PKI Consulting
Av. Borges de Medeiros, 2500/1402, Praia de Belas - Porto Alegre - RS 90110.150
Phone: (51) 3398 5740
www.pkiconsulting.com

Independent Assurance Report

To the Management of CAIXA ECONÔMICA FEDERAL – Certificate Authority:

Scope

We have been engaged, in a reasonable assurance engagement, to report on CAIXA ECONÔMICA FEDERAL (CAIXA-CA) management’s assertion that, for its Certification Authority (CA) services in Brazil for AC CAIXA and the subordinated CAs presented in Appendix A, during the period January 1st 2018 through December 31st 2018, CAIXA-CA has:

• disclosed its Business, Key Life Cycle Management, Certificate Life Cycle Management, and CA Environmental Control practices in its:
   o Certification Practice Statement
• maintained effective controls to provide reasonable assurance that:
   o CAIXA-CA’s Certification Practice Statement is consistent with its Certificate Policy
   o CAIXA-CA provides its services in accordance with its Certificate Policy and Certification Practice Statement
• maintained effective controls to provide reasonable assurance that:
   o The integrity of keys and certificates it manages is established and protected throughout their life cycles;
   o The integrity of subscriber keys and certificates it manages is established and protected throughout their life cycles;
   o The Subscriber information is properly authenticated (for the registration activities performed by CAIXA-CA); and
   o Subordinate CA certificate requests are accurate, authenticated, and approved
• maintained effective controls to provide reasonable assurance that:
   o Logical and physical access to CA systems and data was restricted to authorized individuals;
   o The continuity of key and certificate management operations was maintained; and
   o CA systems development, maintenance and operations were properly authorized and performed to maintain CA systems integrity.
in accordance with the WebTrust Services Principles and Criteria for Certification Authorities, Version 2.1.

CAIXA-CA makes use of external registration authorities for specific subscriber registration activities as disclosed in CAIXA-CA’s business practices. Our procedures did not extend to the controls exercised by these external registration authorities.

CAIXA-CA does not escrow its CA keys, does not provide subscriber key generation services, and does not provide certificate suspension services. Accordingly, our procedures did not extend to controls that would address those criteria.

Certification authority’s responsibilities

CAIXA-CA’s management is responsible for its assertion, including the fairness of its presentation, and the provision of its described services in accordance with the WebTrust Services Principles and Criteria for Certification Authorities, Version 2.1 (https://www.cpacanada.ca/-/media/site/operational/ms-member-services/docs/webtrust/principles-and-criteria-for-certification-authorities-v2-1.pdf?la=en&hash=7E2A90C62FA0BB6ED1580E8AA08405AF9346E85A).
http://certificadodigital.caixa.gov.br/documentos/dpcac-caixa.pdf

Our independence and quality control

We have complied with the independence and other ethical requirements of the Code of Ethics for Professional Accountants issued by the International Ethics Standards Board for Accountants, which is founded on fundamental principles of integrity, objectivity, professional competence and due care, confidentiality and professional behavior.

The firm applies International Standard on Quality Control 1, and accordingly maintains a comprehensive system of quality control including documented policies and procedures regarding compliance with ethical requirements, professional standards and applicable legal and regulatory requirements.

Auditor’s responsibilities

Our responsibility is to express an opinion on management’s assertion based on our procedures. We conducted our procedures in accordance with International Standard on Assurance Engagements 3000, Assurance Engagements Other than Audits or Reviews of Historical Financial Information, issued by the International Auditing and Assurance Standards Board. This standard requires that we plan and perform our procedures to obtain reasonable assurance about whether, in all material respects, management’s assertion is fairly stated, and, accordingly, included:

1. obtaining an understanding of CAIXA-CA’s key and certificate life cycle management business practices and its controls over key and certificate integrity, over the authenticity and privacy of subscriber and relying party information, over the continuity of key and certificate life cycle management operations, and over development, maintenance, and operation of systems integrity;
2. selectively testing transactions executed in accordance with disclosed key and certificate life cycle management business practices;
3. testing and evaluating the operating effectiveness of the controls; and,
4. performing such other procedures as we considered necessary in the circumstances.

