SlideShare a Scribd company logo

Trust Service Providers: Self-Regulatory Processes

CASCouncil
CASCouncil

Ben Wilson, JD CISSP DigiCert & CA/Browser Forum

TechnologyBusiness
1 of 9
Download to read offline
Ben Wilson, JD CISSP DigiCert & CA/Browser Forum
1995 - 1996 –BS 7799 - EU Recommendation - Information Technology Security Evaluation Criteria (ITSEC), ABA Digital Signature Guidelines 1997-1999 – ETSI Guide - Trusted Third Parties, CP/CPS framework (ISO/TC68/SC 2 / RFC 2527), Gatekeeper CS2/CSPP for COTS Protection Profile 2000 -2003 – ANSI X9.79,WebTrust, ETSI TS 101 456, ISO 17799, ABA PKI Assessment Guidelines, ETSI TS 102 042 2005 - 2007 –CA / Browser Forum guidelines for EV SSL certificates, ISO 27001 and ISO 17799 -> ISO 27002 2011-2013 –ETSI TS 119 403 (EN 319 411-3), CABF Baseline Requirements, Security Requirements,WebTrust / ETSI, NIST Reference CP, and ENISA, ISO 27007/27008, etc.
Self-regulation as policy process:The multiple and criss-crossing stages of private rule-making, Tony Porter, McMaster University, Hamilton, Canada and Karsten Ronit, University of Copenhagen, Policy Sciences (2006) 39: 41–72 1. Agenda-setting 2. Problem-identification (Rules Drafting) 3. Decision Making 4. Implementation 5. Evaluation
1. Trust Service Provider (TSP) Agenda-setting  What problems do we want to solve?  What kinds of changes are needed? 2. Problem identification (Rulemaking) Identify problems in such a way that they can be addressed by modifications of practices, based on discussion or research of the existing standards of conduct that are deemed to be relevant.
Dependent heavily on:  Influence of government in agenda setting stage  Crafting a solution that is an incremental change to existing practice  Choosing the “best practice”  Great volumes of technical research (which sometimes can be arbitrary or political)  Feasibility – capabilities of government vs. those of the private sector
Is the proposed course of action appropriate? Will industry follow the recommended practice? Will industry be difficult to monitor?  TSP conduct - complex knowledge, dispersed behavior (Internet crosses international boundaries)  Continuum of public-private influence - there is an inflection point where government regulation reaches balance with private sector through communication and negotiation. Government must address whether self-regulation allows negative externalities to persist unchecked.
 Self-auditing and reporting play an important role. These mechanisms work where they have a degree of formality and sophistication.  Encourage voluntary compliance - Appeal to industry’s self-Interest in following best practices. Incentives and sanctions  “Education” is an important part of implementation.  “Education” can range from the publication of rules and “recommended practices on an association’s website, to rigorous certification processes involving extensive studying and testing.
 Private rule-making is radical departure because regulation is public in character  Private & public resources are often inadequate  Annual reports on audit/improvements are good  Problems must not become too severe before action taken -- failures need to be corrected.  Transparency important, but a smooth resolution of internal conflicts between public regulation and private self-regulation.
Address security vulnerabilities by gathering information and following up Rules, Decisions, Implementation, Evaluation Improve coordination amongst government,WebTrust, ETSI, and other key stakeholders Public-private coordination with industry Follow up with progress reports

Recommended

Nick Malyshev, Session 1
Nick Malyshev, Session 1Nick Malyshev, Session 1
Nick Malyshev, Session 1OECD Governance
 
David Winickoff, Session 1
David Winickoff, Session 1David Winickoff, Session 1
David Winickoff, Session 1OECD Governance
 
Packaging Trust Service Design
Packaging Trust Service DesignPackaging Trust Service Design
Packaging Trust Service DesignJan Chipchase
 
