Ballot 24 – Acceptable Audits in EV Processing Guidelines
Ballot 24 – Acceptable Audits in EV Processing Guidelines (Passed Unanimously)
Motion
Stephen Davidson made the following motion and it was endorsed by Ben Wilson and Johnathan Nightingale.
Motion begins
Effective 13 Feb 2009, the EV Processing Requirements should be amended in accordance with the following erratum. For inclusion of an EV CA, the current EV Processing Requirements refer to “an acceptable audit program” whereas the EV Guidelines are more specific in Section J, referring to “equivalent audit procedures approved by the CA/Browser Forum”. At this time the only approved procedures are the (i) WebTrust Program for CAs audit and (ii) WebTrust EV Program audit. Equivalent audit procedures for ETSI are currently being developed, and will soon be considered by the CA/B Forum for approval.
Erratum begins
- Delete the following paragraph from Section 6.1 of the Guidelines for the Processing of Extended Validation Certificates v1.0:
“An application developer shall recognize a CSP that is qualified to issue EV certificates by means of the CSP’s audit report. The application developer must check that the report was issued by an auditor certified to conduct audits in accordance with an acceptable audit program. The report must be current and it must identify no outstanding deficiencies.”
Insert the following paragraph:
“An application developer shall recognize a CSP that is qualified to issue EV certificates by means of the CSP’s audit report. The application developer must check that the report was issued by an auditor certified to conduct audits in accordance with an audit program approved by the CA/Browser Forum as recorded in [ISSU] or approved errata. The report must be current and it must identify no outstanding deficiencies.”
- Delete the following paragraph from Section 14 of the Guidelines for the Processing of Extended Validation Certificates v1.0:
“Perhaps the most serious threat to the security of extended validation is the possibility that any one of the CSPs upon which the application relies fails to conform, or maintain conformance with, the EV requirements for issuance and management [ISSU]. The main safeguard against this possibility is the CSP audit. Therefore, it is important that the application developer confirm that the CSP’s audit is current, identifies no deficiencies and was conducted by a properly qualified auditor. The audit should provide a level of assurance equivalent to that of a WebTrust for CAs EV audit. See:
http://www.webtrust.org/index.cfm/ci_id/43988/la_id/1.htm”
Insert the following paragraph:
“Perhaps the most serious threat to the security of extended validation is the possibility that any one of the CSPs upon which the application relies fails to conform, or maintain conformance with, the EV requirements for issuance and management [ISSU]. The main safeguard against this possibility is the CSP audit. Therefore, it is important that the application developer confirm that the CSP’s audit is current, identifies no deficiencies and was conducted by a properly qualified auditor. The audit program must be approved by the CA/Browser Forum as recorded in [ISSU] or approved errata. In general, claims of equivalence to an approved audit program are not acceptable.”
Erratum ends
Motion ends
The ballot review period comes into effect at 2200 UTC on 30 Jan 2009, and will close at 2200 UTC on 6 Feb 2009. Unless the motion is withdrawn during the review period, the voting period will start immediately thereafter and will close at 2200 UTC on 13 Feb 2009.
Votes must be cast by ‘reply all’ to this email.
A vote in favour of the motion must indicate a clear ‘yes’ in the response. A vote against must indicate a clear ‘no’ in the response. A vote to abstain must indicate a clear ‘abstain’ in the response. Unclear responses will not be counted.