Closed WilsonKathleen closed 4 years ago
Here's what I would like to specify regarding formats of the data in audit statements.
1) Accepted certificate thumbprint/fingerprint format:
2) Accepted date formats (month names in English):
As per discussion in m.d.s.p, please add section 5.1 to the Common CCADB Policy, as follows.
5.1 Audit Statement Content
CCADB uses an Audit Letter Validation (ALV) tool to automatically parse and validate audit statements. This system eliminates manual processing, but it requires audit statements to follow some basic rules in order to function properly. If the audit statement fails to meet any of the following requirements, the CA will be asked to work with their auditor to provide an audit statement that passes ALV.
Audit statements listed in the CCADB must contain at least the following clearly-labelled information in English:
ETSI Audits: Audits conducted by certified ETSI auditors must have their audit statement uploaded to their auditor’s website. CAs provide the URL to the audit statements on the auditor’s website, and ALV will verify those URLs against a known list of audit locations.
WebTrust Audits: Audits conducted by certified WebTrust auditors must have a WebTrust Seal. CAs enter the URL to the WebTrust Seal into the CCADB, and upon saving of the record, the CCADB automatically converts the URL to point to the corresponding PDF file via integration with CPA Canada.
Format Specifications for SHA-256 Fingerprints:
Format Specifications for Dates: The following formats are accepted by ALV
"certified ETSI auditors" -> "accredited conformity assessment bodies". I think the WebTrust terminology is also different, "licenced practitioners", but it's better for someone from the WebTrust TF or ACAB-c to confirm these terms so we are all on the same page.
Thanks, Dimitris, for pointing that out.
So in the above proposal the paragraph beginning with "ETSI Audits:" should be changed to:
ETSI Audits: Audits conducted by accredited conformity assessment bodies must have their audit statement uploaded to their auditor’s website. CAs provide the URL to the audit statements on the auditor’s website, and ALV will verify those URLs against a known list of audit locations.
And the paragraph beginning with "WebTrust Audits:" should be changed to:
WebTrust Audits: Audits conducted by licensed WebTrust practitioners must have a WebTrust Seal. CAs enter the URL to the WebTrust Seal into the CCADB, and upon saving of the record, the CCADB automatically converts the URL to point to the corresponding PDF file via integration with CPA Canada.
I have incorporated feedback from representatives of ETSI and WebTrust.
5.1 Audit Statement Content
CCADB uses an Audit Letter Validation (ALV) tool to automatically parse and validate audit statements. This system eliminates manual processing, but it requires audit statements to follow some basic rules in order to function properly. If the audit statement fails to meet any of the following requirements, the CA will be asked to work with their auditor to provide an audit statement that passes ALV.
Audit statements listed in the CCADB must contain at least the following clearly-labelled information in English:
Audits based on ETSI CPs: Audits conducted by accredited conformity assessment bodies (CAB) must have their Audit Attestation Letter (AAL) uploaded to the CAB’s website. CAs provide the URL to the AAL on the CAB’s website, and ALV will verify those URLs against a known list of AAL locations.
WebTrust Audits: Audits conducted by licensed WebTrust practitioners must have a WebTrust Seal. CAs enter the URL to the WebTrust Seal into the CCADB, and upon saving of the record, the CCADB automatically converts the URL to point to the corresponding PDF file via integration with CPA Canada.
Format Specifications for SHA-256 Fingerprints:
Format Specifications for Dates: The following formats are accepted by ALV
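The two fields the proposal wants pinned down are the SHA-256 fingerprint and the dates, because ALV has to parse both mechanically. The following Python is an added illustration, not CCADB's ALV code; the renderings it accepts (colon-, space- or un-separated hex; "March 31, 2021", "31 March 2021", ISO "2021-03-31", English month names only) are assumptions standing in for the policy's actual format lists.

```python
import re
from datetime import date
from typing import Optional

# Constructed example (not CCADB's code): the accepted renderings below are
# assumptions standing in for the format lists the proposal specifies.

_HEX64 = re.compile(r"[0-9A-F]{64}")
_MONTHS = ["january", "february", "march", "april", "may", "june", "july",
           "august", "september", "october", "november", "december"]
# Map full English month names and their three-letter forms to month numbers.
_MONTH_NUM = {m: i for i, m in enumerate(_MONTHS, start=1)}
_MONTH_NUM.update({m[:3]: i for i, m in enumerate(_MONTHS, start=1)})


def normalize_sha256_fingerprint(text: str) -> Optional[str]:
    """Return the fingerprint as 64 upper-case hex digits, or None if the
    text is not a SHA-256 fingerprint (wrong length or non-hex characters).
    Colon and whitespace separators and either letter case are tolerated."""
    cleaned = re.sub(r"[\s:]", "", text).upper()
    return cleaned if _HEX64.fullmatch(cleaned) else None


def parse_audit_date(text: str) -> Optional[date]:
    """Parse 'March 31, 2021', '31 March 2021' or '2021-03-31' (month names
    in English, optionally abbreviated). Returns None for anything else,
    including calendar-invalid days and non-English month names."""
    s = text.strip()
    m = re.fullmatch(r"(\d{4})-(\d{2})-(\d{2})", s)
    if m:
        year, month_num, day = int(m[1]), int(m[2]), int(m[3])
    else:
        m = re.fullmatch(r"([A-Za-z]+)\.?\s+(\d{1,2}),?\s+(\d{4})", s)
        if m:
            month_name, day, year = m[1], int(m[2]), int(m[3])
        else:
            m = re.fullmatch(r"(\d{1,2})\s+([A-Za-z]+)\.?,?\s+(\d{4})", s)
            if not m:
                return None
            day, month_name, year = int(m[1]), m[2], int(m[3])
        month_num = _MONTH_NUM.get(month_name.lower())
        if month_num is None:
            return None
    try:
        return date(year, month_num, day)
    except ValueError:  # e.g. "31 February 2021" is not a real date
        return None
```

Either function returning None is the condition under which a statement would be sent back to the CA and auditor for correction.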
Note that there is a missing 'S' at the beginning of this bullet point:
Update the CCADB policy to specify the format for the dates and the certificate thumbprints, so that ALV will have a higher success rate. This has become more important now that ALV has been extended to intermediate certificate records.