Role of a Qualified Trust Service Provider in Europe
Role of a Qualified Trust Service Provider in EuropeRole of a Qualified Trust Service Provider in Europe
Role of a Qualified Trust Service Provider in EuropeNamirial GmbH
 
Wealth Management Process
Wealth Management ProcessWealth Management Process
Wealth Management Processgabe001hcun
 
Citi Corporate Trust Services for Multilaterals in Latin America
Citi Corporate Trust Services for Multilaterals in Latin AmericaCiti Corporate Trust Services for Multilaterals in Latin America
Citi Corporate Trust Services for Multilaterals in Latin AmericaOmar Del Valle Colosio
 
Cyber Critical Infrastructure Framework Panel
Cyber Critical Infrastructure Framework PanelCyber Critical Infrastructure Framework Panel
Cyber Critical Infrastructure Framework PanelPaul Di Gangi
 
S nandakumar
S nandakumarS nandakumar
S nandakumarIPPAI
 

Recommended

Nick Malyshev, Session 1
Nick Malyshev, Session 1Nick Malyshev, Session 1
Nick Malyshev, Session 1OECD Governance
 
David Winickoff, Session 1
David Winickoff, Session 1David Winickoff, Session 1
David Winickoff, Session 1OECD Governance
 
Packaging Trust Service Design
Packaging Trust Service DesignPackaging Trust Service Design
Packaging Trust Service DesignJan Chipchase
 
Role of a Qualified Trust Service Provider in Europe
Role of a Qualified Trust Service Provider in EuropeRole of a Qualified Trust Service Provider in Europe
Role of a Qualified Trust Service Provider in EuropeNamirial GmbH
 
Wealth Management Process
Wealth Management ProcessWealth Management Process
Wealth Management Processgabe001hcun
 
Citi Corporate Trust Services for Multilaterals in Latin America
Citi Corporate Trust Services for Multilaterals in Latin AmericaCiti Corporate Trust Services for Multilaterals in Latin America
Citi Corporate Trust Services for Multilaterals in Latin AmericaOmar Del Valle Colosio
 
Cyber Critical Infrastructure Framework Panel
Cyber Critical Infrastructure Framework PanelCyber Critical Infrastructure Framework Panel
Cyber Critical Infrastructure Framework PanelPaul Di Gangi
 
S nandakumar
S nandakumarS nandakumar
S nandakumarIPPAI
 
S nandakumar_banglore
S nandakumar_bangloreS nandakumar_banglore
S nandakumar_bangloreIPPAI
 
Compliance policies and procedures followed in data centers
Compliance policies and procedures followed in data centersCompliance policies and procedures followed in data centers
Compliance policies and procedures followed in data centersLivin Jose
 
Cyber Security IT GRC Management Model and Methodology.
Cyber Security IT GRC Management Model and Methodology.Cyber Security IT GRC Management Model and Methodology.
Cyber Security IT GRC Management Model and Methodology.360factors
 
Automatski - The Internet of Things - Security Standards
Automatski - The Internet of Things - Security StandardsAutomatski - The Internet of Things - Security Standards
Automatski - The Internet of Things - Security Standardsautomatskicorporation
 
Rolly cloud policymakingprocess
Rolly cloud policymakingprocessRolly cloud policymakingprocess
Rolly cloud policymakingprocessrolly purnomo
 
Major global information security trends - a summary
Major global information security trends - a summaryMajor global information security trends - a summary
Major global information security trends - a summarySensePost
 
5 Standards And Recommendations For Information Security On Internet
5 Standards And Recommendations For Information Security On Internet5 Standards And Recommendations For Information Security On Internet
5 Standards And Recommendations For Information Security On InternetAna Meskovska
 
Data Standardization: Implications for Competition Enforcement (Daniel L. Rub...
Data Standardization: Implications for Competition Enforcement (Daniel L. Rub...Data Standardization: Implications for Competition Enforcement (Daniel L. Rub...
Data Standardization: Implications for Competition Enforcement (Daniel L. Rub...FSR Communications and Media
 
