From d820f37f9e1550805c210dcaf5162b7f86ccfb69 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?I=C3=B1igo=20Barreira?= <92998585+barrini@users.noreply.github.com> Date: Wed, 2 Oct 2024 17:45:19 +0300 Subject: [PATCH] SC-077: Update WebTrust Audit name in Section 8.4 and References (#514) (#543) * SC-077: Update WebTrust Audit name in Section 8.4 and References (#514) * Add updated WebTrust Audit name Update 8.4 to reference updated WebTrust document names * Update BR.md --------- Co-authored-by: Clint Wilson * Update BR.md New TLS BRs version according to ballot SC77 --------- Co-authored-by: Clint Wilson Co-authored-by: Clint Wilson --- docs/BR.md | 22 +++++++++++++++------- 1 file changed, 15 insertions(+), 7 deletions(-) diff --git a/docs/BR.md b/docs/BR.md index d9b61fc5..f8bdab1e 100644 --- a/docs/BR.md +++ b/docs/BR.md @@ -1,11 +1,11 @@ --- title: Baseline Requirements for the Issuance and Management of Publicly-Trusted TLS Server Certificates -subtitle: Version 2.0.7 +subtitle: Version 2.0.8 author: - CA/Browser Forum -date: 6-September-2024 +date: 2-October-2024 @@ -144,6 +144,7 @@ The following Certificate Policy identifiers are reserved for use by CAs to asse | 2.0.5 | SC73 | Compromised and weak keys | 3-May-2024 | 1-July-2024 | | 2.0.6 | SC75 | Pre-sign linting | 28-June-2024 | 6-August-2024 | | 2.0.7 | SC67 | Require Multi-Perspective Issuance Corroboration | 2-August-2024 | 6-September-2024 | +| 2.0.8 | SC77 | Update WebTrust Audit name in Section 8.4 and References | 2-September-2024 | 2-October-2024 | \* Effective Date and Additionally Relevant Compliance Date(s) 
@@ -614,6 +615,8 @@ RFC8954, Request for Comments: 8954, Online Certificate Status Protocol (OCSP) N WebTrust for Certification Authorities, SSL Baseline with Network Security, available at +[WebTrust Principles and Criteria for Certification Authorities – SSL Baseline](https://www.cpacanada.ca/en/business-and-accounting-resources/audit-and-assurance/overview-of-webtrust-services/principles-and-criteria) + X.509, Recommendation ITU-T X.509 (08/2005) \| ISO/IEC 9594-8:2005, Information technology – Open Systems Interconnection – The Directory: Public-key and attribute certificate frameworks. ### 1.6.4 Conventions 
@@ -3496,11 +3499,16 @@ The CA's audit SHALL be performed by a Qualified Auditor. A Qualified Auditor me The CA SHALL undergo an audit in accordance with one of the following schemes: -1. "WebTrust for CAs v2.1 or newer" AND "WebTrust for CAs SSL Baseline with Network Security v2.3 or newer"; or -2. ETSI EN 319 411-1 v1.2.2, which includes normative references to ETSI EN 319 401 (the latest version of the referenced ETSI documents should be applied); or -3. If a Government CA is required by its Certificate Policy to use a different internal audit scheme, it MAY use such scheme provided that the audit either - a. encompasses all requirements of one of the above schemes or - b. consists of comparable criteria that are available for public review. +1. WebTrust: + * "Principles and Criteria for Certification Authorities" Version 2.2 or newer; and either + * "WebTrust Principles and Criteria for Certification Authorities – SSL Baseline with Network Security" Version 2.7 or newer; or + * "WebTrust Principles and Criteria for Certification Authorities – SSL Baseline" Version 2.8 or newer and "WebTrust Principles and Criteria for Certification Authorities – Network Security" Version 1.0 or newer +2. ETSI: + * ETSI EN 319 411-1 v1.4.1 or newer, which includes normative references to ETSI EN 319 401 (the latest version of the referenced ETSI documents should be applied); or +3. Other: + * If a Government CA is required by its Certificate Policy to use a different internal audit scheme, it MAY use such scheme provided that the audit either + a. encompasses all requirements of one of the above schemes; or + b. consists of comparable criteria that are available for public review. Whichever scheme is chosen, it MUST incorporate periodic monitoring and/or accountability procedures to ensure that its audits continue to be conducted in accordance with the requirements of the scheme.
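
Review bot: The new changelog row in the `@@ -144,6 +144,7 @@` hunk describes 2.0.8 as "Update WebTrust Audit name in Section 8.4 and References", but the Section 8.4 hunk changes more than names. It moves ETSI EN 319 411-1 from "v1.2.2" to "v1.4.1 or newer" and raises the WebTrust minimums from v2.1 and v2.3 to Version 2.2 and Version 2.7. Since these are normative audit-scheme changes, consider widening the row description (and the commit subject) so that CAs and auditors reading the version table can see that the accepted criteria versions changed in this release.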
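
Review bot: The reference added in the `@@ -614,6 +615,8 @@` hunk covers only "WebTrust Principles and Criteria for Certification Authorities – SSL Baseline", while the Section 8.4 hunk also relies on the separate "Network Security" Version 1.0 document and on "Principles and Criteria for Certification Authorities" Version 2.2, and this patch adds no reference entry for either. Please check that Section 1.6.3 already lists them, or add them here. The retained context line "WebTrust for Certification Authorities, SSL Baseline with Network Security, available at" still carries the old document name, which sits oddly next to the ballot's stated purpose. The new entry is also a bare Markdown link, whereas the neighbouring entries (RFC8954, X.509) use a "name, description" form, so it would be worth matching that style.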
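
Review bot: In the `@@ -3496,11 +3499,16 @@` hunk, the WebTrust item expresses "A and (B or (C and D))" only through bullet order. The first bullet ends with "and either", the next ends with "; or", and the last joins two documents with "and", so the precedence depends on how the list renders. Suggest nesting the two alternatives under the "and either" bullet, or restating the combination in one sentence, so that an auditor cannot read it as "(A and B) or (C and D)". The connectors between the top-level items are also uneven: the last WebTrust bullet has no trailing "; or", while the single ETSI bullet ends with "; or" before "3. Other:". Pick one convention for linking items 1, 2 and 3.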