SlideShare a Scribd company logo

Trust Service Providers: Self-Regulatory Processes

CASCouncil
CASCouncil

Ben Wilson, JD CISSP DigiCert & CA/Browser Forum

TechnologyBusiness
1 of 9
Download to read offline
Ben Wilson, JD CISSP DigiCert & CA/Browser Forum
1995 - 1996 –BS 7799 - EU Recommendation - Information Technology Security Evaluation Criteria (ITSEC), ABA Digital Signature Guidelines 1997-1999 – ETSI Guide - Trusted Third Parties, CP/CPS framework (ISO/TC68/SC 2 / RFC 2527), Gatekeeper CS2/CSPP for COTS Protection Profile 2000 -2003 – ANSI X9.79,WebTrust, ETSI TS 101 456, ISO 17799, ABA PKI Assessment Guidelines, ETSI TS 102 042 2005 - 2007 –CA / Browser Forum guidelines for EV SSL certificates, ISO 27001 and ISO 17799 -> ISO 27002 2011-2013 –ETSI TS 119 403 (EN 319 411-3), CABF Baseline Requirements, Security Requirements,WebTrust / ETSI, NIST Reference CP, and ENISA, ISO 27007/27008, etc.
Self-regulation as policy process:The multiple and criss-crossing stages of private rule-making, Tony Porter, McMaster University, Hamilton, Canada and Karsten Ronit, University of Copenhagen, Policy Sciences (2006) 39: 41–72 1. Agenda-setting 2. Problem-identification (Rules Drafting) 3. Decision Making 4. Implementation 5. Evaluation
1. Trust Service Provider (TSP) Agenda-setting  What problems do we want to solve?  What kinds of changes are needed? 2. Problem identification (Rulemaking) Identify problems in such a way that they can be addressed by modifications of practices, based on discussion or research of the existing standards of conduct that are deemed to be relevant.
Dependent heavily on:  Influence of government in agenda setting stage  Crafting a solution that is an incremental change to existing practice  Choosing the “best practice”  Great volumes of technical research (which sometimes can be arbitrary or political)  Feasibility – capabilities of government vs. those of the private sector
Is the proposed course of action appropriate? Will industry follow the recommended practice? Will industry be difficult to monitor?  TSP conduct - complex knowledge, dispersed behavior (Internet crosses international boundaries)  Continuum of public-private influence - there is an inflection point where government regulation reaches balance with private sector through communication and negotiation. Government must address whether self-regulation allows negative externalities to persist unchecked.
 Self-auditing and reporting play an important role. These mechanisms work where they have a degree of formality and sophistication.  Encourage voluntary compliance - Appeal to industry’s self-Interest in following best practices. Incentives and sanctions  “Education” is an important part of implementation.  “Education” can range from the publication of rules and “recommended practices on an association’s website, to rigorous certification processes involving extensive studying and testing.
 Private rule-making is radical departure because regulation is public in character  Private & public resources are often inadequate  Annual reports on audit/improvements are good  Problems must not become too severe before action taken -- failures need to be corrected.  Transparency important, but a smooth resolution of internal conflicts between public regulation and private self-regulation.
Address security vulnerabilities by gathering information and following up Rules, Decisions, Implementation, Evaluation Improve coordination amongst government,WebTrust, ETSI, and other key stakeholders Public-private coordination with industry Follow up with progress reports

Recommended

Nick Malyshev, Session 1
Nick Malyshev, Session 1Nick Malyshev, Session 1
Nick Malyshev, Session 1OECD Governance
 
David Winickoff, Session 1
David Winickoff, Session 1David Winickoff, Session 1
David Winickoff, Session 1OECD Governance
 
Packaging Trust Service Design
Packaging Trust Service DesignPackaging Trust Service Design
Packaging Trust Service DesignJan Chipchase
 
Role of a Qualified Trust Service Provider in Europe
Role of a Qualified Trust Service Provider in EuropeRole of a Qualified Trust Service Provider in Europe
Role of a Qualified Trust Service Provider in EuropeNamirial GmbH
 
Wealth Management Process
Wealth Management ProcessWealth Management Process
Wealth Management Processgabe001hcun
 
Citi Corporate Trust Services for Multilaterals in Latin America
Citi Corporate Trust Services for Multilaterals in Latin AmericaCiti Corporate Trust Services for Multilaterals in Latin America
Citi Corporate Trust Services for Multilaterals in Latin AmericaOmar Del Valle Colosio
 