Security architecture rajagiri talk march 2011
Security architecture rajagiri talk march 2011Security architecture rajagiri talk march 2011
Security architecture rajagiri talk march 2011subramanian K
 
12 Best Privacy Frameworks
12 Best Privacy Frameworks12 Best Privacy Frameworks
12 Best Privacy FrameworksAndrey Prozorov, CISM, CIPP/E, CDPSE. LA 27001
 
Chris Vanderweylan
Chris VanderweylanChris Vanderweylan
Chris Vanderweylanozewai
 
Srikanth Mangalam, Session 5
Srikanth Mangalam, Session 5Srikanth Mangalam, Session 5
Srikanth Mangalam, Session 5OECD Governance
 
CLEA, Maharg and Webb
CLEA, Maharg and WebbCLEA, Maharg and Webb
CLEA, Maharg and WebbYork University - Osgoode Hall Law School
 
Complying with Cybersecurity Regulations for IBM i Servers and Data
Complying with Cybersecurity Regulations for IBM i Servers and DataComplying with Cybersecurity Regulations for IBM i Servers and Data
Complying with Cybersecurity Regulations for IBM i Servers and DataPrecisely
 
Wimax and Sustainability strategies
Wimax and Sustainability strategiesWimax and Sustainability strategies
Wimax and Sustainability strategiesMario B.
 
Smart Policies: Uso de las TIC para mejorar la estructuración de políticas p...
Smart Policies: Uso de las TIC para mejorar la estructuración de políticas p... Smart Policies: Uso de las TIC para mejorar la estructuración de políticas p...
Smart Policies: Uso de las TIC para mejorar la estructuración de políticas p...Comisión de Regulación de Comunicaciones
 
2009 iapp-the corpprivacydeptmar13-2009
2009 iapp-the corpprivacydeptmar13-20092009 iapp-the corpprivacydeptmar13-2009
2009 iapp-the corpprivacydeptmar13-2009asundaram1
 
Social Media For Utilities: Law and Practices
Social Media For Utilities: Law and PracticesSocial Media For Utilities: Law and Practices
Social Media For Utilities: Law and PracticesCarolyn Elefant
 
Governance Workgroup 9-3-10
Governance Workgroup 9-3-10Governance Workgroup 9-3-10
Governance Workgroup 9-3-10Brian Ahier
 
TechniClick - GWEA & EA Governance
TechniClick - GWEA & EA GovernanceTechniClick - GWEA & EA Governance
TechniClick - GWEA & EA Governanceguestea68b0
 
100 Percent Encrypted Web New Challenges For TLS RSA Conference 2017
100 Percent Encrypted Web New Challenges For TLS RSA Conference 2017100 Percent Encrypted Web New Challenges For TLS RSA Conference 2017
100 Percent Encrypted Web New Challenges For TLS RSA Conference 2017CASCouncil
 
Six Reasons http Will Become a Thing of the Past
Six Reasons http Will Become a Thing of the PastSix Reasons http Will Become a Thing of the Past
Six Reasons http Will Become a Thing of the PastCASCouncil
 

More Related Content

Similar to Trust Service Providers: Self-Regulatory Processes

S nandakumar_banglore
S nandakumar_bangloreS nandakumar_banglore
S nandakumar_bangloreIPPAI
 
Compliance policies and procedures followed in data centers
Compliance policies and procedures followed in data centersCompliance policies and procedures followed in data centers
Compliance policies and procedures followed in data centersLivin Jose
 
Cyber Security IT GRC Management Model and Methodology.
Cyber Security IT GRC Management Model and Methodology.Cyber Security IT GRC Management Model and Methodology.
Cyber Security IT GRC Management Model and Methodology.360factors
 
Automatski - The Internet of Things - Security Standards
Automatski - The Internet of Things - Security StandardsAutomatski - The Internet of Things - Security Standards
Automatski - The Internet of Things - Security Standardsautomatskicorporation
 
