Trust Service Providers: Self-Regulatory Processes
Ben Wilson, JD CISSP
DigiCert & CA/Browser Forum
1995–1996: BS 7799, EU Recommendation - Information Technology Security Evaluation Criteria (ITSEC), ABA Digital Signature Guidelines
1997–1999: ETSI Guide - Trusted Third Parties, CP/CPS framework (ISO/TC68/SC 2 / RFC 2527), Gatekeeper CS2/CSPP for COTS Protection Profile
2000–2003: ANSI X9.79, WebTrust, ETSI TS 101 456, ISO 17799, ABA PKI Assessment Guidelines, ETSI TS 102 042
2005–2007: CA / Browser Forum guidelines for EV SSL certificates, ISO 27001 and ISO 17799 -> ISO 27002
2011–2013: ETSI TS 119 403 (EN 319 411-3), CABF Baseline Requirements, Security Requirements, WebTrust / ETSI, NIST Reference CP, and ENISA, ISO 27007/27008, etc.
Self-regulation as policy process: The multiple and criss-crossing stages of private rule-making, Tony Porter (McMaster University, Hamilton, Canada) and Karsten Ronit (University of Copenhagen), Policy Sciences (2006) 39: 41–72
1. Agenda-setting
2. Problem-identification (Rules Drafting)
3. Decision Making
4. Implementation
5. Evaluation
1. Trust Service Provider (TSP) Agenda-setting
• What problems do we want to solve?
• What kinds of changes are needed?
2. Problem identification (Rulemaking)
Identify problems in such a way that they can be addressed by modifications of practices, based on discussion or research of the existing standards of conduct that are deemed to be relevant.
Depends heavily on:
• Influence of government in the agenda-setting stage
• Crafting a solution that is an incremental change to existing practice
• Choosing the “best practice”
• Great volumes of technical research (which sometimes can be arbitrary or political)
• Feasibility – capabilities of government vs. those of the private sector
Is the proposed course of action appropriate? Will industry follow the recommended practice? Will industry be difficult to monitor?
• TSP conduct - complex knowledge, dispersed behavior (the Internet crosses international boundaries)
• Continuum of public-private influence - there is an inflection point where government regulation reaches balance with the private sector through communication and negotiation.
Government must address whether self-regulation allows negative externalities to persist unchecked.
• Self-auditing and reporting play an important role. These mechanisms work where they have a degree of formality and sophistication.
• Encourage voluntary compliance - appeal to industry’s self-interest in following best practices, backed by incentives and sanctions.
• “Education” is an important part of implementation.
• “Education” can range from the publication of rules and “recommended practices” on an association’s website, to rigorous certification processes involving extensive studying and testing.
• Private rule-making is a radical departure because regulation is public in character
• Private and public resources are often inadequate
• Annual reports on audits/improvements are good
• Problems must not become too severe before action is taken; failures need to be corrected.
• Transparency is important, but so is a smooth resolution of internal conflicts between public regulation and private self-regulation.
Address security vulnerabilities by gathering information and following up
Rules, Decisions, Implementation, Evaluation
Improve coordination amongst government, WebTrust, ETSI, and other key stakeholders
Public-private coordination with industry
Follow up with progress reports