Cyber Critical Infrastructure Framework Panel
Cyber Critical Infrastructure Framework PanelCyber Critical Infrastructure Framework Panel
Cyber Critical Infrastructure Framework PanelPaul Di Gangi
 
S nandakumar
S nandakumarS nandakumar
S nandakumarIPPAI
 

Recommended

Nick Malyshev, Session 1
Nick Malyshev, Session 1Nick Malyshev, Session 1
Nick Malyshev, Session 1OECD Governance
 
David Winickoff, Session 1
David Winickoff, Session 1David Winickoff, Session 1
David Winickoff, Session 1OECD Governance
 
Packaging Trust Service Design
Packaging Trust Service DesignPackaging Trust Service Design
Packaging Trust Service DesignJan Chipchase
 
Role of a Qualified Trust Service Provider in Europe
Role of a Qualified Trust Service Provider in EuropeRole of a Qualified Trust Service Provider in Europe
Role of a Qualified Trust Service Provider in EuropeNamirial GmbH
 
Wealth Management Process
Wealth Management ProcessWealth Management Process
Wealth Management Processgabe001hcun
 
Citi Corporate Trust Services for Multilaterals in Latin America
Citi Corporate Trust Services for Multilaterals in Latin AmericaCiti Corporate Trust Services for Multilaterals in Latin America
Citi Corporate Trust Services for Multilaterals in Latin AmericaOmar Del Valle Colosio
 
Cyber Critical Infrastructure Framework Panel
Cyber Critical Infrastructure Framework PanelCyber Critical Infrastructure Framework Panel
Cyber Critical Infrastructure Framework PanelPaul Di Gangi
 
S nandakumar
S nandakumarS nandakumar
S nandakumarIPPAI
 
S nandakumar_banglore
S nandakumar_bangloreS nandakumar_banglore
S nandakumar_bangloreIPPAI
 
Compliance policies and procedures followed in data centers
Compliance policies and procedures followed in data centersCompliance policies and procedures followed in data centers
Compliance policies and procedures followed in data centersLivin Jose
 
Cyber Security IT GRC Management Model and Methodology.
Cyber Security IT GRC Management Model and Methodology.Cyber Security IT GRC Management Model and Methodology.
Cyber Security IT GRC Management Model and Methodology.360factors
 
Automatski - The Internet of Things - Security Standards
Automatski - The Internet of Things - Security StandardsAutomatski - The Internet of Things - Security Standards
Automatski - The Internet of Things - Security Standardsautomatskicorporation
 
Rolly cloud policymakingprocess
Rolly cloud policymakingprocessRolly cloud policymakingprocess
Rolly cloud policymakingprocessrolly purnomo
 
Major global information security trends - a summary
Major global information security trends - a summaryMajor global information security trends - a summary
Major global information security trends - a summarySensePost
 
5 Standards And Recommendations For Information Security On Internet
5 Standards And Recommendations For Information Security On Internet5 Standards And Recommendations For Information Security On Internet
5 Standards And Recommendations For Information Security On InternetAna Meskovska
 
Data Standardization: Implications for Competition Enforcement (Daniel L. Rub...
Data Standardization: Implications for Competition Enforcement (Daniel L. Rub...Data Standardization: Implications for Competition Enforcement (Daniel L. Rub...
Data Standardization: Implications for Competition Enforcement (Daniel L. Rub...FSR Communications and Media
 
Security architecture rajagiri talk march 2011
Security architecture rajagiri talk march 2011Security architecture rajagiri talk march 2011
Security architecture rajagiri talk march 2011subramanian K
 
12 Best Privacy Frameworks
12 Best Privacy Frameworks12 Best Privacy Frameworks
12 Best Privacy FrameworksAndrey Prozorov, CISM, CIPP/E, CDPSE. LA 27001
 
Chris Vanderweylan
Chris VanderweylanChris Vanderweylan
Chris Vanderweylanozewai
 
Srikanth Mangalam, Session 5
Srikanth Mangalam, Session 5Srikanth Mangalam, Session 5
Srikanth Mangalam, Session 5OECD Governance
 
CLEA, Maharg and Webb
CLEA, Maharg and WebbCLEA, Maharg and Webb
CLEA, Maharg and WebbYork University - Osgoode Hall Law School
 
Complying with Cybersecurity Regulations for IBM i Servers and Data
Complying with Cybersecurity Regulations for IBM i Servers and DataComplying with Cybersecurity Regulations for IBM i Servers and Data
Complying with Cybersecurity Regulations for IBM i Servers and DataPrecisely
 
Wimax and Sustainability strategies
Wimax and Sustainability strategiesWimax and Sustainability strategies
Wimax and Sustainability strategiesMario B.
 