Rolly cloud policymakingprocess
Rolly cloud policymakingprocessRolly cloud policymakingprocess
Rolly cloud policymakingprocessrolly purnomo
 
Major global information security trends - a summary
Major global information security trends - a summaryMajor global information security trends - a summary
Major global information security trends - a summarySensePost
 
5 Standards And Recommendations For Information Security On Internet
5 Standards And Recommendations For Information Security On Internet5 Standards And Recommendations For Information Security On Internet
5 Standards And Recommendations For Information Security On InternetAna Meskovska
 
Data Standardization: Implications for Competition Enforcement (Daniel L. Rub...
Data Standardization: Implications for Competition Enforcement (Daniel L. Rub...Data Standardization: Implications for Competition Enforcement (Daniel L. Rub...
Data Standardization: Implications for Competition Enforcement (Daniel L. Rub...FSR Communications and Media
 
Security architecture rajagiri talk march 2011
Security architecture rajagiri talk march 2011Security architecture rajagiri talk march 2011
Security architecture rajagiri talk march 2011subramanian K
 
Chris Vanderweylan
Chris VanderweylanChris Vanderweylan
Chris Vanderweylanozewai
 
Srikanth Mangalam, Session 5
Srikanth Mangalam, Session 5Srikanth Mangalam, Session 5
Srikanth Mangalam, Session 5OECD Governance
 
Complying with Cybersecurity Regulations for IBM i Servers and Data
Complying with Cybersecurity Regulations for IBM i Servers and DataComplying with Cybersecurity Regulations for IBM i Servers and Data
Complying with Cybersecurity Regulations for IBM i Servers and DataPrecisely
 
Wimax and Sustainability strategies
Wimax and Sustainability strategiesWimax and Sustainability strategies
Wimax and Sustainability strategiesMario B.
 
Smart Policies: Uso de las TIC para mejorar la estructuración de políticas p...
Smart Policies: Uso de las TIC para mejorar la estructuración de políticas p... Smart Policies: Uso de las TIC para mejorar la estructuración de políticas p...
Smart Policies: Uso de las TIC para mejorar la estructuración de políticas p...Comisión de Regulación de Comunicaciones
 
2009 iapp-the corpprivacydeptmar13-2009
2009 iapp-the corpprivacydeptmar13-20092009 iapp-the corpprivacydeptmar13-2009
2009 iapp-the corpprivacydeptmar13-2009asundaram1
 
Social Media For Utilities: Law and Practices
Social Media For Utilities: Law and PracticesSocial Media For Utilities: Law and Practices
Social Media For Utilities: Law and PracticesCarolyn Elefant
 
Governance Workgroup 9-3-10
Governance Workgroup 9-3-10Governance Workgroup 9-3-10
Governance Workgroup 9-3-10Brian Ahier
 
TechniClick - GWEA & EA Governance
TechniClick - GWEA & EA GovernanceTechniClick - GWEA & EA Governance
TechniClick - GWEA & EA Governanceguestea68b0
 

Similar to Trust Service Providers: Self-Regulatory Processes (20)

S nandakumar_banglore
S nandakumar_bangloreS nandakumar_banglore
S nandakumar_banglore
 
Compliance policies and procedures followed in data centers
Compliance policies and procedures followed in data centersCompliance policies and procedures followed in data centers
Compliance policies and procedures followed in data centers
 
Cyber Security IT GRC Management Model and Methodology.
Cyber Security IT GRC Management Model and Methodology.Cyber Security IT GRC Management Model and Methodology.
Cyber Security IT GRC Management Model and Methodology.
 