We believe that our examination provides a reasonable basis for our opinion.

CAIXA-CA makes use of external registration authorities for specific subscriber registration activities as disclosed in CAIXA-CA’s business practices. Our examination did not extend to the controls exercised by the external registration authorities.

We believe that the evidence we have obtained is sufficient and appropriate to provide a basis for our opinion.

Relative effectiveness of controls

The relative effectiveness and significance of specific controls at CAIXA-CA and their effect on assessments of control risk for subscribers and relying parties are dependent on their interaction with the controls and other factors present at individual subscriber and relying party locations. We have performed no procedures to evaluate the effectiveness of controls at individual subscriber and relying party locations.

Inherent limitations

Because of the nature and inherent limitations of controls, CAIXA-CA’s ability to meet the aforementioned criteria may be affected. For example, controls may not prevent, or detect and correct, error, fraud, unauthorized access to systems and information or failure to comply with internal and external policies or requirements.
Also, the projection of any conclusions based on our findings to future periods is subject to the risk that changes may alter the validity of such conclusions.

Emphasis on Matters

CAIXA ECONÔMICA FEDERAL (CAIXA-CA) has reported a control deficiency on management’s assertion. For this deficiency, we performed additional procedures and were able to obtain reasonable assurance that the risks associated were mitigated during the audit period.

Observation: The CA did not perform integrated control of cryptographic media inventory at all distribution points (RAs).
Relevant WebTrust Criteria: 5.3 If the CA (or RA) distributes subscriber key pairs and certificates using Integrated Circuit Cards (ICCs), the CA (or RA) maintains controls to provide reasonable assurance that:
• ICC procurement, preparation and personalization are securely controlled by the CA (or RA or card bureau);
• ICC Application Data File (ADF) preparation is securely controlled by the CA (or RA);
• ICC usage is enabled by the CA (or RA or card bureau) prior to ICC issuance;
• ICC deactivation and reactivation are securely controlled by the CA (or RA);
• ICCs are securely stored and distributed by the CA (or RA or card bureau);
• ICCs are securely replaced by the CA (or RA or card bureau); and
• ICCs returned to the CA (or RA or card bureau) are securely terminated.
Mitigating Procedure: During the audit, an inventory procedure was implemented that allows a unified view of where the media are situated, from acquisition to distribution, including in RAs.

Observation: The CA did not consider systems development personnel as having a trusted role.
Relevant WebTrust Criteria: 3.3 The CA maintains controls to provide reasonable assurance that personnel and employment practices enhance and support the trustworthiness of the CA’s operations.
Mitigating Procedure: During the audit, the CA included the developers of CA systems in the Trust Role Holders list. The CA included all their names in the Responsibility Matrix and carried out the necessary procedures, such as background checks, signature of a confidentiality (non-disclosure) agreement and other controls.

Observation: No mechanisms were in place to prevent obvious and weak passwords and to set minimum password length and password expiration on CA access control servers at both the main site and the contingency site.
Relevant WebTrust Criteria: 3.6.6 Users are required to follow defined policies and procedures in the selection and use of passwords.
Mitigating Procedure: During the audit, CAIXA-CA corrected the problem and provided evidence that the control was implemented on access control servers at both the main site and the contingency site.

Opinion

In our opinion, through the period January 1st 2018 to December 31st 2018, CAIXA-CA management’s assertion, as referred to above, is fairly stated, in all material respects, in accordance with WebTrust Services Principles and Criteria for Certification Authorities, Version 2.1.

This report does not include any representation as to the quality of CAIXA-CA's services beyond those covered by the WebTrust Services Principles and Criteria for Certification Authorities, Version 2.1 criteria, nor the suitability of any of CAIXA-CA's services for any customer's intended purpose.

Use of the WebTrust seal

CAIXA-CA’s use of the WebTrust for Certification Authorities Seal constitutes a symbolic representation of the contents of this report and it is not intended, nor should it be construed, to update this report or provide any additional assurance.