Smart Policies: Uso de las TIC para mejorar la estructuración de políticas p...
Smart Policies: Uso de las TIC para mejorar la estructuración de políticas p... Smart Policies: Uso de las TIC para mejorar la estructuración de políticas p...
Smart Policies: Uso de las TIC para mejorar la estructuración de políticas p...Comisión de Regulación de Comunicaciones
 
2009 iapp-the corpprivacydeptmar13-2009
2009 iapp-the corpprivacydeptmar13-20092009 iapp-the corpprivacydeptmar13-2009
2009 iapp-the corpprivacydeptmar13-2009asundaram1
 
Social Media For Utilities: Law and Practices
Social Media For Utilities: Law and PracticesSocial Media For Utilities: Law and Practices
Social Media For Utilities: Law and PracticesCarolyn Elefant
 
Governance Workgroup 9-3-10
Governance Workgroup 9-3-10Governance Workgroup 9-3-10
Governance Workgroup 9-3-10Brian Ahier
 
TechniClick - GWEA & EA Governance
TechniClick - GWEA & EA GovernanceTechniClick - GWEA & EA Governance
TechniClick - GWEA & EA Governanceguestea68b0
 
100 Percent Encrypted Web New Challenges For TLS RSA Conference 2017
100 Percent Encrypted Web New Challenges For TLS RSA Conference 2017100 Percent Encrypted Web New Challenges For TLS RSA Conference 2017
100 Percent Encrypted Web New Challenges For TLS RSA Conference 2017CASCouncil
 
Six Reasons http Will Become a Thing of the Past
Six Reasons http Will Become a Thing of the PastSix Reasons http Will Become a Thing of the Past
Six Reasons http Will Become a Thing of the PastCASCouncil
 

More Related Content

Similar to Trust Service Providers: Self-Regulatory Processes

S nandakumar_banglore
S nandakumar_bangloreS nandakumar_banglore
S nandakumar_bangloreIPPAI
 
Compliance policies and procedures followed in data centers
Compliance policies and procedures followed in data centersCompliance policies and procedures followed in data centers
Compliance policies and procedures followed in data centersLivin Jose
 
Cyber Security IT GRC Management Model and Methodology.
Cyber Security IT GRC Management Model and Methodology.Cyber Security IT GRC Management Model and Methodology.
Cyber Security IT GRC Management Model and Methodology.360factors
 
Automatski - The Internet of Things - Security Standards
Automatski - The Internet of Things - Security StandardsAutomatski - The Internet of Things - Security Standards
Automatski - The Internet of Things - Security Standardsautomatskicorporation
 
Rolly cloud policymakingprocess
Rolly cloud policymakingprocessRolly cloud policymakingprocess
Rolly cloud policymakingprocessrolly purnomo
 
Major global information security trends - a summary
Major global information security trends - a summaryMajor global information security trends - a summary
Major global information security trends - a summarySensePost
 
5 Standards And Recommendations For Information Security On Internet
5 Standards And Recommendations For Information Security On Internet5 Standards And Recommendations For Information Security On Internet
5 Standards And Recommendations For Information Security On InternetAna Meskovska
 
Data Standardization: Implications for Competition Enforcement (Daniel L. Rub...
Data Standardization: Implications for Competition Enforcement (Daniel L. Rub...Data Standardization: Implications for Competition Enforcement (Daniel L. Rub...
Data Standardization: Implications for Competition Enforcement (Daniel L. Rub...FSR Communications and Media
 
Security architecture rajagiri talk march 2011
Security architecture rajagiri talk march 2011Security architecture rajagiri talk march 2011
Security architecture rajagiri talk march 2011subramanian K
 
Chris Vanderweylan
Chris VanderweylanChris Vanderweylan
Chris Vanderweylanozewai
 
Srikanth Mangalam, Session 5
Srikanth Mangalam, Session 5Srikanth Mangalam, Session 5
Srikanth Mangalam, Session 5OECD Governance
 
Complying with Cybersecurity Regulations for IBM i Servers and Data
Complying with Cybersecurity Regulations for IBM i Servers and DataComplying with Cybersecurity Regulations for IBM i Servers and Data
Complying with Cybersecurity Regulations for IBM i Servers and DataPrecisely
 
Wimax and Sustainability strategies
Wimax and Sustainability strategiesWimax and Sustainability strategies
Wimax and Sustainability strategiesMario B.
 