Automatski - The Internet of Things - Security Standards
Automatski - The Internet of Things - Security StandardsAutomatski - The Internet of Things - Security Standards
Automatski - The Internet of Things - Security Standards
 
Rolly cloud policymakingprocess
Rolly cloud policymakingprocessRolly cloud policymakingprocess
Rolly cloud policymakingprocess
 
Major global information security trends - a summary
Major global information security trends - a summaryMajor global information security trends - a summary
Major global information security trends - a summary
 
5 Standards And Recommendations For Information Security On Internet
5 Standards And Recommendations For Information Security On Internet5 Standards And Recommendations For Information Security On Internet
5 Standards And Recommendations For Information Security On Internet
 
Data Standardization: Implications for Competition Enforcement (Daniel L. Rub...
Data Standardization: Implications for Competition Enforcement (Daniel L. Rub...Data Standardization: Implications for Competition Enforcement (Daniel L. Rub...
Data Standardization: Implications for Competition Enforcement (Daniel L. Rub...
 
Security architecture rajagiri talk march 2011
Security architecture rajagiri talk march 2011Security architecture rajagiri talk march 2011
Security architecture rajagiri talk march 2011
 
12 Best Privacy Frameworks
12 Best Privacy Frameworks12 Best Privacy Frameworks
12 Best Privacy Frameworks
 
Chris Vanderweylan
Chris VanderweylanChris Vanderweylan
Chris Vanderweylan
 
Srikanth Mangalam, Session 5
Srikanth Mangalam, Session 5Srikanth Mangalam, Session 5
Srikanth Mangalam, Session 5
 
CLEA, Maharg and Webb
CLEA, Maharg and WebbCLEA, Maharg and Webb
CLEA, Maharg and Webb
 
Complying with Cybersecurity Regulations for IBM i Servers and Data
Complying with Cybersecurity Regulations for IBM i Servers and DataComplying with Cybersecurity Regulations for IBM i Servers and Data
Complying with Cybersecurity Regulations for IBM i Servers and Data
 
Wimax and Sustainability strategies
Wimax and Sustainability strategiesWimax and Sustainability strategies
Wimax and Sustainability strategies
 
Smart Policies: Uso de las TIC para mejorar la estructuración de políticas p...
Smart Policies: Uso de las TIC para mejorar la estructuración de políticas p... Smart Policies: Uso de las TIC para mejorar la estructuración de políticas p...
Smart Policies: Uso de las TIC para mejorar la estructuración de políticas p...
 
2009 iapp-the corpprivacydeptmar13-2009
2009 iapp-the corpprivacydeptmar13-20092009 iapp-the corpprivacydeptmar13-2009
2009 iapp-the corpprivacydeptmar13-2009
 
Social Media For Utilities: Law and Practices
Social Media For Utilities: Law and PracticesSocial Media For Utilities: Law and Practices
Social Media For Utilities: Law and Practices
 
Governance Workgroup 9-3-10
Governance Workgroup 9-3-10Governance Workgroup 9-3-10
Governance Workgroup 9-3-10
 
TechniClick - GWEA & EA Governance
TechniClick - GWEA & EA GovernanceTechniClick - GWEA & EA Governance
TechniClick - GWEA & EA Governance
 

More from CASCouncil

100 Percent Encrypted Web New Challenges For TLS RSA Conference 2017
100 Percent Encrypted Web New Challenges For TLS RSA Conference 2017100 Percent Encrypted Web New Challenges For TLS RSA Conference 2017
100 Percent Encrypted Web New Challenges For TLS RSA Conference 2017CASCouncil
 
Six Reasons http Will Become a Thing of the Past
Six Reasons http Will Become a Thing of the PastSix Reasons http Will Become a Thing of the Past
Six Reasons http Will Become a Thing of the PastCASCouncil
 
What Kind of SSL/TLS Certificate Do I Need?
What Kind of SSL/TLS Certificate Do I Need?What Kind of SSL/TLS Certificate Do I Need?
What Kind of SSL/TLS Certificate Do I Need?CASCouncil
 
Payments Security – Vital Information all Payment Processors need to know
Payments Security – Vital Information all Payment Processors need to knowPayments Security – Vital Information all Payment Processors need to know
Payments Security – Vital Information all Payment Processors need to knowCASCouncil
 