Porto Alegre, RS, Brazil, August 29th, 2019

João Ivonir Moreira
CRC/RS-025692/O-4
PKI Contabilidade e Auditoria Ltda.
CNPJ 18.885.468/0001-76 – CRC/RS-007849/O

CAIXA ECONÔMICA FEDERAL (CAIXA-CA) Management’s Assertion

CAIXA ECONÔMICA FEDERAL (CAIXA-CA) operates Certification Authority (CA) services for AC CAIXA and the subordinated CAs presented in Appendix A, and provides the following CA services:

• Subscriber registration
• Certificate renewal
• Certificate issuance
• Certificate distribution
• Certificate revocation
• Certificate status information processing (using CRL repository)

The management of CAIXA-CA is responsible for establishing and maintaining effective controls over its CA operations, including its CA business practices disclosure, CA business practices management, CA environmental controls, CA key lifecycle management controls, subscriber key lifecycle management controls, certificate lifecycle management controls, and subordinate CA certificate lifecycle management controls. These controls contain monitoring mechanisms, and actions are taken to correct deficiencies identified.

There are inherent limitations in any controls, including the possibility of human error, and the circumvention or overriding of controls.
Accordingly, even effective controls can only provide reasonable assurance with respect to CAIXA-CA’s Certification Authority operations. Furthermore, because of changes in conditions, the effectiveness of controls may vary over time.

CAIXA-CA management has assessed its disclosures of its certificate practices and controls over its CA services. During our assessment, we noted the following observations that caused the relevant criteria to not be met:

Observation: The CA did not perform integrated control of cryptographic media inventory at all distribution points (RAs).
Relevant WebTrust Criteria: 5.3 If the CA (or RA) distributes subscriber key pairs and certificates using Integrated Circuit Cards (ICCs), the CA (or RA) maintains controls to provide reasonable assurance that:
• ICC procurement, preparation and personalization are securely controlled by the CA (or RA or card bureau);
• ICC Application Data File (ADF) preparation is securely controlled by the CA (or RA);
• ICC usage is enabled by the CA (or RA or card bureau) prior to ICC issuance;
• ICC deactivation and reactivation are securely controlled by the CA (or RA);
• ICCs are securely stored and distributed by the CA (or RA or card bureau);
• ICCs are securely replaced by the CA (or RA or card bureau); and
• ICCs returned to the CA (or RA or card bureau) are securely terminated.

Observation: The CA did not consider systems development personnel as having a trusted role.
Relevant WebTrust Criteria: 3.3 The CA maintains controls to provide reasonable assurance that personnel and employment practices enhance and support the trustworthiness of the CA’s operations.
Based on the assessment, in CAIXA-CA management’s opinion, except for the matters described in the preceding table, in providing its Certification Authority (CA) services in Brazil, through the period January 1st 2018 to December 31st 2018, CAIXA-CA has:

• disclosed its Business, Key Life Cycle Management, Certificate Life Cycle Management, and CA Environmental Control practices in its:
   o Certification Practice Statement
   o Certificate Policy
• maintained effective controls to provide reasonable assurance that:
   o CAIXA-CA’s Certification Practice Statement is consistent with its Certificate Policy
   o CAIXA-CA provides its services in accordance with its Certificate Policy and Certification Practice Statement
• maintained effective controls to provide reasonable assurance that:
   o The integrity of keys and certificates it manages is established and protected throughout their life cycles;
   o The integrity of subscriber keys and certificates it manages is established and protected throughout their life cycles;
   o The Subscriber information is properly authenticated (for the registration activities performed by CAIXA-CA); and
   o Subordinate CA certificate requests are accurate, authenticated, and approved
• maintained effective controls to provide reasonable assurance that:
   o Logical and physical access to CA systems and data was restricted to authorized individuals;
   o The continuity of key and certificate management operations was maintained; and
   o CA systems development, maintenance and operations were properly authorized and performed to maintain CA systems integrity.
in accordance with the WebTrust Services Principles and Criteria for Certification Authorities, Version 2.1, including the following:

CA Business Practices Disclosure
• Certification Practice Statement
• Certificate Policy Management

CA Business Practices Management
• Certificate Policy Management
• Certification Practice Statement Management
• CP and CPS Consistency

