ETSI STF 412 AUDIT GUIDELINES FOR EVC (24 TH JAN 2012)

Transcription

1 ETSI STF 412 AUDIT GUIDELINES FOR EVC (24 TH JAN 2012) Guidance on TS for Issuing Extended Validation Certificates Presented by Arno Fiedler ETSI All rights reserved

2 STF 412/438 TEAM 2 ETSI All ri ghts reserved Iñigo Barreira Arno Fiedler, Nick Pope and Christoph Sutter in Sylvie Lacroix, SEALED

3 Scope of STF 412 Guide to a framework for CAs which h want to issue Extended Validation Certificates Checklist for application of TS Policy requirements for certification authorities issuing public key certificates to CA Browser Forum EV Guidelines Harmonised EU framework for assessing conformance of CAs in line with EVC Guidelines as issued by CA/B Forum 3 ETSI All rights reserved

4 History and Status ETSI ESI develops Certification Policies for Trust Service Provider since 2000, main focus was on Qualified Certificates Redmond Meeting Nov 2007, in March 2008 (ESI#19 in BCN) idea to extend TS with CA/B Forum Requirements, In Autumn 2008 Meetings in Oslo and Bilbao and LOI between CA/B Forum and ETSI Since End of 2010: Official ETSI Special Task Force STF 412 (Guidance for EV) 4 ETSI All rights reserved

5 Scope of the work item in 2009 and 2010 Guide to a European framework (as an alternative to the Webtrust Audit) for CAs which want to issue Extended Validation Certificates Application of TS Policy requirements for certification authorities issuing public key certificates to incorporate support for CA Browser Forum Guidelines assessing conformance of CAs in line with EVC Guidelines as issued by CAB Forum 5

6 Framework for CA Audit National Accreditation Body Auditor Accreditation Requirements Mutual Agreement National Accreditation Body Certification Body CA Certification Requirements Scheme CA

7 Accreditation Bodies EA: European Cooperation for Accreditation accreditation.org ANAB: US ANSI ASQ National Accreditation Board IAF: International Accreditation Forum

8 Main Document ETSI TS Policy requirements for certification i authorities i issuing i public key certificates Generalisation of TS for uses other than qualified certificates In 2010 with Annex E of Annex E (norm.) The body carrying out the audit shall be accredited for the purpose of auditing organisations implementing the present technical specification by an official accreditation body (such as the signatories to the MLA of the European Cooperation for Accreditation as conforming to ISO/IEC [i.4].

9 412 Phase 1. Achievements and deliverables Identify detailed requirements for the application of TS to EV Certificates including the conformity assessment checklist. Produce a Technical Report (ETSI TR ) on Guidance on TS for Issuing Extended Validation Certificates for Auditors, CSP and Application software vendors. Already available for downloading from ETSI web site. 9

10 10 Phase 1. Achievements and deliverables

11 STF 412 Phase 2. Goals and deliverables Draft initial i i proposals on how EV audit might ihfit within ihi future EU Accreditation framework for CAs (CWA update) dt) Produce a Technical Report for the conformity assessment and auditing of CSP issuing EV certificates based on CWA update Produce a special report on approach to the governance and audit regime for assessment for CSP issuing EV certificates within European context Approval and Dissemination of the results 03/

12 Next step: New ETSI STF 437 ETSI ESI STF 437 is reviewing the CA/B Forum Baseline Requirements and will produce a Technical Report on: Guidance on TS for Issuing Baseline SSL Certificates for Auditors, CSP and Application software vendors Draft in June, approval in October

13 Notification: ETSI website vs TSL ETSI deployed a web site as suggested by CAB Forum. AuthoritiesandCertificationServiceProviders.aspx Issues ETSI focus on standards, not on an audit regime, so: ETSI is not aware of certifications done ETSI is not aware of audit firms Difficult to maintain ETSI is putting emphasis on TSL 13

14 Contact Thanks! 14 ETSI All rights reserved

15 Relations with other STFs. Mandate Work plan of STF 427 on CSP Assesments Deliverable 1: CSP Conformity Assessment Requirements & Guidance Based on existing CWA Aims toprovide common standard dbasis for national "CSP Supervision i & Accreditation" Includes requirements on Audit & Audit process Deliverable 2: Progression of existing TS & to European Norm Same evaluation criteria Restructured to divide out common requirements (e.g. security management and environment) requirements for service components (e.g. RA, certificate generation, revocation management...)

16 16 Relations with other STFs. Mandate 460