TLS Certificates on the Web – The Good, The Bad and The Ugly
TLS Certificates on the Web – The Good, The Bad and The Ugly TLS Certificates on the Web – The Good, The Bad and The Ugly
TLS Certificates on the Web – The Good, The Bad and The Ugly CASCouncil
 
2016 IRS Free e-File Audit & Honor Roll
2016 IRS Free e-File Audit & Honor Roll2016 IRS Free e-File Audit & Honor Roll
2016 IRS Free e-File Audit & Honor RollCASCouncil
 
Symantec’s View of the Current State of ECDSA on the Web
Symantec’s View of the Current State of ECDSA on the WebSymantec’s View of the Current State of ECDSA on the Web
Symantec’s View of the Current State of ECDSA on the WebCASCouncil
 
CA/Browser Forum—To effect positive changes to improve internet security
CA/Browser Forum—To effect positive changes to improve internet security CA/Browser Forum—To effect positive changes to improve internet security
CA/Browser Forum—To effect positive changes to improve internet security CASCouncil
 
Update on the Work of the CA / Browser Forum
Update on the Work of the CA / Browser ForumUpdate on the Work of the CA / Browser Forum
Update on the Work of the CA / Browser ForumCASCouncil
 
Extended Validation Builds Trust
Extended Validation Builds TrustExtended Validation Builds Trust
Extended Validation Builds TrustCASCouncil
 
Heartbleed Bug Vulnerability: Discovery, Impact and Solution
Heartbleed Bug Vulnerability: Discovery, Impact and SolutionHeartbleed Bug Vulnerability: Discovery, Impact and Solution
Heartbleed Bug Vulnerability: Discovery, Impact and SolutionCASCouncil
 
New Ideas on CAA, CT and Public Key Pinning for a Safer Internet
New Ideas on CAA, CT and Public Key Pinning for a Safer InternetNew Ideas on CAA, CT and Public Key Pinning for a Safer Internet
New Ideas on CAA, CT and Public Key Pinning for a Safer InternetCASCouncil
 
Alternatives and Enhancements to CAs for a Secure Web
Alternatives and Enhancements to CAs for a Secure WebAlternatives and Enhancements to CAs for a Secure Web
Alternatives and Enhancements to CAs for a Secure WebCASCouncil
 
Addressing non-FQDNs and new gTLDs in SSL Baseline Requirements
Addressing non-FQDNs and new gTLDs in SSL Baseline Requirements Addressing non-FQDNs and new gTLDs in SSL Baseline Requirements
Addressing non-FQDNs and new gTLDs in SSL Baseline Requirements CASCouncil
 
State of the Web
State of the WebState of the Web
State of the WebCASCouncil
 
Certificates, Revocation and the new gTLD's Oh My!
Certificates, Revocation and the new gTLD's Oh My!Certificates, Revocation and the new gTLD's Oh My!
Certificates, Revocation and the new gTLD's Oh My!CASCouncil
 
CAs And The New Paradigm Shift
CAs And The New Paradigm ShiftCAs And The New Paradigm Shift
CAs And The New Paradigm ShiftCASCouncil
 
CA Self Regulation
CA Self RegulationCA Self Regulation
CA Self RegulationCASCouncil
 
New Window of Opportunity
New Window of OpportunityNew Window of Opportunity
New Window of OpportunityCASCouncil
 

More from CASCouncil (20)

100 Percent Encrypted Web New Challenges For TLS RSA Conference 2017
100 Percent Encrypted Web New Challenges For TLS RSA Conference 2017100 Percent Encrypted Web New Challenges For TLS RSA Conference 2017
100 Percent Encrypted Web New Challenges For TLS RSA Conference 2017
 
Six Reasons http Will Become a Thing of the Past
Six Reasons http Will Become a Thing of the PastSix Reasons http Will Become a Thing of the Past
Six Reasons http Will Become a Thing of the Past
 
What Kind of SSL/TLS Certificate Do I Need?
What Kind of SSL/TLS Certificate Do I Need?What Kind of SSL/TLS Certificate Do I Need?
What Kind of SSL/TLS Certificate Do I Need?
 
