Comments (6)
Thanks, Dimitris, for pointing that out.
So in the above proposal the paragraph beginning with "ETSI Audits:" should be changed to:
ETSI Audits: Audits conducted by accredited conformity assessment bodies must have their audit statement uploaded to their auditor’s website. CAs provide the URL to the audit statements on the auditor’s website, and ALV will verify those URLs against a known list of audit locations.
And the paragraph beginning with "WebTrust Audits:" should be changed to:
WebTrust Audits: Audits conducted by licensed WebTrust practitioners must have a WebTrust Seal. CAs enter the URL to the WebTrust Seal into the CCADB, and upon saving of the record, the CCADB automatically converts the URL to point to the corresponding PDF file via integration with CPA Canada.
Here's what I would like to specify regarding formats of the data in audit statements.
- Accepted certificate thumbprint/fingerprint format:
  - MUST: No colons, no spaces, and no linefeeds
  - MUST: Uppercase letters
  - SHOULD: be encoded in the document (PDF) as “selectable” text, not an image
- Accepted date formats (month names in English):
  - Month DD, YYYY example: May 7, 2016
  - DD Month YYYY example: 7 May 2016
  - YYYY-MM-DD example: 2016-05-07
  - No extra text within the date, such as “7th” or “the”
As per discussion in m.d.s.p, please add section 5.1 to the Common CCADB Policy, as follows.
5.1 Audit Statement Content
CCADB uses an Audit Letter Validation (ALV) tool to automatically parse and validate audit statements. This system eliminates manual processing, but it requires audit statements to follow some basic rules in order to function properly. If the audit statement fails to meet any of the following requirements, the CA will be asked to work with their auditor to provide an audit statement that passes ALV.
Audit statements listed in the CCADB must contain at least the following clearly-labelled information in English:
- Name and address of the organization performing the audit;
- Full name of the CA that was audited;
- SHA-256 fingerprint of each root and intermediate certificate that was in scope of the audit (see format specifications below);
- List of the CA policy documents (with version numbers) referenced during the audit;
- Whether the audit is for a period of time or a point in time;
- Date the audit statement was written, which will necessarily be after the audit period end date or point-in-time date (see date format specifications below);
- Start date and end date of the period that was audited, for those that cover a period of time (this is not the period the auditor was on-site);
- Point-in-time date, for those that are for a point in time;
- Full names and version numbers of the audit standards that were used during the audit; and
- For ETSI, a statement to indicate if the audit was a full audit, and which parts of the criteria were applied, e.g. DVCP, OVCP, NCP, NCP+, LCP, EVCP, EVCP+, QCP-w, Part1 (General Requirements), and/or Part 2 (Requirements for trust service providers).
ETSI Audits: Audits conducted by certified ETSI auditors must have their audit statement uploaded to their auditor’s website. CAs provide the URL to the audit statements on the auditor’s website, and ALV will verify those URLs against a known list of audit locations.
WebTrust Audits: Audits conducted by certified WebTrust auditors must have a WebTrust Seal. CAs enter the URL to the WebTrust Seal into the CCADB, and upon saving of the record, the CCADB automatically converts the URL to point to the corresponding PDF file via integration with CPA Canada.
- For qualified WebTrust audits, the CA may post the audit statements on their own website or attach the audit statement to a Bugzilla Bug and provide that URL. Additionally, the CA needs to provide an explanation about the findings and time frame for resolution of the findings.
Format Specifications for SHA-256 Fingerprints:
- MUST: No colons, no spaces, and no line feeds
- MUST: Uppercase letters
- SHOULD: be encoded in the document (PDF) as select-able text, not an image
Format Specifications for Dates: The following formats are accepted by ALV
- Month DD, YYYY example: May 7, 2016
- DD Month YYYY example: 7 May 2016
- YYYY-MM-DD example: 2016-05-07
- Month names in English
- No extra text within the date, such as “7th” or “the”
"certified ETSI auditors" --> "accredited conformity assessment bodies". I think the WebTrust terminology is also different, "licenced practitioners", but it's better for someone from the WebTrust TF or ACAB-c to confirm these terms so we are all on the same page.
I have incorporated feedback from representatives of ETSI and WebTrust.
5.1 Audit Statement Content
CCADB uses an Audit Letter Validation (ALV) tool to automatically parse and validate audit statements. This system eliminates manual processing, but it requires audit statements to follow some basic rules in order to function properly. If the audit statement fails to meet any of the following requirements, the CA will be asked to work with their auditor to provide an audit statement that passes ALV.
Audit statements listed in the CCADB must contain at least the following clearly-labelled information in English:
- Name and address of the organization performing the audit;
- Full name of the CA that was audited;
- SHA-256 fingerprint of each root and intermediate certificate that was in scope of the audit (see format specifications below);
- List of the CA policy documents (with version numbers) referenced during the audit;
- Whether the audit is for a period of time or a point in time;
- Date the audit statement was written, which will necessarily be after the audit period end date or point-in-time date (see date format specifications below);
- Start date and end date of the period that was audited, for those that cover a period of time (this is not the period the auditor was on-site);
- Point-in-time date, for those that are for a point in time;
- Full names and version numbers of the audit standards that were used during the audit; and
- For ETSI, a statement to indicate if the audit was a full audit, and which parts of the criteria were applied, e.g. DVCP, OVCP, NCP, NCP+, LCP, EVCP, EVCP+, QCP-w, Part1 (General Requirements), and/or Part 2 (Requirements for trust service providers).
Audits based on ETSI CPs: Audits conducted by accredited conformity assessment bodies (CAB) must have their Audit Attestation Letter (AAL) uploaded to the CAB’s website. CAs provide the URL to the AAL on the CAB’s website, and ALV will verify those URLs against a known list of AAL locations.
- When an ETSI Certificate cannot be issued, the CA must still provide an AAL such that there are no gaps between audit periods for consecutive audits. The CA may post the AAL on their own website or attach the attestation report to a Bugzilla Bug and provide that URL. Additionally, the CA needs to provide an explanation about the problems and time frame for resolution of the problems.
WebTrust Audits: Audits conducted by licensed WebTrust practitioners must have a WebTrust Seal. CAs enter the URL to the WebTrust Seal into the CCADB, and upon saving of the record, the CCADB automatically converts the URL to point to the corresponding PDF file via integration with CPA Canada.
- For qualified WebTrust audits, the CA may post the audit statements on their own website or attach the audit statement to a Bugzilla Bug and provide that URL. Additionally, the CA needs to provide an explanation about the findings and time frame for resolution of the findings.
Format Specifications for SHA-256 Fingerprints:
- MUST: No colons, no spaces, and no line feeds
- MUST: Uppercase letters
- HOULD: be encoded in the document (PDF) as select-able text, not an image
Format Specifications for Dates: The following formats are accepted by ALV
- Month DD, YYYY example: May 7, 2016
- DD Month YYYY example: 7 May 2016
- YYYY-MM-DD example: 2016-05-07
- Month names in English
- No extra text within the date, such as “7th” or “the”
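A pre-submission check a CA could run over the fingerprints and dates it intends to put in an audit statement, following the 5.1 format rules above. This is an added example, not ALV itself (the thread does not describe ALV's implementation); the fingerprint and date values are constructed samples.

```python
import re
from datetime import datetime

# Constructed sample values for illustration; not taken from any real audit statement.
SAMPLE_FINGERPRINT = "ABCDEF0123456789" * 4                  # 64 uppercase hex chars, as ALV wants
PRETTY_FINGERPRINT = ":".join(["ab", "cd", "ef", "01"] * 8)  # openssl-style colon form, which ALV rejects

# The three date forms ALV accepts; the regex stops strptime from being more lenient than the policy.
DATE_FORMS = [
    (re.compile(r"^[A-Z][a-z]+ \d{1,2}, \d{4}$"), "%B %d, %Y"),  # Month DD, YYYY  (May 7, 2016)
    (re.compile(r"^\d{1,2} [A-Z][a-z]+ \d{4}$"), "%d %B %Y"),    # DD Month YYYY   (7 May 2016)
    (re.compile(r"^\d{4}-\d{2}-\d{2}$"), "%Y-%m-%d"),            # YYYY-MM-DD      (2016-05-07)
]

def fingerprint_problems(fp: str) -> list:
    """Return the ALV fingerprint rules the string violates (empty list means it passes)."""
    problems = []
    if ":" in fp:
        problems.append("contains colons")
    if re.search(r"\s", fp):
        problems.append("contains spaces or line feeds")
    if re.search(r"[a-f]", fp):
        problems.append("hex letters are not uppercase")
    if not re.fullmatch(r"[0-9A-Fa-f]{64}", re.sub(r"[:\s]", "", fp)):
        problems.append("not 64 hex characters, so not a SHA-256 fingerprint")
    return problems

def parse_alv_date(text: str):
    """Parse an accepted date form; None for anything else ("7th", "the", non-English months)."""
    for pattern, fmt in DATE_FORMS:
        if pattern.match(text):
            try:
                return datetime.strptime(text, fmt).date()  # %B expects English month names (C locale)
            except ValueError:
                return None
    return None

def period_audit_problems(statement_date: str, period_start: str, period_end: str) -> list:
    """Check the three dates a period-of-time audit must state, including the ordering 5.1 requires."""
    problems, parsed = [], {}
    for label, text in (("statement date", statement_date),
                        ("period start", period_start), ("period end", period_end)):
        parsed[label] = parse_alv_date(text)
        if parsed[label] is None:
            problems.append(f"{label} '{text}' is not in an accepted format")
    if None not in parsed.values():
        if parsed["period start"] >= parsed["period end"]:
            problems.append("period start must precede period end")
        if parsed["statement date"] <= parsed["period end"]:
            problems.append("statement date must be after the period end date")
    return problems
```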
Note that there is a missing 'S' at the beginning of this bullet point:
- HOULD: be encoded in the document (PDF) as select-able text, not an image