mozilla / www.ccadb.org

Website about the Mozilla-run Common CA Database

Add section to CCADB Policy to specify audit statement content and format for dates and cert thumbprints #33

Closed WilsonKathleen closed 4 years ago

WilsonKathleen commented 4 years ago

Update the CCADB policy to specify the format for the dates and the certificate thumbprints, so that ALV will have a higher success rate. This has become more important now that ALV has been extended to intermediate certificate records.

WilsonKathleen commented 4 years ago

Here's what I would like to specify regarding formats of the data in audit statements.

1) Accepted certificate thumbprint/fingerprint format:

2) Accepted date formats (month names in English):

WilsonKathleen commented 4 years ago

As per discussion in m.d.s.p, please add section 5.1 to the Common CCADB Policy, as follows.

5.1 Audit Statement Content

CCADB uses an Audit Letter Validation (ALV) tool to automatically parse and validate audit statements. This system eliminates manual processing, but it requires audit statements to follow some basic rules in order to function properly. If the audit statement fails to meet any of the following requirements, the CA will be asked to work with their auditor to provide an audit statement that passes ALV.

Audit statements listed in the CCADB must contain at least the following clearly-labelled information in English:

  1. Name and address of the organization performing the audit;
  2. Full name of the CA that was audited;
  3. SHA-256 fingerprint of each root and intermediate certificate that was in scope of the audit (see format specifications below);
  4. List of the CA policy documents (with version numbers) referenced during the audit;
  5. Whether the audit is for a period of time or a point in time;
  6. Date the audit statement was written, which will necessarily be after the audit period end date or point-in-time date (see date format specifications below);
  7. Start date and end date of the period that was audited, for those that cover a period of time (this is not the period the auditor was on-site);
  8. Point-in-time date, for those that are for a point in time;
  9. Full names and version numbers of the audit standards that were used during the audit; and
  10. For ETSI, a statement to indicate if the audit was a full audit, and which parts of the criteria were applied, e.g. DVCP, OVCP, NCP, NCP+, LCP, EVCP, EVCP+, QCP-w, Part1 (General Requirements), and/or Part 2 (Requirements for trust service providers).

ETSI Audits: Audits conducted by certified ETSI auditors must have their audit statement uploaded to their auditor’s website. CAs provide the URL to the audit statements on the auditor’s website, and ALV will verify those URLs against a known list of audit locations.

WebTrust Audits: Audits conducted by certified WebTrust auditors must have a WebTrust Seal. CAs enter the URL to the WebTrust Seal into the CCADB, and upon saving of the record, the CCADB automatically converts the URL to point to the corresponding PDF file via integration with CPA Canada.

Format Specifications for SHA-256 Fingerprints:

Format Specifications for Dates: The following formats are accepted by ALV

dzacharo commented 4 years ago

"certified ETSI auditors" --> "accredited conformity assessment bodies". I think the WebTrust terminology is also different, "licenced practitioners", but it's better for someone from the WebTrust TF or ACAB-c to confirm these terms so we are all on the same page.

WilsonKathleen commented 4 years ago

Thanks, Dimitris, for pointing that out.

So in the above proposal the paragraph beginning with "ETSI Audits:" should be changed to:

ETSI Audits: Audits conducted by accredited conformity assessment bodies must have their audit statement uploaded to their auditor’s website. CAs provide the URL to the audit statements on the auditor’s website, and ALV will verify those URLs against a known list of audit locations.

And the paragraph beginning with "WebTrust Audits:" should be changed to:

WebTrust Audits: Audits conducted by licensed WebTrust practitioners must have a WebTrust Seal. CAs enter the URL to the WebTrust Seal into the CCADB, and upon saving of the record, the CCADB automatically converts the URL to point to the corresponding PDF file via integration with CPA Canada.

WilsonKathleen commented 4 years ago

I have incorporated feedback from representatives of ETSI and WebTrust.

5.1 Audit Statement Content

CCADB uses an Audit Letter Validation (ALV) tool to automatically parse and validate audit statements. This system eliminates manual processing, but it requires audit statements to follow some basic rules in order to function properly. If the audit statement fails to meet any of the following requirements, the CA will be asked to work with their auditor to provide an audit statement that passes ALV.

Audit statements listed in the CCADB must contain at least the following clearly-labelled information in English:

  1. Name and address of the organization performing the audit;
  2. Full name of the CA that was audited;
  3. SHA-256 fingerprint of each root and intermediate certificate that was in scope of the audit (see format specifications below);
  4. List of the CA policy documents (with version numbers) referenced during the audit;
  5. Whether the audit is for a period of time or a point in time;
  6. Date the audit statement was written, which will necessarily be after the audit period end date or point-in-time date (see date format specifications below);
  7. Start date and end date of the period that was audited, for those that cover a period of time (this is not the period the auditor was on-site);
  8. Point-in-time date, for those that are for a point in time;
  9. Full names and version numbers of the audit standards that were used during the audit; and
  10. For ETSI, a statement to indicate if the audit was a full audit, and which parts of the criteria were applied, e.g. DVCP, OVCP, NCP, NCP+, LCP, EVCP, EVCP+, QCP-w, Part1 (General Requirements), and/or Part 2 (Requirements for trust service providers).

Audits based on ETSI CPs: Audits conducted by accredited conformity assessment bodies (CAB) must have their Audit Attestation Letter (AAL) uploaded to the CAB’s website. CAs provide the URL to the AAL on the CAB’s website, and ALV will verify those URLs against a known list of AAL locations.

WebTrust Audits: Audits conducted by licensed WebTrust practitioners must have a WebTrust Seal. CAs enter the URL to the WebTrust Seal into the CCADB, and upon saving of the record, the CCADB automatically converts the URL to point to the corresponding PDF file via integration with CPA Canada.

Format Specifications for SHA-256 Fingerprints:

Format Specifications for Dates: The following formats are accepted by ALV
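A small checker in the spirit of the ALV rules quoted above, added here as an example (it is not the CCADB's own ALV code): it parses a constructed audit letter, normalises the SHA-256 fingerprints, parses the dates, checks that the statement date falls after the audited period or point-in-time date (item 6), and reports any certificate in the CCADB record that the letter does not put in scope. The field labels, the three date formats and the "A to B" period notation are assumptions, since the format tables are not reproduced in the thread.

```python
import re
from contextlib import suppress
from datetime import datetime
# Accepted date formats: the thread says ALV has a fixed list with English month
# names but does not reproduce it, so these three are an assumption of this example.
DATE_FORMATS = ("%d %B %Y", "%B %d, %Y", "%Y-%m-%d")
HEX64 = re.compile(r"^[0-9A-F]{64}$")

def parse_date(text):
    """Parse one date in any accepted format; None if it matches none of them."""
    for fmt in DATE_FORMATS:
        with suppress(ValueError):
            return datetime.strptime(text.strip(), fmt).date()
    return None

def normalize_fp(raw):
    """Drop colons and spaces and upper-case; None unless exactly 64 hex digits remain."""
    fp = re.sub(r"[\s:]", "", raw).upper()
    return fp if HEX64.match(fp) else None

def check_statement(text, ccadb_fps):
    """Return the problems found; an empty list means the letter would pass these checks."""
    labels = "Auditor|CA Name|Audit Type|Audit Period|Point-in-Time Date|Statement Date"
    fields = dict(re.findall(rf"^({labels}):[ \t]*(.+?)\s*$", text, re.M))
    written = parse_date(fields.get("Statement Date", ""))
    if fields.get("Audit Type", "").lower().startswith("period"):  # item 7: the audited period
        m = re.match(r"(.+?)\s+to\s+(.+)", fields.get("Audit Period", ""))
        start, end = (parse_date(m[1]), parse_date(m[2])) if m else (None, None)
    else:                                                           # item 8: point-in-time date
        start, end = None, parse_date(fields.get("Point-in-Time Date", ""))
    found = {normalize_fp(r) for r in re.findall(r"^\s*SHA-256:[ \t]*([0-9A-Fa-f: ]+?)\s*$", text, re.M)}
    checks = [
        (any(lb not in fields for lb in ("Auditor", "CA Name", "Audit Type")), "a required field is missing"),
        (written is None, "statement date missing or not in an accepted format"),
        (end is None, "audit type or its period/point-in-time dates missing or unparseable"),
        (start and end and end <= start, "audit period end is not after its start"),
        (written and end and written <= end, "statement date is not after the audited dates"),  # item 6
        (None in found, "a fingerprint is not 64 hex digits once separators are removed"),
    ]
    # Item 3 plus the ALV-for-intermediates point: every cert in the CCADB record must be in scope.
    return [msg for bad, msg in checks if bad] + [f"not in audit scope: {fp[:8]}..." for fp in sorted(set(ccadb_fps) - found)]

# Constructed sample letter (not a real audit statement) with the labelled fields from 5.1.
SAMPLE = """Auditor: Example Assurance LLP, 1 Example Street, Example City
CA Name: Example Trust Services Inc.
Audit Type: Period of Time
Audit Period: 1 January 2020 to 31 December 2020
Statement Date: 15 February 2021
SHA-256: 0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF
SHA-256: fe:dc:ba:98:76:54:32:10:fe:dc:ba:98:76:54:32:10:fe:dc:ba:98:76:54:32:10:fe:dc:ba:98:76:54:32:10"""
```

Running `check_statement(SAMPLE, {...})` with the two sample fingerprints returns an empty list; moving the statement date inside the audited period, or adding a fingerprint the letter does not mention, produces the corresponding problem strings.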

WilsonKathleen commented 4 years ago

Note that there is a missing 'S' at the beginning of this bullet point: