Clarification about WebTrust CA and WebTrust BR audit statements


Kathleen Wilson

Feb 2, 2015, 2:32:33 PM
to mozilla-dev-s...@lists.mozilla.org
I have been asked the following question about why both the "Principles
and Criteria for Certification Authorities 2.0" and the "SSL Baseline
Requirements Audit Criteria" are required.

== Question ==
As far as we know the principles of both standards are identical, except
for the technical network security specifications of the "SSL Requirements Baseline
Audit Criteria", as shown in the following matrix:

WT CA 2.0 CA Principles -- WT BR SSL 2.0 Principles

P1. CA Business Practices Disclosure -- P1. Baseline Requirements
Business Practices Disclosure

P2. CA Environmental Controls -- P3. CA Environmental Security

P3. Service Integrity -- P2. Service Integrity

none -- P4. Network and Certificate Systems Security Requirements

We consider that it is enough to comply with the "SSL Baseline Requirements
Audit Criteria" for the certifications under the scope. Would you be so
kind as to let us know the reason for asking for both standards? Based on our
understanding, this situation increases the costs of accreditation for
quality, security and reliability of WebTrust, ... in addition to causing
confusion.

Please, we would like to clarify this issue.
== END Question ==

My question: If the CA is only requesting the Websites trust bit
(non-EV), then is it sufficient for them to only get a WebTrust BR audit
statement?

Of course, if the CA is also requesting the email and code signing trust
bits, then they must have an audit statement that applies to email and
code signing certs (i.e. WebTrust BR audit statement alone is not
sufficient).

Kathleen




Kathleen Wilson

Feb 3, 2015, 12:50:41 PM
to mozilla-dev-s...@lists.mozilla.org
From Don Sheehy: They are completely different in their application.
SSL Baseline only covers the CAB baseline requirements and does not cover
the more detailed requirements for WebTrust certification (and initial
acceptance). WebTrust for CA covers accepted practices for a CA -
the additional SSL Baseline criteria were brought in just to deal with specific
additional issues.
