- Current Public Key Infrastructure (PKI) standards do not adequately consider Levels of Assurance (“one size fits none”);
- There are PKI “Oligopolies of Trust” that limit cooperation between governing bodies, thereby impeding global interoperability;
- While there are many domain-specific PKI Authorities in place, there is a need for more consistent security and auditing standards, policies and procedures to drive these entities;
- ISO 21188:2006 “Public key infrastructure for financial services – Practices and policy framework”, apart from its domain-specific focus, no longer represents current best practices;
- Security breaches in the Certification Authority (CA)/Browser space have occurred, causing government agencies to recommend tighter network standards;
- There is wide variation among PKI governance bodies on the nature, purpose, timing and methodologies of a PKI Audit;
- Overarching PKI guidance is required to create greater consistency in governance practices and greater interoperability between domain-specific authorities.
The following represents a starter set of questions/topics that are proposed to be addressed by the Study Period.
- Do we need an ISO Certification Schema to help drive domain-specific needs?
- How would one define a LoA for a PKI?
- What standards unite disparate certificate types such as identity and SSL cert PKI systems?
- How can ISO emerge as a global leader in this space?
- How will PKI be affected by greater global focus and investment in cyber security?
- What constitutes an auditable requirement/practice statement?
- Should all audits be consistent? Are there different types of PKI that need different kinds of audit? Can they be characterized down to a few types?
- How does one change auditing culture (i.e., auditor as advocate for improvement vs. auditor as policeman)? Is it wise in all cases?
- What should be done about audit findings and by whom?
- How can ISO establish itself as a widely recognized global reference source for PKI audit?
- What should be the experience and qualifications for a Lead Auditor and Staff Auditor in PKI?
See experience from:
- ITU-T Q11/17 – Erik Anderson
- ETSI Standards and EU Standardisation of Trust Service Providers – Nick Pope (ETSI)
- ISACA – E-commerce and Public Key Infrastructure (PKI) Audit/Assurance Programme
- US Study Period Presentation based on the proposal SC27N12297
- ITU-T Q11/17 Presentation: Planned PKI activities for ITU-T Study Period 2013-2016
- ETSI Standards and EU Activities
- Special Report SR 001 604: Rationalised Framework for Electronic Signature
- EN 319 401: General Policy Requirements for Trust Service Providers supporting Electronic Signatures
- EN 319 411-2: Policy and security requirements for Trust Service Providers issuing certificates; Part 2: Policy requirements for certification authorities issuing qualified certificates
- EN 319 411-3: Part 3: Policy requirements for Certification Authorities issuing public key certificates
- Guidance for Auditors and CSPs on ETSI TS 102 042 for Issuing Publicly Trusted TLS/SSL
- Trust Service Provider Conformity Assessment General requirements and guidance
- JTC1 SC6 (ASN.1/OID/Directories)
- ISACA – E-commerce and Public Key Infrastructure (PKI) Audit/Assurance Programme