Smart Policies: Uso de las TIC para mejorar la estructuración de políticas p...
Smart Policies: Uso de las TIC para mejorar la estructuración de políticas p... Smart Policies: Uso de las TIC para mejorar la estructuración de políticas p...
Smart Policies: Uso de las TIC para mejorar la estructuración de políticas p...Comisión de Regulación de Comunicaciones
 
2009 iapp-the corpprivacydeptmar13-2009
2009 iapp-the corpprivacydeptmar13-20092009 iapp-the corpprivacydeptmar13-2009
2009 iapp-the corpprivacydeptmar13-2009asundaram1
 
Social Media For Utilities: Law and Practices
Social Media For Utilities: Law and PracticesSocial Media For Utilities: Law and Practices
Social Media For Utilities: Law and PracticesCarolyn Elefant
 
Governance Workgroup 9-3-10
Governance Workgroup 9-3-10Governance Workgroup 9-3-10
Governance Workgroup 9-3-10Brian Ahier
 
TechniClick - GWEA & EA Governance
TechniClick - GWEA & EA GovernanceTechniClick - GWEA & EA Governance
TechniClick - GWEA & EA Governanceguestea68b0
 

Similar to Trust Service Providers: Self-Regulatory Processes (20)

S nandakumar_banglore
S nandakumar_bangloreS nandakumar_banglore
S nandakumar_banglore
 
Compliance policies and procedures followed in data centers
Compliance policies and procedures followed in data centersCompliance policies and procedures followed in data centers
Compliance policies and procedures followed in data centers
 
Cyber Security IT GRC Management Model and Methodology.
Cyber Security IT GRC Management Model and Methodology.Cyber Security IT GRC Management Model and Methodology.
Cyber Security IT GRC Management Model and Methodology.
 
Automatski - The Internet of Things - Security Standards
Automatski - The Internet of Things - Security StandardsAutomatski - The Internet of Things - Security Standards
Automatski - The Internet of Things - Security Standards
 
Rolly cloud policymakingprocess
Rolly cloud policymakingprocessRolly cloud policymakingprocess
Rolly cloud policymakingprocess
 
Major global information security trends - a summary
Major global information security trends - a summaryMajor global information security trends - a summary
Major global information security trends - a summary
 
5 Standards And Recommendations For Information Security On Internet
5 Standards And Recommendations For Information Security On Internet5 Standards And Recommendations For Information Security On Internet
5 Standards And Recommendations For Information Security On Internet
 
Data Standardization: Implications for Competition Enforcement (Daniel L. Rub...
Data Standardization: Implications for Competition Enforcement (Daniel L. Rub...Data Standardization: Implications for Competition Enforcement (Daniel L. Rub...
Data Standardization: Implications for Competition Enforcement (Daniel L. Rub...
 
Security architecture rajagiri talk march 2011
Security architecture rajagiri talk march 2011Security architecture rajagiri talk march 2011
Security architecture rajagiri talk march 2011
 
12 Best Privacy Frameworks
12 Best Privacy Frameworks12 Best Privacy Frameworks
12 Best Privacy Frameworks
 
Chris Vanderweylan
Chris VanderweylanChris Vanderweylan
Chris Vanderweylan
 
Srikanth Mangalam, Session 5
Srikanth Mangalam, Session 5Srikanth Mangalam, Session 5
Srikanth Mangalam, Session 5
 
CLEA, Maharg and Webb
CLEA, Maharg and WebbCLEA, Maharg and Webb
CLEA, Maharg and Webb
 
Complying with Cybersecurity Regulations for IBM i Servers and Data
Complying with Cybersecurity Regulations for IBM i Servers and DataComplying with Cybersecurity Regulations for IBM i Servers and Data
Complying with Cybersecurity Regulations for IBM i Servers and Data
 
Wimax and Sustainability strategies
Wimax and Sustainability strategiesWimax and Sustainability strategies
Wimax and Sustainability strategies
 
Smart Policies: Uso de las TIC para mejorar la estructuración de políticas p...
Smart Policies: Uso de las TIC para mejorar la estructuración de políticas p... Smart Policies: Uso de las TIC para mejorar la estructuración de políticas p...
Smart Policies: Uso de las TIC para mejorar la estructuración de políticas p...
 