Payments Security – Vital Information all Payment Processors need to know
Payments Security – Vital Information all Payment Processors need to knowPayments Security – Vital Information all Payment Processors need to know
Payments Security – Vital Information all Payment Processors need to know
 
TLS Certificates on the Web – The Good, The Bad and The Ugly
TLS Certificates on the Web – The Good, The Bad and The Ugly TLS Certificates on the Web – The Good, The Bad and The Ugly
TLS Certificates on the Web – The Good, The Bad and The Ugly
 
2016 IRS Free e-File Audit & Honor Roll
2016 IRS Free e-File Audit & Honor Roll2016 IRS Free e-File Audit & Honor Roll
2016 IRS Free e-File Audit & Honor Roll
 
Symantec’s View of the Current State of ECDSA on the Web
Symantec’s View of the Current State of ECDSA on the WebSymantec’s View of the Current State of ECDSA on the Web
Symantec’s View of the Current State of ECDSA on the Web
 
CA/Browser Forum—To effect positive changes to improve internet security
CA/Browser Forum—To effect positive changes to improve internet security CA/Browser Forum—To effect positive changes to improve internet security
CA/Browser Forum—To effect positive changes to improve internet security
 
Update on the Work of the CA / Browser Forum
Update on the Work of the CA / Browser ForumUpdate on the Work of the CA / Browser Forum
Update on the Work of the CA / Browser Forum
 
Extended Validation Builds Trust
Extended Validation Builds TrustExtended Validation Builds Trust
Extended Validation Builds Trust
 
CA Day 2014
CA Day 2014 CA Day 2014
CA Day 2014
 
Heartbleed Bug Vulnerability: Discovery, Impact and Solution
Heartbleed Bug Vulnerability: Discovery, Impact and SolutionHeartbleed Bug Vulnerability: Discovery, Impact and Solution
Heartbleed Bug Vulnerability: Discovery, Impact and Solution
 
New Ideas on CAA, CT and Public Key Pinning for a Safer Internet
New Ideas on CAA, CT and Public Key Pinning for a Safer InternetNew Ideas on CAA, CT and Public Key Pinning for a Safer Internet
New Ideas on CAA, CT and Public Key Pinning for a Safer Internet
 
Alternatives and Enhancements to CAs for a Secure Web
Alternatives and Enhancements to CAs for a Secure WebAlternatives and Enhancements to CAs for a Secure Web
Alternatives and Enhancements to CAs for a Secure Web
 
Addressing non-FQDNs and new gTLDs in SSL Baseline Requirements
Addressing non-FQDNs and new gTLDs in SSL Baseline Requirements Addressing non-FQDNs and new gTLDs in SSL Baseline Requirements
Addressing non-FQDNs and new gTLDs in SSL Baseline Requirements
 
State of the Web
State of the WebState of the Web
State of the Web
 
Certificates, Revocation and the new gTLD's Oh My!
Certificates, Revocation and the new gTLD's Oh My!Certificates, Revocation and the new gTLD's Oh My!
Certificates, Revocation and the new gTLD's Oh My!
 
