Authentication, Server Authentication), the S/MIME CA's CA certificate and EE certificates will contain an id-kp-emailProtection and Client Authentication Extended Key Usage (EKU) extension. Per RFC 5280, this CA will not have the ability to issue SSL/TLS certs. Besides WebTrust for CA, will this new intermediate S/MIME CA need to pass Principle 4 of WebTrust for CA - SSL BR with Network Security Audit (it corresponds to the NETWORK AND CERTIFICATE SYSTEM SECURITY REQUIREMENTS)? Google and Mozilla use EKU chaining, and under Mozilla policy 3.1.2.1 the new intermediate S/MIME CA need not pass Principle 4 of WebTrust for CA - SSL BR with Network Security Audit. But it is not clear in Apple's Root Program Policy. Does Cisco support an S/MIME trust bit/EKU?
But page 1 of the Network and Certificate System Security Requirements (Requirements) says "it apply to all publicly trusted Certification Authorities (CAs)". Or do the Network and Certificate System Security Requirements (Requirements) only apply to SSL CAs? Principle 4 of WebTrust for CA - SSL BR with Network Security Audit only applies to an intermediate CA whose CA certificate contains anyEKU or has no EKU, even where that intermediate CA doesn't issue SSL/TLS certificates.
Li-Chun Chen
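The EKU-chaining test discussed in the message above (a CA certificate whose EKU is limited to id-kp-emailProtection and id-kp-clientAuth is not technically capable of issuing TLS certificates, whereas one with no EKU extension, anyExtendedKeyUsage or id-kp-serverAuth is) can be checked mechanically against the DER of the extKeyUsage extension. The Python below is an added example written for this page; it is not code from the thread, from any root program, or from a WebTrust document. It decodes the extnValue of an extKeyUsage extension with a minimal standard-library DER parser (SEQUENCE OF OBJECT IDENTIFIER) and classifies the CA. The sample extension values are constructed, and the labels "tls-capable", "smime-only" and "constrained-other" are assumptions that follow the thread's reading of Mozilla policy 3.1.2.1 and Jeff's statement that baseline requirements apply to a CA able to issue TLS; they are not an auditor's verdict.

```python
"""Classify a CA certificate's extKeyUsage (EKU) for the EKU-chaining test
discussed in the thread. Standard library only; added example, not thread code."""
from typing import List, Optional

# Key purpose OIDs from RFC 5280 section 4.2.1.12 (id-kp arc 1.3.6.1.5.5.7.3).
OID_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"       # id-kp-serverAuth
OID_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"       # id-kp-clientAuth
OID_EMAIL_PROTECTION = "1.3.6.1.5.5.7.3.4"  # id-kp-emailProtection
OID_ANY_EKU = "2.5.29.37.0"                 # anyExtendedKeyUsage


def _read_tlv(buf: bytes, pos: int):
    """Read one DER tag-length-value starting at pos; returns (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length: low 7 bits give the number of length octets
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad long-form length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    value = buf[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated TLV value")
    return tag, value, pos + length


def decode_oid(value: bytes) -> str:
    """Decode the content octets of an OBJECT IDENTIFIER into dotted form."""
    if not value:
        raise ValueError("empty OID")
    arcs: List[int] = []
    acc = 0
    pending = False
    for b in value:
        acc = (acc << 7) | (b & 0x7F)  # base-128 sub-identifiers, high bit = continuation
        pending = bool(b & 0x80)
        if not pending:
            if not arcs:  # the first sub-identifier packs the first two arcs
                first = 2 if acc >= 80 else acc // 40
                arcs.extend([first, acc - 40 * first])
            else:
                arcs.append(acc)
            acc = 0
    if pending:
        raise ValueError("truncated OID sub-identifier")
    return ".".join(str(a) for a in arcs)


def parse_eku(extn_value: bytes) -> List[str]:
    """Parse an extKeyUsage extnValue:
    ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId (RFC 5280)."""
    tag, seq, end = _read_tlv(extn_value, 0)
    if tag != 0x30 or end != len(extn_value):
        raise ValueError("extnValue must be exactly one SEQUENCE")
    oids: List[str] = []
    pos = 0
    while pos < len(seq):
        tag, val, pos = _read_tlv(seq, pos)
        if tag != 0x06:
            raise ValueError("KeyPurposeId must be an OBJECT IDENTIFIER")
        oids.append(decode_oid(val))
    if not oids:
        raise ValueError("EKU SEQUENCE must not be empty")
    return oids


def classify_ca(eku: Optional[List[str]]) -> str:
    """eku is the parsed OID list, or None when the CA certificate has no EKU extension.
    Labels are assumptions for this example, following the thread's reading of EKU chaining:
    no EKU, anyExtendedKeyUsage or serverAuth means the CA can technically issue TLS certs."""
    if eku is None or OID_ANY_EKU in eku or OID_SERVER_AUTH in eku:
        return "tls-capable"
    if OID_EMAIL_PROTECTION in eku:
        return "smime-only"
    return "constrained-other"


# Constructed sample extnValues (DER); not taken from any real certificate.
SMIME_CA_EKU = bytes.fromhex("3014" "06082b06010505070304" "06082b06010505070302")  # emailProtection, clientAuth
TLS_CA_EKU = bytes.fromhex("3014" "06082b06010505070301" "06082b06010505070302")    # serverAuth, clientAuth
ANY_EKU = bytes.fromhex("3006" "0604551d2500")                                        # anyExtendedKeyUsage

if __name__ == "__main__":
    for name, raw in [("S/MIME CA", SMIME_CA_EKU), ("TLS CA", TLS_CA_EKU), ("anyEKU CA", ANY_EKU)]:
        print(name, parse_eku(raw), classify_ca(parse_eku(raw)))
    print("no-EKU CA", classify_ca(None))
```

In a real check the extnValue bytes would come from the certificate's extKeyUsage extension (OID 2.5.29.37); the parser rejects an empty SEQUENCE and truncated encodings, and the absence of the extension (None) is deliberately treated as the permissive case, since an unconstrained CA can issue any certificate type.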
From: Jeff Ward <jward at bdo.com>
Sent: Sunday, August 23, 2020 4:59 AM
To: 陳立群 <realsky at cht.com.tw>; 'SMIME Certificate Working Group' <smcwg-public at cabforum.org>
Subject: [外部郵件] Re: [Smcwg-public] Audit Schem of a S/MIME CA
If the CA either issues or has the ability to issue SSL/TLS certs, baseline requirements apply.
Jeff Ward, CPA, CGMA, CITP, CISA, CISSP, CEH
National Managing Partner Third Party Attestation
(SOC/WebTrust/Cybersecurity)
314-889-1220 (Direct) 347-1220 (Internal)
jward at bdo.com
BDO
101 S Hanley Rd, #800
St. Louis, MO 63105
UNITED STATES
314-889-1100
www.bdo.com
From: 陳立群 <realsky at cht.com.tw>
Sent: Friday, August 21, 2020 6:59 AM
To: Jeff Ward <jward at bdo.com>; 'SMIME Certificate Working Group' <smcwg-public at cabforum.org>
Subject: RE: [Smcwg-public] Audit Schem of a S/MIME CA
Dear Jeff,
Thank you very much for your information.
In the example diagram, Issuing CA 2 would need to receive a WebTrust for CA audit based on the Audit Requirements of the Microsoft Trusted Root Certificate Program. Issuing CA 2 would not need to receive the Network Security Requirements (Principle 4) audit. Right?
https://docs.microsoft.com/en-us/security/trusted-root/audit-requirements
The audit scheme for an S/MIME CA is not clear from Apple's root program webpage https://www.apple.com/certificateauthority/ca_program.html or from Chrome's Root Certificate Policy https://sites.google.com/a/chromium.org/dev/Home/chromium-security/root-ca-policy .
Li-Chun Chen
Chunghwa Telecom
From: Jeff Ward <jward at bdo.com>
Sent: Thursday, August 20, 2020 10:26 PM
To: 陳立群 <realsky at cht.com.tw>; SMIME Certificate Working Group <smcwg-public at cabforum.org>
Subject: [外部郵件] RE: [Smcwg-public] Audit Schem of a S/MIME CA
In the example diagram, Issuing CA 2 would need to receive a WebTrust for CA based on Mozilla policy 3.1.2.1.
Jeff Ward, CPA, CGMA, CITP, CISA, CISSP, CEH
National Managing Partner Third Party Attestation (SOC/WebTrust/Cybersecurity)
314-889-1220 (Direct) 347-1220 (Internal)
314-387-0189 (Mobile)
jward at bdo.com
BDO
101 S Hanley Rd, Suite 800
St. Louis, MO 63105
UNITED STATES
314-889-1100
www.bdo.com
BDO File Exchange (secure file sharing): https://fileexchange.bdo.com/
From: Smcwg-public <smcwg-public-bounces at cabforum.org> On Behalf Of 陳立群 via Smcwg-public
Sent: Wednesday, August 19, 2020 9:29 PM
To: 'SMIME Certificate Working Group' <smcwg-public at cabforum.org>
Subject: Re: [Smcwg-public] Audit Schem of a S/MIME CA
There are some typos in the previous e-mail: "audit schema" should be "audit scheme", and "I wonder to know certificate consumers member and CPA Canada's opinion." should be "I wonder to know certificate consumers members' and CPA Canada WebTrust Task Force's opinion."
Thanks.
Li-Chun
From: Smcwg-public <smcwg-public-bounces at cabforum.org> On Behalf Of 陳立群 via Smcwg-public
Sent: Thursday, August 20, 2020 8:59 AM
To: 'SMIME Certificate Working Group' <smcwg-public at cabforum.org>
Subject: [外部郵件] [Smcwg-public] Audit Schem of a S/MIME CA
I wonder about the audit scheme of an issuing CA that issues S/MIME certificates, such as Issuing CA 2 (S/MIME Certificates) in the upper diagram on page 10 of WebTrust for CA 2.2 (https://www.cpacanada.ca/-/media/site/operational/ms-member-services/docs/webtrust/webtrust-for-ca-22.pdf?la=en&hash=76D4C1F8363D563CE7FC09031E54ACA2EBFE3E3A).
From the WebTrust for Certification Authorities - Audit Applicability Matrix (https://www.cpacanada.ca/en/business-and-accounting-resources/audit-and-assurance/overview-of-webtrust-services/principles-and-criteria, or see the attached file), this Issuing CA 2 (S/MIME Certificates) belongs to "Publicly-Trusted Commercial PKI - All other uses" or "Publicly-Trusted Government PKI - All other uses", so the audit scheme should be RKGC, Key Protection and WebTrust.
But someone may argue that, as the Root CA in the upper diagram on page 10 of WebTrust for CA 2.2 has the website and e-mail trust bits, Issuing CA 2 (S/MIME Certificates) should pass WebTrust for CA - SSL BR with Network Security Audit Criteria Principle 4. I see in WebTrust Principles and Criteria for Certification Authorities - SSL Baseline with Network Security - Version 2.4.1, page 3 (https://www.cpacanada.ca/-/media/site/operational/ms-member-services/docs/webtrust/wtbr-241-final--ssl-baseline-with-network-security-june-30-2019.pdf?la=en&hash=15117D0B4FB70FB113C7D1D88802A26FE820FB60) that it says: "However, the Network Security Requirements (Principle 4) would apply to all CAs – Root CA, CA 1, CA 2, CA 3, and CA 4." Note that CA 3 is an S/MIME CA.
I would like to know certificate consumer members' and CPA Canada's opinion.
Thanks.
Li-Chun Chen
Chunghwa Telecom
本信件可能包含中華電信股份有限公司機密資訊,非指定之收件者,請勿蒐集、處理或利用本信件內容,並請銷毀此信件. 如為指定收件者,應確實保護郵件中本公司之營業機密及個人資料,不得任意傳佈或揭露,並應自行確認本郵件之附檔與超連結之安全性,以共同善盡資訊安全與個資保護責任.
Please be advised that this email message (including any attachments) contains confidential information and may be legally privileged. If you are not the intended recipient, please destroy this message and all attachments from your system and do not further collect, process, or use them. Chunghwa Telecom and all its subsidiaries and associated companies shall not be liable for the improper or incomplete transmission of the information contained in this email nor for any delay in its receipt or damage to your system. If you are the intended recipient, please protect the confidential and/or personal information contained in this email with due care. Any unauthorized use, disclosure or distribution of this message in whole or in part is strictly prohibited. Also, please self-inspect attachments and hyperlinks contained in this email to ensure the information security and to protect personal information.
The health and safety of our people and communities is our top priority, as we all do our part to help stop the spread of COVID-19. All BDO USA offices will be closed until further notice. While we will be working from home, our already-flexible work environment enables us to make this transition seamlessly and we have the technology in place to continue to provide the same excellent level of service our clients are accustomed to. We are here if you need us, just as before, and if we can be helpful as you navigate the uncertainty, we stand ready.
BDO USA, LLP, a Delaware limited liability partnership, is the U.S. member of BDO International Limited, a UK company limited by guarantee, and forms part of the international BDO network of independent member firms.
BDO is the brand name for the BDO network and for each of the BDO Member Firms.
IMPORTANT NOTICES
The contents of this email and any attachments to it may contain privileged and confidential information from BDO USA, LLP. This information is only for the viewing or use of the intended recipient. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution or use of, or the taking of any action in reliance upon, the information contained in this e-mail, or any of the attachments to this e-mail, is strictly prohibited and that this e-mail and all of the attachments to this e-mail, if any, must be immediately returned to BDO USA, LLP or destroyed and, in either case, this e-mail and all attachments to this e-mail must be immediately deleted from your computer without making any copies hereof. If you have received this e-mail in error, please notify BDO USA, LLP by e-mail immediately.
_______________________________________________
Smcwg-public mailing list
Smcwg-public at cabforum.org <mailto:Smcwg-public at cabforum.org>
https://lists.cabforum.org/mailman/listinfo/smcwg-public