2009 iapp-the corpprivacydeptmar13-2009
2009 iapp-the corpprivacydeptmar13-20092009 iapp-the corpprivacydeptmar13-2009
2009 iapp-the corpprivacydeptmar13-2009
 
Social Media For Utilities: Law and Practices
Social Media For Utilities: Law and PracticesSocial Media For Utilities: Law and Practices
Social Media For Utilities: Law and Practices
 
Governance Workgroup 9-3-10
Governance Workgroup 9-3-10Governance Workgroup 9-3-10
Governance Workgroup 9-3-10
 
TechniClick - GWEA & EA Governance
TechniClick - GWEA & EA GovernanceTechniClick - GWEA & EA Governance
TechniClick - GWEA & EA Governance
 

More from CASCouncil

100 Percent Encrypted Web New Challenges For TLS RSA Conference 2017
100 Percent Encrypted Web New Challenges For TLS RSA Conference 2017100 Percent Encrypted Web New Challenges For TLS RSA Conference 2017
100 Percent Encrypted Web New Challenges For TLS RSA Conference 2017CASCouncil
 
Six Reasons http Will Become a Thing of the Past
Six Reasons http Will Become a Thing of the PastSix Reasons http Will Become a Thing of the Past
Six Reasons http Will Become a Thing of the PastCASCouncil
 
What Kind of SSL/TLS Certificate Do I Need?
What Kind of SSL/TLS Certificate Do I Need?What Kind of SSL/TLS Certificate Do I Need?
What Kind of SSL/TLS Certificate Do I Need?CASCouncil
 
Payments Security – Vital Information all Payment Processors need to know
Payments Security – Vital Information all Payment Processors need to knowPayments Security – Vital Information all Payment Processors need to know
Payments Security – Vital Information all Payment Processors need to knowCASCouncil
 
TLS Certificates on the Web – The Good, The Bad and The Ugly
TLS Certificates on the Web – The Good, The Bad and The Ugly TLS Certificates on the Web – The Good, The Bad and The Ugly
TLS Certificates on the Web – The Good, The Bad and The Ugly CASCouncil
 
2016 IRS Free e-File Audit & Honor Roll
2016 IRS Free e-File Audit & Honor Roll2016 IRS Free e-File Audit & Honor Roll
2016 IRS Free e-File Audit & Honor RollCASCouncil
 
Symantec’s View of the Current State of ECDSA on the Web
Symantec’s View of the Current State of ECDSA on the WebSymantec’s View of the Current State of ECDSA on the Web
Symantec’s View of the Current State of ECDSA on the WebCASCouncil
 
CA/Browser Forum—To effect positive changes to improve internet security
CA/Browser Forum—To effect positive changes to improve internet security CA/Browser Forum—To effect positive changes to improve internet security
CA/Browser Forum—To effect positive changes to improve internet security CASCouncil
 
Update on the Work of the CA / Browser Forum
Update on the Work of the CA / Browser ForumUpdate on the Work of the CA / Browser Forum
Update on the Work of the CA / Browser ForumCASCouncil
 
Extended Validation Builds Trust
Extended Validation Builds TrustExtended Validation Builds Trust
Extended Validation Builds TrustCASCouncil
 
Heartbleed Bug Vulnerability: Discovery, Impact and Solution
Heartbleed Bug Vulnerability: Discovery, Impact and SolutionHeartbleed Bug Vulnerability: Discovery, Impact and Solution
Heartbleed Bug Vulnerability: Discovery, Impact and SolutionCASCouncil
 
New Ideas on CAA, CT and Public Key Pinning for a Safer Internet
New Ideas on CAA, CT and Public Key Pinning for a Safer InternetNew Ideas on CAA, CT and Public Key Pinning for a Safer Internet
New Ideas on CAA, CT and Public Key Pinning for a Safer InternetCASCouncil
 
Alternatives and Enhancements to CAs for a Secure Web
Alternatives and Enhancements to CAs for a Secure WebAlternatives and Enhancements to CAs for a Secure Web
Alternatives and Enhancements to CAs for a Secure WebCASCouncil
 