CAs And The New Paradigm Shift
CAs And The New Paradigm ShiftCAs And The New Paradigm Shift
CAs And The New Paradigm Shift
 
CA Self Regulation
CA Self RegulationCA Self Regulation
CA Self Regulation
 
New Window of Opportunity
New Window of OpportunityNew Window of Opportunity
New Window of Opportunity
 

Recently uploaded

ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProduct Anonymous
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyKhushali Kathiriya
 
Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​Bhuvaneswari Subramani
 
WSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering DevelopersWSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering DevelopersWSO2
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024The Digital Insurer
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoffsammart93
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businesspanagenda
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsNanddeep Nachan
 
Platformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityPlatformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityWSO2
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...apidays
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Victor Rentea
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamUiPathCommunity
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Angeliki Cooney
 
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Zilliz
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWERMadyBayot
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDropbox
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherRemote DBA Services
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesrafiqahmad00786416
 

Recently uploaded (20)

ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​
 
WSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering DevelopersWSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering Developers
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectors
 
Platformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityPlatformless Horizons for Digital Adaptability
Platformless Horizons for Digital Adaptability
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
 
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
 

Trust Service Providers: Self-Regulatory Processes

  • 1. Ben Wilson, JD CISSP DigiCert & CA/Browser Forum
  • 2. 1995 - 1996 –BS 7799 - EU Recommendation - Information Technology Security Evaluation Criteria (ITSEC), ABA Digital Signature Guidelines 1997-1999 – ETSI Guide - Trusted Third Parties, CP/CPS framework (ISO/TC68/SC 2 / RFC 2527), Gatekeeper CS2/CSPP for COTS Protection Profile 2000 -2003 – ANSI X9.79,WebTrust, ETSI TS 101 456, ISO 17799, ABA PKI Assessment Guidelines, ETSI TS 102 042 2005 - 2007 –CA / Browser Forum guidelines for EV SSL certificates, ISO 27001 and ISO 17799 -> ISO 27002 2011-2013 –ETSI TS 119 403 (EN 319 411-3), CABF Baseline Requirements, Security Requirements,WebTrust / ETSI, NIST Reference CP, and ENISA, ISO 27007/27008, etc.
  • 3. Self-regulation as policy process:The multiple and criss-crossing stages of private rule-making, Tony Porter, McMaster University, Hamilton, Canada and Karsten Ronit, University of Copenhagen, Policy Sciences (2006) 39: 41–72 1. Agenda-setting 2. Problem-identification (Rules Drafting) 3. Decision Making 4. Implementation 5. Evaluation
  • 4. 1. Trust Service Provider (TSP) Agenda-setting  What problems do we want to solve?  What kinds of changes are needed? 2. Problem identification (Rulemaking) Identify problems in such a way that they can be addressed by modifications of practices, based on discussion or research of the existing standards of conduct that are deemed to be relevant.
  • 5. Dependent heavily on:  Influence of government in agenda setting stage  Crafting a solution that is an incremental change to existing practice  Choosing the “best practice”  Great volumes of technical research (which sometimes can be arbitrary or political)  Feasibility – capabilities of government vs. those of the private sector
  • 6. Is the proposed course of action appropriate? Will industry follow the recommended practice? Will industry be difficult to monitor?  TSP conduct - complex knowledge, dispersed behavior (Internet crosses international boundaries)  Continuum of public-private influence - there is an inflection point where government regulation reaches balance with private sector through communication and negotiation. Government must address whether self-regulation allows negative externalities to persist unchecked.
  • 7.  Self-auditing and reporting play an important role. These mechanisms work where they have a degree of formality and sophistication.  Encourage voluntary compliance - Appeal to industry’s self-Interest in following best practices. Incentives and sanctions  “Education” is an important part of implementation.  “Education” can range from the publication of rules and “recommended practices on an association’s website, to rigorous certification processes involving extensive studying and testing.
  • 8.  Private rule-making is radical departure because regulation is public in character  Private & public resources are often inadequate  Annual reports on audit/improvements are good  Problems must not become too severe before action taken -- failures need to be corrected.  Transparency important, but a smooth resolution of internal conflicts between public regulation and private self-regulation.
  • 9. Address security vulnerabilities by gathering information and following up Rules, Decisions, Implementation, Evaluation Improve coordination amongst government,WebTrust, ETSI, and other key stakeholders Public-private coordination with industry Follow up with progress reports