CA/Browser Forum
Home » All CA/Browser Forum Posts » Ballot 24 – Acceptable Audits in EV Processing Guidelines

Ballot 24 – Acceptable Audits in EV Processing Guidelines

Ballot 24 – Acceptable Audits in EV Processing Guidelines (Passed Unanimously)

Motion

Stephen Davidson made the following motion and it was endorsed by Ben Wilson and Johnathan Nightingale.

Motion begins

Effective 13 Feb 2009, the EV Processing Requirements should be amended in accordance with the following erratum. For inclusion of an EV CA, the current EV Processing Requirements refer to “an acceptable audit program” whereas the EV Guidelines are more specific in Section J, referring to “equivalent audit procedures approved by the CA/Browser Forum”. At this time the only approved procedures are the (i) WebTrust Program for CAs audit and (ii) WebTrust EV Program audit. Equivalent audit procedures for ETSI are currently being developed, and will soon be considered by the CA/B Forum for approval.

Erratum begins

  1. Delete the following paragraph from Section 6.1 of the Guidelines for the Processing of Extended Validation Certificates v1.0:

“An application developer shall recognize a CSP that is qualified to issue EV certificates by means of the CSP’s audit report. The application developer must check that the report was issued by an auditor certified to conduct audits in accordance with an acceptable audit program. The report must be current and it must identify no outstanding deficiencies.”

Insert the following paragraph:

“An application developer shall recognize a CSP that is qualified to issue EV certificates by means of the CSP’s audit report. The application developer must check that the report was issued by an auditor certified to conduct audits in accordance with an audit program approved by the CA/Browser Forum as recorded in [ISSU] or approved errata. The report must be current and it must identify no outstanding deficiencies.”

  1. Delete the following paragraph from Section 14 of the Guidelines for the Processing of Extended Validation Certificates v1.0:

“Perhaps the most serious threat to the security of extended validation is the possibility that any one of the CSPs upon which the application relies fails to conform, or maintain conformance with, the EV requirements for issuance and management [ISSU]. The main safeguard against this possibility is the CSP audit. Therefore, it is important that the application developer confirm that the CSP’s audit is current, identifies no deficiencies and was conducted by a properly qualified auditor. The audit should provide a level of assurance equivalent to that of a WebTrust for CAs EV audit. See:

http://www.webtrust.org/index.cfm/ci_id/43988/la_id/1.htm”

Insert the following paragraph:

“Perhaps the most serious threat to the security of extended validation is the possibility that any one of the CSPs upon which the application relies fails to conform, or maintain conformance with, the EV requirements for issuance and management [ISSU]. The main safeguard against this possibility is the CSP audit. Therefore, it is important that the application developer confirm that the CSP’s audit is current, identifies no deficiencies and was conducted by a properly qualified auditor. The audit program must be approved by the CA/Browser Forum as recorded in [ISSU] or approved errata. In general, claims of equivalence to an approved audit program are not acceptable.”

Erratum ends

Motion ends

The ballot review period comes into effect at 2200 UTC on 30 Jan 2009, and will close at 2200 UTC on 6 Feb 2009. Unless the motion is withdrawn during the review period, the voting period will start immediately thereafter and will close at 2200 UTC on 13 Feb 2009.

Votes must be cast by ‘reply all’ to this email.

A vote in favour of the motion must indicate a clear ‘yes’ in the response. A vote against must indicate a clear ‘no’ in the response. A vote to abstain must indicate a clear ‘abstain’ in the response. Unclear responses will not be counted.

Latest releases
Code Signing Requirements
v3.8 - Aug 5, 2024

What’s Changed CSC-25: Import EV Guidelines to CS Baseline Requirements by @dzacharo in https://github.com/cabforum/code-signing/pull/38 Full Changelog: https://github.com/cabforum/code-signing/compare/v3.7...v3.8

S/MIME Requirements
v1.0.6 - Ballot SMC08 - Aug 29, 2024

This ballot sets a date by which issuance of certificates following the Legacy generation profiles must cease. It also includes the following minor updates: Pins the domain validation procedures to v 2.0.5 of the TLS Baseline Requirements while the ballot activity for multi-perspective validation is concluded, and the SMCWG determines its corresponding course of action; Updates the reference for SmtpUTF8Mailbox from RFC 8398 to RFC 9598; and Small text corrections in the Reference section

Network and Certificate System Security Requirements
v2.0 - Ballot NS-003 - Jun 26, 2024

Ballot NS-003: Restructure the NCSSRs in https://github.com/cabforum/netsec/pull/35

Edit this page
The Certification Authority Browser Forum (CA/Browser Forum) is a voluntary gathering of Certificate Issuers and suppliers of Internet browser software and other applications that use certificates (Certificate Consumers).