
Auditor view about ETSI and WebTrust criteria

Christoph SUTTER

Outline

1. Conformity Assessment (in general): relevant standards; criteria / normative document; certification object (here: the certification service of a CA); auditor / assessor; certification body / conformity assessment body

2. Criteria for CA Conformity Assessment: ETSI TS 102 042, V2.2.1 (11/2011); WebTrust for CA, V2.0 (03/2011) from CICA; EV Guidelines & Baseline Requirements from the CA/Browser Forum

3. Responsibilities of the Players: CA, auditor, certification body, editor of the criteria; background: successful attacks on CAs

4. Summary

1/25/2012 © TÜV Informationstechnik GmbH – Member of TÜV NORD Group

Conformity Assessment: Relevant Standards

EN 45011:1998 General requirements for bodies operating product certification systems (ISO/IEC Guide 65:1996); currently under revision as ISO/IEC DIS 17065: Conformity assessment - Requirements for bodies certifying products, processes and services

ISO/IEC 17021:2011 Conformity assessment - Requirements for bodies providing audit and certification of management systems

ISO/IEC 17007:2009 Conformity assessment - Guidance for drafting normative documents suitable for use for conformity assessment

5 Principles of ISO/IEC 17007 for drafting normative documents

1. separation of specified requirements for the object of conformity assessment from specified requirements related to conformity assessment activities

2. neutrality towards parties performing conformity assessment activities: possibility of first, second or third party assessment

3. functional approach to conformity assessment: selection (object and requirements), determination (e. g. test, audit and/or examination), review and attestation, surveillance (if needed)

4. comparability of conformity assessment results

5. good practice in conformity assessment: use of international standards, best practices etc.

Scopes of ISO/IEC 17021 & 17065

ISO/IEC 17021 Certification Scope: Management Systems, e. g. quality (9001), information security (27001), etc.

ISO/IEC DIS 17065 Certification Scope: Products (results of a process), e. g. software etc.; Processes (set of interrelated activities which transforms inputs into outputs), e. g. tempering of steel cylinders; Services (result of at least one activity performed at the interface between the supplier and the customer…), e. g. delivery of an intangible product

(remark: ISO/IEC DIS 17065 requirements on conformity assessment of products, processes and services are identical)

Conformity Assessment: ISO/IEC 17021, 17065

Principles: impartiality, competence, responsibility, confidentiality, responsiveness to complaints

General Requirements: legal / contractual, management of impartiality, liability and financing, non-discriminatory conditions

Structural Requirements: organisational including top management, impartiality

Resource Requirements: management, personnel, outsourcing

Information Requirements (see next slide)

Process Requirements (see next slide)

Management System Requirements (e. g. ISO 9001)

ISO/IEC 17021, 17065 selected requirements

Information Requirements include requirements for:
publicly available information on certification processes, certification conditions, standards, etc.
a list of all certificates including names of certified objects, the normative document, the scope and the validity period

Process Requirements:
audit of management systems (ISO 17021)
evaluation of products, processes and services (ISO 17065)
review and certification decision
re-certification, surveillance
suspension, certificate withdrawal, scope reduction
appeals and complaints
records of applicants and clients

Conformity Assessment for Certification Authorities (CA)

normative documents (criteria): ETSI TS 102 042, TS 101 456, TS 102 023; WebTrust for CA; EV guidelines, baseline requirements

certification object: certification service of the CA

certification / conformity assessment body is accredited to either EN 45011 (ISO/IEC DIS 17065) or ISO/IEC 17021, with a certification scope that includes the relevant standards

Certification Body (CB) Accreditation (example)

National Accreditation Body: (now) DAkkS in Germany; member of EA and IAF; publishes accredited bodies

Example accreditation certificate:
Name of Certification Body
Accreditation Standard: EN 45011 / ISO Guide 65
Scope: IT Security
Validity: 5 years
Appendix with 2 pages

Certification Body Accreditation

Accreditation Certificate Appendix 1: Scope IT Security means: ITSEC, CC / ISO 15408; ETSI TS 101 456, TS 102 042, TS 102 023

Accreditation Certificate Appendix 2: names of responsible persons for test reports; disclaimer: „The accreditation is valid for products which are not mandatory to be tested, certified and/or inspected by third parties.”

Auditors & Certification Bodies view on ETSI TS 102 042 and WebTrust for CA Criteria

both are normative documents (criteria) in the sense of ISO/IEC 17007

neither describes a management system: the Plan-Do-Check-Act (PDCA) cycle is missing

ETSI contains 5 quality levels, LCP, NCP(+), EVCP(+), called certificate policies

WT has different requirements for EV; the quality level needs to be described in the CP/CPS

WT contains detailed illustrative controls

ETSI is partly more extensive than WT (without illustrative controls) -> see examples on next slides

ETSI and WT Criteria Examples: 1. CA Key Generation

HSM requirements

ETSI LCP: FIPS PUB 140 level 2 or ISO 15408 evaluated product

ETSI NCP(+): FIPS PUB 140 level 3 or ISO 15408 evaluated product with risk analysis or CWA 14167

WT: „… generation of CA keys occur within cryptographic modules meeting the applicable technical and business requirements as disclosed in the CA's CPS …”

WT illustrative controls: „… Generation of CA keys occur within a cryptographic module meeting the applicable requirements of ISO 15782-1/FIPS 140-2 (or equivalent)/ANSI X9.66 …” plus many additional hints

ETSI and WT Criteria Examples: 2. Certificate Revocation and Suspension

revocation management

ETSI LCP: 72 hours between receipt of revocation request and availability of (changed) status information

ETSI NCP(+): 24 hours between receipt of revocation request and availability of (changed) status information

WT: certificates are revoked within the time frame as specified in the CPS

WT illustrative controls: no further hints regarding time delay
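The ETSI time limits above (72 h for LCP, 24 h for NCP and NCP+) are the kind of requirement an auditor can check against evidence rather than against the wording of a CPS. The following script is an added example, not code from the slides or from TÜViT, that replays constructed audit records (the time each revocation request was received, and the thisUpdate and revoked-serial list of each CRL issued) and classifies each request against the chosen policy. The record layout, field names and sample data are assumptions for illustration; "availability of status information" is taken to mean the thisUpdate of the first CRL that lists the serial (an OCSP responder's first revoked answer would be checked the same way).

```python
"""Revocation-latency audit check (added example; record format is assumed)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, FrozenSet, List, Optional, Tuple

# Maximum delay between receipt of a revocation request and availability of
# the changed status information, per certificate policy, as on the slide.
MAX_DELAY = {
    "LCP": timedelta(hours=72),
    "NCP": timedelta(hours=24),
    "NCP+": timedelta(hours=24),
}


@dataclass(frozen=True)
class RevocationRequest:
    serial: str            # certificate serial number (hex string, assumed format)
    received: datetime     # audit-log timestamp of receipt at the CA


@dataclass(frozen=True)
class CrlIssuance:
    this_update: datetime        # CRL thisUpdate field
    revoked: FrozenSet[str]      # serials listed as revoked in that CRL


def first_publication(serial: str, crls: List[CrlIssuance]) -> Optional[datetime]:
    """thisUpdate of the earliest CRL listing the serial, or None if never listed."""
    times = [c.this_update for c in crls if serial in c.revoked]
    return min(times) if times else None


def check_revocation_latency(requests: List[RevocationRequest],
                             crls: List[CrlIssuance],
                             policy: str,
                             now: datetime) -> Dict[str, Tuple[str, Optional[float]]]:
    """Classify each request as ok / late / pending / missing, with latency in hours.

    'pending' means not yet published but still inside the policy window;
    'missing' means the window has passed without any publication.
    """
    limit = MAX_DELAY[policy]
    results: Dict[str, Tuple[str, Optional[float]]] = {}
    for req in requests:
        published = first_publication(req.serial, crls)
        if published is None:
            status = "pending" if now - req.received <= limit else "missing"
            results[req.serial] = (status, None)
        else:
            latency = published - req.received
            hours = latency.total_seconds() / 3600
            results[req.serial] = ("ok" if latency <= limit else "late", hours)
    return results


def sample_records():
    """Constructed audit records for illustration; not data from any real CA."""
    t0 = datetime(2011, 9, 1, 8, 0, tzinfo=timezone.utc)
    requests = [
        RevocationRequest("01A3", t0),                        # published after 20 h
        RevocationRequest("01A4", t0 + timedelta(hours=2)),   # published after 42 h
        RevocationRequest("01A5", t0 + timedelta(hours=50)),  # received 10 h ago, unpublished
        RevocationRequest("01A6", t0),                        # received 60 h ago, unpublished
    ]
    crls = [
        CrlIssuance(t0 + timedelta(hours=20), frozenset({"01A3"})),
        CrlIssuance(t0 + timedelta(hours=44), frozenset({"01A3", "01A4"})),
        CrlIssuance(t0 + timedelta(hours=56), frozenset({"01A3", "01A4"})),
    ]
    now = t0 + timedelta(hours=60)
    return requests, crls, now


if __name__ == "__main__":
    reqs, crls, now = sample_records()
    for policy in ("LCP", "NCP"):
        print(f"policy {policy}:")
        for serial, (status, hours) in check_revocation_latency(reqs, crls, policy, now).items():
            extra = f" ({hours:.1f} h)" if hours is not None else ""
            print(f"  {serial}: {status}{extra}")
```

With the constructed data, serial 01A4 (42 h) is compliant under LCP but late under NCP, and 01A6 (60 h unpublished) is still pending under LCP but already a finding under NCP; the same evidence run against a WebTrust audit would have to be compared with whatever interval the CA's own CPS states.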

ETSI and WT Criteria Examples: 3. CA Management and Operation

System Access Management

ETSI: generic requirements, e. g.
controls for protection of network domains
protection against unauthorised access and modification
secure account management
identification & authentication before critical operations
accountability of CA personnel
continuous monitoring and alarm facilities

WT: even more generic, but additional illustrative controls, e. g.: „Users are required to follow defined policies and procedures in the selection and use of passwords.”

Responsibilities of the Players

1. Certification Authority (CA): "The client organization, not the certification body, has the responsibility for conformity with the requirements for certification." (ISO/IEC 17021 / 17065)

2. Certification Body (Conformity Assessment Body): "The certification body has the responsibility to assess sufficient objective evidence upon which to base a certification decision." (ISO/IEC 17021 / 17065)

3. Editor of the Criteria (ETSI, CICA, CA/B Forum): responsible that the criteria fit the needs of interested parties concerning security and business

Some public findings from Attacks on CAs in 2011

1. guessable passwords, ex.: Pr0d@dm1n
2. no (current) virus detection
3. missing separation of network domains
4. intrusion detection is not working
5. no centralised protected storage of log files
6. old software version (patches)
7. (false) certificates could be sent out
8. …

=> What can be improved in the audit process???
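Finding 1 above, read together with the WebTrust illustrative control quoted on the System Access Management slide („Users are required to follow defined policies and procedures in the selection and use of passwords.”), shows the gap between a written policy and a testable control: Pr0d@dm1n satisfies a typical length-plus-character-class rule and is still a trivial leetspeak spelling of two dictionary words. The following is an added example, not from the slides or from TÜViT, of the kind of check an auditor or the CA itself could run over administrative passwords; the substitution table and the small wordlist are constructed for illustration, and a real check would load a full dictionary plus organisation-specific terms.

```python
"""Guessability check for leetspeak variants of dictionary words (added example)."""
import string
from typing import Dict, List, Optional, Set

# Substitutions that complexity rules reward but password-guessing tools try
# first. The table is an illustrative assumption, not an exhaustive list.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i", "|": "l"})

# Constructed wordlist with terms an attacker targeting a CA would try.
WORDLIST: Set[str] = {"prod", "production", "admin", "administrator", "password",
                      "root", "ca", "test", "user", "welcome", "secret"}


def naive_complexity_ok(pw: str) -> bool:
    """The rule a written policy typically states: length plus character classes."""
    classes = [any(c.islower() for c in pw), any(c.isupper() for c in pw),
               any(c.isdigit() for c in pw), any(c in string.punctuation for c in pw)]
    return len(pw) >= 8 and sum(classes) >= 3


def normalise(pw: str) -> str:
    """Strip trailing digits/symbols (e.g. '2011!'), undo leetspeak, lower-case."""
    core = pw.rstrip(string.digits + string.punctuation)
    return core.translate(LEET).lower()


def segments(s: str, words: Set[str] = WORDLIST) -> Optional[List[str]]:
    """Split s into dictionary words (dynamic programming); None if impossible."""
    best: Dict[int, List[str]] = {0: []}
    for end in range(1, len(s) + 1):
        for start in range(end):
            if start in best and s[start:end] in words:
                best[end] = best[start] + [s[start:end]]
                break
    return best.get(len(s))


def guessable(pw: str) -> bool:
    """True if the password reduces to dictionary words (or to nothing at all)."""
    core = normalise(pw)
    return len(core) == 0 or segments(core) is not None


def assess(pw: str) -> Dict[str, bool]:
    """Both verdicts side by side: what the policy accepts vs. what an attacker guesses."""
    return {"complexity_ok": naive_complexity_ok(pw), "guessable": guessable(pw)}


if __name__ == "__main__":
    for candidate in ("Pr0d@dm1n", "Admin2011!", "xk7Qp!vR2wLm"):
        print(candidate, assess(candidate))
```

Run against the password from the slide, the policy check passes and the guessability check fails, which is exactly the situation an audit that only reads the password policy cannot detect; the audit proposition on the next slide (mandatory penetration testing) is the process-level answer to the same problem.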

Three Propositions for Improvements

1. the audit should specially focus on checking system access management requirements, e. g.
analysis of the network structure
mandatory penetration testing
remote access possibilities (including RAs)

2. information about attacks and best practices for protection should be exchanged between CAs and Certification/Audit Bodies

3. transparency and information in case of security breaches

Summary

conformity assessment is a suitable and powerful framework for assessing the security of CAs

ETSI & WebTrust Criteria provide a valuable basis for conformity assessment that can be enhanced by additional criteria like the ones from the CA/Browser Forum (EV Guidelines and Baseline Requirements)

information exchange between CAs and conformity assessment bodies is needed to learn from the past and improve the overall security level

Thank you very much for your attention!

TÜV Informationstechnik GmbH
Member of TÜV NORD Group

Dr. Christoph SUTTER
Division Manager IT Infrastructure

Langemarckstrasse 20
45141 Essen, Germany

Phone: +49 201 8999 – 582
Fax: +49 201 8999 – 555
E-Mail: [email protected]
www.tuvit.net