Addressing non-FQDNs and new gTLDs in SSL Baseline Requirements
Addressing non-FQDNs and new gTLDs in SSL Baseline Requirements Addressing non-FQDNs and new gTLDs in SSL Baseline Requirements
Addressing non-FQDNs and new gTLDs in SSL Baseline Requirements CASCouncil
 
State of the Web
State of the WebState of the Web
State of the WebCASCouncil
 
Certificates, Revocation and the new gTLD's Oh My!
Certificates, Revocation and the new gTLD's Oh My!Certificates, Revocation and the new gTLD's Oh My!
Certificates, Revocation and the new gTLD's Oh My!CASCouncil
 
CAs And The New Paradigm Shift
CAs And The New Paradigm ShiftCAs And The New Paradigm Shift
CAs And The New Paradigm ShiftCASCouncil
 
CA Self Regulation
CA Self RegulationCA Self Regulation
CA Self RegulationCASCouncil
 
New Window of Opportunity
New Window of OpportunityNew Window of Opportunity
New Window of OpportunityCASCouncil
 

More from CASCouncil (20)

100 Percent Encrypted Web New Challenges For TLS RSA Conference 2017
100 Percent Encrypted Web New Challenges For TLS RSA Conference 2017100 Percent Encrypted Web New Challenges For TLS RSA Conference 2017
100 Percent Encrypted Web New Challenges For TLS RSA Conference 2017
 
Six Reasons http Will Become a Thing of the Past
Six Reasons http Will Become a Thing of the PastSix Reasons http Will Become a Thing of the Past
Six Reasons http Will Become a Thing of the Past
 
What Kind of SSL/TLS Certificate Do I Need?
What Kind of SSL/TLS Certificate Do I Need?What Kind of SSL/TLS Certificate Do I Need?
What Kind of SSL/TLS Certificate Do I Need?
 
Payments Security – Vital Information all Payment Processors need to know
Payments Security – Vital Information all Payment Processors need to knowPayments Security – Vital Information all Payment Processors need to know
Payments Security – Vital Information all Payment Processors need to know
 
TLS Certificates on the Web – The Good, The Bad and The Ugly
TLS Certificates on the Web – The Good, The Bad and The Ugly TLS Certificates on the Web – The Good, The Bad and The Ugly
TLS Certificates on the Web – The Good, The Bad and The Ugly
 
2016 IRS Free e-File Audit & Honor Roll
2016 IRS Free e-File Audit & Honor Roll2016 IRS Free e-File Audit & Honor Roll
2016 IRS Free e-File Audit & Honor Roll
 
Symantec’s View of the Current State of ECDSA on the Web
Symantec’s View of the Current State of ECDSA on the WebSymantec’s View of the Current State of ECDSA on the Web
Symantec’s View of the Current State of ECDSA on the Web
 
CA/Browser Forum—To effect positive changes to improve internet security
CA/Browser Forum—To effect positive changes to improve internet security CA/Browser Forum—To effect positive changes to improve internet security
CA/Browser Forum—To effect positive changes to improve internet security
 
Update on the Work of the CA / Browser Forum
Update on the Work of the CA / Browser ForumUpdate on the Work of the CA / Browser Forum
Update on the Work of the CA / Browser Forum
 
Extended Validation Builds Trust
Extended Validation Builds TrustExtended Validation Builds Trust
Extended Validation Builds Trust
 
CA Day 2014
CA Day 2014 CA Day 2014
CA Day 2014
 
Heartbleed Bug Vulnerability: Discovery, Impact and Solution
Heartbleed Bug Vulnerability: Discovery, Impact and SolutionHeartbleed Bug Vulnerability: Discovery, Impact and Solution
Heartbleed Bug Vulnerability: Discovery, Impact and Solution
 
New Ideas on CAA, CT and Public Key Pinning for a Safer Internet
New Ideas on CAA, CT and Public Key Pinning for a Safer InternetNew Ideas on CAA, CT and Public Key Pinning for a Safer Internet
New Ideas on CAA, CT and Public Key Pinning for a Safer Internet
 
Alternatives and Enhancements to CAs for a Secure Web
Alternatives and Enhancements to CAs for a Secure WebAlternatives and Enhancements to CAs for a Secure Web
Alternatives and Enhancements to CAs for a Secure Web
 
Addressing non-FQDNs and new gTLDs in SSL Baseline Requirements
Addressing non-FQDNs and new gTLDs in SSL Baseline Requirements Addressing non-FQDNs and new gTLDs in SSL Baseline Requirements
Addressing non-FQDNs and new gTLDs in SSL Baseline Requirements
 
State of the Web
State of the WebState of the Web
State of the Web
 
Certificates, Revocation and the new gTLD's Oh My!
Certificates, Revocation and the new gTLD's Oh My!Certificates, Revocation and the new gTLD's Oh My!
Certificates, Revocation and the new gTLD's Oh My!
 
