Auditor view about ETSI and WebTrust criteria. Christoph SUTTER

Transcription

1 Auditor view about ETSI and WebTrust criteria Christoph SUTTER

2 Outline 1. Conformity Assessment (in general) relevant standards criteria / normative document certification object (here certification service of CA) auditor / assessor; certification body / conformity assessment body 2. Criteria for CA Conformity Assessment ETSI TS , V2.2.1 ( ) and WebTrust for CA, V2.0 ( ) from CICA EV Guidelines & Baseline Requirements from CA/Browser Forum 3. Responsibilities of the Players CA, auditor, certification body, editor of the criteria background: successful attacks on CA 4. Summary 1

3 Conformity Assessment: Relevant Standards EN 45011:1998 General requirements for bodies operating product certification systems (ISO/IEC Guide 65:1996) currently under revision as ISO/IEC DIS 17065: Conformity assessment - Requirements for bodies certifying products, processes and services ISO/IEC 17021:2011 Conformity assessment - Requirements for bodies providing audit and certification of management systems ISO/IEC 17007:2009 Conformity assessment - Guidance for drafting normative documents suitable for use for conformity assessment 2

4 5 Principles of ISO/IEC for drafting normative documents 1. separation of specified requirements for the object of conformity assessment from specified requirements related to conformity assessment activities 2. neutrality towards parties performing conformity assessment activities possibility of first, second or third party assessment 3. functional approach to conformity assessment selection (object and requirements), determination (e. g. test, audit and/or examination), review and attestation, surveillance (if needed) 4. comparability of conformity assessment results 5. good practice in conformity assessment use of international standard, best practices etc. 3

5 Scopes of ISO/IEC & ISO/IEC Certification Scope Management Systems e. g. quality (9001), information security (27001), etc. ISO/IEC DIS Certification Scope Products (results of a process), e. g. software etc. Processes (set of interrelated activities which transforms inputs into outputs), e. g. tempering of steel cylinders Services (result of at least one activity performed at the interface between the supplier and the customer ) e. g. delivery of an intangible product (remark: ISO/IEC DIS requirements on conformity assessment of products, processes and services are identical) 4

6 Conformity Assessment: ISO/IEC 17021, Principles impartiality, competence, responsibility, confidentiality, responsiveness to complaints General Requirements legal / contractual, management of impartiality, liability and financing, non-discriminatory conditions Structural Requirements organisational including top management, impartiality Resource Requirements management, personal, outsourcing Information Requirements (see next slide) Process Requirements (see next slide) Management System Requirements (e. g. ISO 9001) 5

7 ISO/IEC 17021, selected requirements Information Requirements include requirements for: publicly available information on certification processes, certification conditions, standards, etc. list with all certificates including names of certified objects, the normative document, the scope and the validity period Process Requirements audit of management systems (ISO 17021) evaluation of products, processes and services (ISO 17065) review and certification decision re-certification certification, surveillance suspension, certificate withdrawal, scope reduction appeals and complaints records of applicants and clients 6

8 Conformity Assessment for Certification Authorities (CA) normative documents (criteria) ETSI TS , TS , TS WebTrust for CA EV guidelines, baseline requirements certification i object: certification i service of CA certification / conformity assessment body is accredited to either EN (ISO/IEC DIS 17065) or ISO/IEC with a certification scope that includes the relevant standards 7

9 Certification Body y( (CB) Accreditation (example) National Accreditation Body (now) DAkkS in Germany member of EA and IAF publishes accredited bodies Name of Certification Body Accreditation Standard EN / ISO Guide 65 Scope: IT Security Validity: 5 years Appendix with 2 pages 8

10 Certification Body Accreditation Accreditation Certificate Appendix 1 Scope IT Security means: ITSEC, CC / ISO ETSI TS , TS , TS Accreditation Certificate Appendix 2 names of responsible persons for test reports disclaimer: i The accreditation is valid for products which are not mandatory to be tested, certified and/or inspected by third parties. 9

11 Auditors & Certification Bodies view on ETSI TS and WebTrust for CA Criteria both are normative documents (criteria) in the sense of ISO/IEC both do not describe management systems as Plan-Do-Check-Act (PDCA) cycle is missing ETSI contains 5 quality levels LCP, NCP(+), EVCP(+) called certificate policies WT has different requirements for EV and quality level needs to be described in CP/CPS WT contains detailed illustrative controls ETSI is partly more extensive than WT (without illustrative controls) -> see examples on next slides 10

12 ETSI and WT Criteria Examples: 1. CA Key Generation HSM requirements q ETSI LCP: FIPS PUB 140 level 2 or ISO evaluated product ETSI NCP (+): FIPS PUB 140 level 3 or ISO evaluated product with risk analysis or CWA WT: generation of CA keys occur within cryptographic modules meeting the applicable technical and business requirements as disclosed in the CA s CPS WT illustrative controls: Generation of CA keys occur within a cryptographic module meeting the applicable requirements of ISO /FIPS (or equivalent)/ansi X9.66 plus many additional hints 11

13 ETSI and WT Criteria Examples: 2. Certificate Revocation and Suspension revocation management ETSI LCP: 72 hours between receipt of revocation request and availability of (changed) status information ETSI NCP(+): 24 hours between receipt of revocation request and availability a ab of (changed) status information o WT: certificates are revoked within the time frame as specified in CPS WT illustrative controls: no further hints regarding time delay 12

14 ETSI and WT Criteria Examples: 3. CA Management and Operation System Access Management ETSI: generic requirements, e. g. controls for protection of network domains protection against unauthorised access and modification secure account management identification & authentication before critical operations accountability of CA personnel continuous monitoring and alarm facilities WT: even more generic but additional illustrative controls: e. g.: Users are required to follow defined policies and procedures in the selection and use of passwords. 13

15 Responsibilities of the Players 1. Certification Authority (CA) The client organization, not the certification body, has the responsibility for conformity with the requirements for certification. (ISO/IEC / 17065): 2. Certification Body (Conformity Assessment Body) The certification body has the responsibility to assess sufficient objective evidence upon which to base a certification decision. (ISO/IEC / 17065): 3. Editor of the Criteria (ETSI, CICA, CA/B Forum) responsible that criteria fits to need of interested parties concerning security and business 14

16 Some public findings from Attacks on CAs in guessable passwords, ex.: 2. no (current) virus detection 3. missing i separation of network domains 4. intrusion detection is not working 5. no centralised protected storage of log files 6. old software version (patches) 7. (false) certificates could be sent out 8. => What can be improved in the audit process??? 15

17 Three Propositions for Improvements 1. audit should specially focus on checking system access management requirements, e. g. analysis of the network structure mandatory penetration testing remote access possibilities (including RAs) 2. information about attacks and best practices for protection ti should be exchanged between CA and Certification/Audit Bodies 3. transparency and information in case of security breaches 16

18 Summary conformity assessment is a suitable and powerful framework for assessing the security of CAs ETSI & WebTrust Criteria provide a valuable basis for conformity assessment that can be enhanced by additional criteria like the ones from CA/Browser Forum (EV Guidelines and Baseline Requirements) information exchange between CA and conformity assessment bodies is needed to learn from the past and improve the overall security levell 17

19 Thank you very much for your attention! TÜV Informationstechnik GmbH Member of TÜV NORD Group Dr. Christoph SUTTER Division Manager IT Infrastructure Langemarckstrasse Essen, Germany Phone: Fax: URL: 18