Auditor's view on the ETSI and WebTrust criteria
Christoph SUTTER
Outline
1. Conformity assessment (in general)
   - relevant standards
   - criteria / normative document
   - certification object (here: the certification service of a CA)
   - auditor / assessor; certification body / conformity assessment body
2. Criteria for CA conformity assessment
   - ETSI TS 102 042, V2.2.1 (11-2011) and WebTrust for CA, V2.0 (03-2011) from CICA
   - EV Guidelines and Baseline Requirements from the CA/Browser Forum
3. Responsibilities of the players
   - CA, auditor, certification body, editor of the criteria
   - background: successful attacks on CAs
4. Summary
Conformity Assessment: Relevant Standards
- EN 45011:1998 General requirements for bodies operating product certification systems (ISO/IEC Guide 65:1996); currently under revision as ISO/IEC DIS 17065: Conformity assessment - Requirements for bodies certifying products, processes and services
- ISO/IEC 17021:2011 Conformity assessment - Requirements for bodies providing audit and certification of management systems
- ISO/IEC 17007:2009 Conformity assessment - Guidance for drafting normative documents suitable for use for conformity assessment
5 Principles of ISO/IEC 17007 for drafting normative documents
1. separation of the specified requirements for the object of conformity assessment from the specified requirements for the conformity assessment activities
2. neutrality towards the parties performing conformity assessment activities (first-, second- or third-party assessment possible)
3. functional approach to conformity assessment: selection (object and requirements), determination (e.g. test, audit and/or examination), review and attestation, surveillance (if needed)
4. comparability of conformity assessment results
5. good practice in conformity assessment (use of international standards, best practices, etc.)
Scopes of ISO/IEC 17021 & 17065
ISO/IEC 17021 certification scope: management systems, e.g. quality (ISO 9001), information security (ISO 27001), etc.
ISO/IEC DIS 17065 certification scope:
- products (results of a process), e.g. software
- processes (sets of interrelated activities that transform inputs into outputs), e.g. tempering of steel cylinders
- services (result of at least one activity performed at the interface between supplier and customer), e.g. delivery of an intangible product
Remark: the ISO/IEC DIS 17065 requirements on conformity assessment are identical for products, processes and services.
Conformity Assessment: ISO/IEC 17021, 17065
- Principles: impartiality, competence, responsibility, confidentiality, responsiveness to complaints
- General requirements: legal / contractual matters, management of impartiality, liability and financing, non-discriminatory conditions
- Structural requirements: organisation including top management, impartiality
- Resource requirements: management, personnel, outsourcing
- Information requirements (see next slide)
- Process requirements (see next slide)
- Management system requirements (e.g. ISO 9001)
ISO/IEC 17021, 17065: selected requirements
Information requirements include:
- publicly available information on certification processes, certification conditions, standards, etc.
- a list of all certificates, including the names of the certified objects, the normative document, the scope and the validity period
Process requirements include:
- audit of management systems (ISO/IEC 17021); evaluation of products, processes and services (ISO/IEC 17065)
- review and certification decision
- certification, surveillance, re-certification
- suspension, certificate withdrawal, scope reduction
- appeals and complaints
- records of applicants and clients
Conformity Assessment for Certification Authorities (CA)
- normative documents (criteria): ETSI TS 102 042, TS 101 456, TS 102 023; WebTrust for CA; EV Guidelines, Baseline Requirements
- certification object: the certification service of the CA
- the certification / conformity assessment body is accredited to either EN 45011 (ISO/IEC DIS 17065) or ISO/IEC 17021, with a certification scope that includes the relevant standards
Certification Body (CB) Accreditation (example)
- National Accreditation Body: (now) DAkkS in Germany, member of EA and IAF; publishes the list of accredited bodies
- accreditation certificate: name of the certification body; accreditation standard EN 45011 / ISO Guide 65; scope: IT Security; validity: 5 years; appendix with 2 pages
Certification Body Accreditation
- Accreditation certificate, appendix 1: the scope "IT Security" means ITSEC, CC / ISO 15408, ETSI TS 101 456, TS 102 042, TS 102 023
- Accreditation certificate, appendix 2: names of the persons responsible for test reports; disclaimer: "The accreditation is valid for products which are not mandatory to be tested, certified and/or inspected by third parties."
Auditors' and Certification Bodies' view on the ETSI TS 102 042 and WebTrust (WT) for CA criteria
- both are normative documents (criteria) in the sense of ISO/IEC 17007
- neither describes a management system: the Plan-Do-Check-Act (PDCA) cycle is missing
- ETSI contains 5 quality levels, called certificate policies: LCP, NCP, NCP+, EVCP, EVCP+
- WT has separate requirements for EV; the quality level must be described in the CA's CP/CPS
- WT contains detailed illustrative controls
- ETSI is in parts more extensive than WT (when WT's illustrative controls are not counted) -> see the examples on the next slides
ETSI and WT Criteria Examples: 1. CA Key Generation
HSM requirements:
- ETSI LCP: FIPS PUB 140 level 2, or an ISO 15408 evaluated product
- ETSI NCP(+): FIPS PUB 140 level 3, or an ISO 15408 evaluated product with risk analysis, or CWA 14167
- WT: generation of CA keys occurs within cryptographic modules meeting the applicable technical and business requirements as disclosed in the CA's CPS
- WT illustrative controls: generation of CA keys occurs within a cryptographic module meeting the applicable requirements of ISO 15782-1 / FIPS 140-2 (or equivalent) / ANSI X9.66, plus many additional hints
ETSI and WT Criteria Examples: 2. Certificate Revocation and Suspension
Revocation management:
- ETSI LCP: at most 72 hours between receipt of a revocation request and availability of the (changed) status information
- ETSI NCP(+): at most 24 hours between receipt of a revocation request and availability of the (changed) status information
- WT: certificates are revoked within the time frame specified in the CPS
- WT illustrative controls: no further hints regarding the time delay
ETSI and WT Criteria Examples: 3. CA Management and Operation: System Access Management
- ETSI: generic requirements, e.g. controls for the protection of network domains, protection against unauthorised access and modification, secure account management, identification and authentication before critical operations, accountability of CA personnel, continuous monitoring and alarm facilities
- WT: even more generic, but with additional illustrative controls, e.g.: "Users are required to follow defined policies and procedures in the selection and use of passwords."
Responsibilities of the Players
1. Certification Authority (CA): "The client organization, not the certification body, has the responsibility for conformity with the requirements for certification." (ISO/IEC 17021 / 17065)
2. Certification body (conformity assessment body): "The certification body has the responsibility to assess sufficient objective evidence upon which to base a certification decision." (ISO/IEC 17021 / 17065)
3. Editor of the criteria (ETSI, CICA, CA/Browser Forum): responsible that the criteria fit the needs of the interested parties concerning security and business
Some public findings from attacks on CAs in 2011
1. guessable passwords, e.g. Pr0d@dm1n
2. no (current) virus detection
3. missing separation of network domains
4. intrusion detection not working
5. no centralised, protected storage of log files
6. outdated software versions (missing patches)
7. (false) certificates could be sent out
=> What can be improved in the audit process?
Three Propositions for Improvements
1. the audit should focus specifically on checking the system access management requirements, e.g. analysis of the network structure, mandatory penetration testing, remote access possibilities (including RAs)
2. information about attacks and best practices for protection should be exchanged between CAs and certification / audit bodies
3. transparency and information in case of security breaches
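One concrete check that follows from the findings above (a password such as Pr0d@dm1n satisfies a naive complexity rule yet is a dictionary phrase in leetspeak) and from the first proposition (audit the system access management requirements, not just the written policy): normalise candidate passwords and segment them against a wordlist instead of counting character classes. The Python script below is an added example for this page, not part of the presentation or of any audit body's toolset; the mini-wordlist, the leet substitution table and the sample credentials are constructed for illustration, and a real audit would run the same logic against the CA's exported policy or recovered hashes with a full dictionary.

```python
"""Added example: audit check for guessable administrative passwords.

Not from the presentation. The wordlist and the credential samples below are
constructed for illustration; a real audit would use a full dictionary and the
CA's actual credential material.
"""
import math
import re
from typing import Dict, List, Optional

# Constructed mini-dictionary (assumption); a real audit uses a full wordlist.
WORDLIST = {"admin", "prod", "password", "root", "welcome", "test", "ca"}
MAX_WORD = max(len(w) for w in WORDLIST)

# Common leet substitutions that complexity rules count as digits/specials.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})


def normalize(pw: str) -> str:
    """Undo leet substitutions and case: 'Pr0d@dm1n' -> 'prodadmin'."""
    return pw.translate(LEET).lower()


def split_into_words(s: str) -> Optional[List[str]]:
    """Dynamic-programming segmentation of s into WORDLIST tokens.

    Returns the token list if the whole string is covered, else None.
    """
    best: List[Optional[List[str]]] = [None] * (len(s) + 1)
    best[0] = []
    for i in range(1, len(s) + 1):
        for j in range(max(0, i - MAX_WORD), i):
            if best[j] is not None and s[j:i] in WORDLIST:
                best[i] = best[j] + [s[j:i]]
                break
    return best[len(s)]


def naive_entropy_bits(pw: str) -> float:
    """What a charset-based complexity rule 'sees': len * log2(pool size)."""
    pool = 0
    if re.search(r"[a-z]", pw):
        pool += 26
    if re.search(r"[A-Z]", pw):
        pool += 26
    if re.search(r"[0-9]", pw):
        pool += 10
    if re.search(r"[^A-Za-z0-9]", pw):
        pool += 33
    return len(pw) * math.log2(pool) if pool else 0.0


def audit_password(pw: str, min_length: int = 12) -> Dict[str, object]:
    """Flag a password that is short or that reduces to dictionary words once
    case, leet substitutions and leading/trailing digits/punctuation are removed."""
    reasons: List[str] = []
    if len(pw) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    candidates: List[str] = []
    for cand in (pw.lower(), normalize(pw)):
        if cand not in candidates:
            candidates.append(cand)
    for cand in candidates:
        # Strip the 'Welcome2011!' style prefix/suffix before segmenting.
        core = re.sub(r"^[^a-z]+|[^a-z]+$", "", cand)
        words = split_into_words(core)
        if words:
            reasons.append("dictionary words after normalisation: " + "+".join(words))
            break
    return {
        "password": pw,
        "naive_entropy_bits": round(naive_entropy_bits(pw), 1),
        "guessable": bool(reasons),
        "reasons": reasons,
    }


# Constructed sample credentials (assumption); the first one is the pattern
# named in the public findings.
SAMPLE_PASSWORDS = ["Pr0d@dm1n", "Welcome2011!", "admin", "xq7#Lm2$vR9!pZ"]


def audit_all(passwords: List[str] = SAMPLE_PASSWORDS) -> List[Dict[str, object]]:
    return [audit_password(p) for p in passwords]


if __name__ == "__main__":
    for result in audit_all():
        flag = "WEAK" if result["guessable"] else "ok  "
        print(flag, result["password"], result["naive_entropy_bits"], "bits;",
              "; ".join(result["reasons"]))
```

The point of the naive entropy figure next to the verdict is that Pr0d@dm1n scores about 59 bits under a four-character-class rule and still falls to a dictionary attack after normalisation; an audit that only reads the password policy document would not see this, which is why the proposition above asks for the access management controls to be tested rather than reviewed.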
Summary
- conformity assessment is a suitable and powerful framework for assessing the security of CAs
- the ETSI and WebTrust criteria provide a valuable basis for conformity assessment that can be enhanced by additional criteria like those from the CA/Browser Forum (EV Guidelines and Baseline Requirements)
- information exchange between CAs and conformity assessment bodies is needed to learn from the past and improve the overall security level
Thank you very much for your attention!
TÜV Informationstechnik GmbH, Member of TÜV NORD Group
Dr. Christoph SUTTER, Division Manager IT Infrastructure
Langemarckstrasse 20, 45141 Essen, Germany
Phone: +49 201 8999 582, Fax: +49 201 8999 555
E-Mail: C.Sutter@tuvit.de, URL: www.tuvit.net