I believe we discussed this at the CA/B Forum meeting in Cupertino where
it was explained that an RA can be audited with the existing
ETSI/WebTrust criteria by only listing the necessary criteria relevant
to RA operations. So, for the ETSI example, an RA would be audited
against ETSI EN 319 411-1 by listing most of the requirements of 319
401 and the relevant sections of 411-1 for RA operations. This scope
would be clearly indicated in the attestation letter, allowing the CA to
have an independent auditor's opinion of the RA operations of a
delegated third party.
I believe WebTrust for RAs has done a great job of defining the relevant
criteria and separating them in a different document. ETSI has done
something similar by identifying "service components" in EN 319 411-1
(OVR, REG, REV, DIS, and so on).
Dimitris.
On 18/6/2019 8:51 p.m., Ryan Sleevi via Public wrote:
On Tue, Jun 18, 2019 at 1:35 PM Jeremy Rowley via Public
<[email protected]> wrote:
I think I heard the WebTrust auditors say last week that they have
finished or nearly finished the WebTrust for RAs criteria. The
language from Section 8.4 of the guidelines reads:
“For Delegated Third Parties which are not Enterprise RAs, then
the CA SHALL obtain an audit report, issued under the auditing
standards that underlie the accepted audit schemes found in
Section 8.1, that provides an opinion whether the Delegated Third
Party’s performance complies with either the Delegated Third
Party’s practice statement or the CA’s Certificate Policy and/or
Certification Practice Statement. If the opinion is that the
Delegated Third Party does not comply, then the CA SHALL not allow
the Delegated Third Party to continue performing delegated functions.”
We know some CAs use RAs that are not audited under WebTrust/ETSI
because “there is no appropriate audit standard”. Now that there
is an audit standard, it seems to me this criterion goes into
effect immediately and any RA not audited would cause the CA to be
out of compliance with the BRs. No additional ballot required
since the concept is already baked into the BRs.
Anyone have a different interpretation? If not, when is the exact
date that the audits should be done? Already?
TL;DR: Don't worry. I don't think there's an impending doom date.
Officially, Chrome is not planning to immediately enforce the WebTrust
for RAs audit, and is still evaluating the most effective means to use
and consume this.
For best results, however, don't use RAs ;)
Here's the alternative interpretation I'll offer you:
The "auditing standards that underlie the accepted audit criteria"
are, in the case of WebTrust, SSAE 18 (US), CSAE 3000 - 3001 (CA),
and ISAE 3000 (elsewhere), with potentially jurisdiction-specific
(self-?)regulatory requirements or modifications, similar to the US/CA
harmonization with IFAC.
The "auditing standards that underlie the accepted audit criteria"
are, for ETSI EN 319 411-1 and ETSI EN 319 403, either (depending on
your perspective of "standard"), going to be seen as:
a) ETSI EN 319 411-1 / ETSI EN 319 403
b) ISO/IEC 17065
The former takes the view that the ETSI ESI documents are themselves
the standards for auditing, in that they define a set of standards
appropriate for "an" audit scheme, although absent the eIDAS
Regulation lacks any normative guidance about who the defining
authority is for the appropriate auditor (compared to IFAC and its
constituent organizations, which does).
The latter takes the view that the ETSI ESI documents are themselves
adopted from the ISO/IEC standards and guidance on the development of
certification schemes (which covers a broad scheme of activities), and
that any scheme derived from the principles of 17065 is suitably
empowered. It, similarly, lacks the guidance as to who can perform the
assessments, since that is the role of the scheme operator (e.g. EU in
the case of eIDAS).
The "nice" thing about these interpretations is that for CAs that are
concerned about being beyond reproach, but still make the
(unfortunate) choice to make use of delegated third parties, they can
read these requirements as using the relevant criteria from WebTrust
or ETSI, under the existing supervisory scheme, and argue compliance.
CAs that don't like to/don't want to know what their RAs are doing,
and aren't as concerned about security, could reasonably argue that
the applicability of the underlying standard means the CA defines what
the expectations are (for example, an "Agreed Upon Procedures" report
- which I'm sure Don and Jeff will jump in mentioning the CSAE
limitations there), and then allow 'anyone' to perform that audit,
modulo the IFAC standards with respect to professional licensure.
_______________________________________________
Public mailing list
[email protected]
https://cabforum.org/mailman/listinfo/public