CAs And The New Paradigm Shift
CAs And The New Paradigm ShiftCAs And The New Paradigm Shift
CAs And The New Paradigm Shift
 
CA Self Regulation
CA Self RegulationCA Self Regulation
CA Self Regulation
 
New Window of Opportunity
New Window of OpportunityNew Window of Opportunity
New Window of Opportunity
 

Recently uploaded

Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxLoriGlavin3
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embeddingZilliz
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxLoriGlavin3
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningLars Bell
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxLoriGlavin3
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxLoriGlavin3
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxhariprasad279825
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Manik S Magar
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfMounikaPolabathina
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersRaghuram Pandurangan
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsNathaniel Shimoni
 

Recently uploaded (20)

Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embedding
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine Tuning
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdf
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information Developers
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directions
 

Trust Service Providers: Self-Regulatory Processes

  • 1. Ben Wilson, JD CISSP DigiCert & CA/Browser Forum
  • 2. 1995 - 1996 –BS 7799 - EU Recommendation - Information Technology Security Evaluation Criteria (ITSEC), ABA Digital Signature Guidelines 1997-1999 – ETSI Guide - Trusted Third Parties, CP/CPS framework (ISO/TC68/SC 2 / RFC 2527), Gatekeeper CS2/CSPP for COTS Protection Profile 2000 -2003 – ANSI X9.79,WebTrust, ETSI TS 101 456, ISO 17799, ABA PKI Assessment Guidelines, ETSI TS 102 042 2005 - 2007 –CA / Browser Forum guidelines for EV SSL certificates, ISO 27001 and ISO 17799 -> ISO 27002 2011-2013 –ETSI TS 119 403 (EN 319 411-3), CABF Baseline Requirements, Security Requirements,WebTrust / ETSI, NIST Reference CP, and ENISA, ISO 27007/27008, etc.
  • 3. Self-regulation as policy process:The multiple and criss-crossing stages of private rule-making, Tony Porter, McMaster University, Hamilton, Canada and Karsten Ronit, University of Copenhagen, Policy Sciences (2006) 39: 41–72 1. Agenda-setting 2. Problem-identification (Rules Drafting) 3. Decision Making 4. Implementation 5. Evaluation
  • 4. 1. Trust Service Provider (TSP) Agenda-setting  What problems do we want to solve?  What kinds of changes are needed? 2. Problem identification (Rulemaking) Identify problems in such a way that they can be addressed by modifications of practices, based on discussion or research of the existing standards of conduct that are deemed to be relevant.
  • 5. Dependent heavily on:  Influence of government in agenda setting stage  Crafting a solution that is an incremental change to existing practice  Choosing the “best practice”  Great volumes of technical research (which sometimes can be arbitrary or political)  Feasibility – capabilities of government vs. those of the private sector
  • 6. Is the proposed course of action appropriate? Will industry follow the recommended practice? Will industry be difficult to monitor?  TSP conduct - complex knowledge, dispersed behavior (Internet crosses international boundaries)  Continuum of public-private influence - there is an inflection point where government regulation reaches balance with private sector through communication and negotiation. Government must address whether self-regulation allows negative externalities to persist unchecked.
  • 7.  Self-auditing and reporting play an important role. These mechanisms work where they have a degree of formality and sophistication.  Encourage voluntary compliance - Appeal to industry’s self-Interest in following best practices. Incentives and sanctions  “Education” is an important part of implementation.  “Education” can range from the publication of rules and “recommended practices on an association’s website, to rigorous certification processes involving extensive studying and testing.
  • 8.  Private rule-making is radical departure because regulation is public in character  Private & public resources are often inadequate  Annual reports on audit/improvements are good  Problems must not become too severe before action taken -- failures need to be corrected.  Transparency important, but a smooth resolution of internal conflicts between public regulation and private self-regulation.
  • 9. Address security vulnerabilities by gathering information and following up Rules, Decisions, Implementation, Evaluation Improve coordination amongst government,WebTrust, ETSI, and other key stakeholders Public-private coordination with industry Follow up with progress reports