CA Environmental Controls
• Security Management
• Asset Classification and Management
• Personnel Security
• Physical and Environmental Security
• Operations Management
• System Access Management
• Systems Development and Maintenance
• Business Continuity Management
• Monitoring and Compliance
• Audit Logging

CA Key Lifecycle Management Controls
• CA Key Generation
• CA Key Storage, Backup, and Recovery
• CA Public Key Distribution
• CA Key Usage
• CA Key Life Cycle Management Controls
• CA Key Archival and Destruction
• CA Key Compromise
• CA Cryptographic Hardware Life Cycle Management
• CA-Key Escrow

Certificate Life Cycle Management Controls
• Subscriber registration
• Certificate renewal
• Certificate issuance
• Certificate distribution
• Certificate revocation
• Certificate status information processing (using CRL repository)

Porto Alegre, RS, Brazil, August 29th, 2019

____________________________________________
Renan Correia Martino
Legal Representative
CAIXA ECONÔMICA FEDERAL – Certificate Authority

APPENDIX A

AC Caixa, Cert # 1
   Subject: CN = AC CAIXA v2, OU = Autoridade Certificadora Raiz Brasileira v2, O = ICP-Brasil, C = BR
   Issuer: CN = Autoridade Certificadora Raiz Brasileira v2, OU = Instituto Nacional de Tecnologia da Informacao - ITI, O = ICP-Brasil, C = BR
   Serial: 11
   Key Algorithm: rsaEncryption
   Key Size: 4096
   Digest Algorithm: sha512WithRSAEncryption
   Not Before: December 02, 2011 12:16:53
   Not After: December 02, 2021 12:16:53

AC Caixa SPB, Cert # 1
   Subject: CN = AC CAIXA SPB, OU = Caixa Economica Federal, OU = CSPB-5, O = ICP-Brasil, C = BR
   Issuer: CN = AC CAIXA v2, OU = Autoridade Certificadora Raiz Brasileira v2, O = ICP-Brasil, C = BR
   Serial: 313594386650957950
   Key Algorithm: rsaEncryption
   Key Size: 4096
   Digest Algorithm: sha512WithRSAEncryption
   Not Before: January 19, 2015 19:57:33
   Not After: December 02, 2021 12:16:53

AC CAIXA PJ, Cert # 1
   Subject: CN = AC CAIXA PJ v2, OU = Caixa Economica Federal, O = ICP-Brasil, C = BR
   Issuer: CN = AC CAIXA v2, OU = Autoridade Certificadora Raiz Brasileira v2, O = ICP-Brasil, C = BR
   Serial: 3293855150607280421
   Key Algorithm: rsaEncryption
   Key Size: 4096
   Digest Algorithm: sha512WithRSAEncryption
   Not Before: December 23, 2011 13:55:36
   Not After: December 21, 2019 13:55:36

AC CAIXA PJ, Cert # 2
   Subject: CN = AC CAIXA PJ 1v2, OU = Caixa Economica Federal, O = ICP-Brasil, C = BR
   Issuer: CN = AC CAIXA v2, OU = Autoridade Certificadora Raiz Brasileira v2, O = ICP-Brasil, C = BR
   Serial: 5866022542054724111
   Key Algorithm: rsaEncryption
   Key Size: 4096
   Digest Algorithm: sha512WithRSAEncryption
   Not Before: January 25, 2019 12:30:48
   Not After: December 02, 2021 12:16:53

AC CAIXA PF, Cert # 1
   Subject: CN = AC CAIXA PF v2, OU = Caixa Economica Federal, O = ICP-Brasil, C = BR
   Issuer: CN = AC CAIXA v2, OU = Autoridade Certificadora Raiz Brasileira v2, O = ICP-Brasil, C = BR
   Serial: 2949476758877439192
   Key Algorithm: rsaEncryption
   Key Size: 4096
   Digest Algorithm: sha512WithRSAEncryption
   Not Before: December 23, 2011 13:52:58
   Not After: December 21, 2019 13:52:58

AC CAIXA PF, Cert # 2
   Subject: CN = AC CAIXA PF 1v2, OU = Caixa Economica Federal, O = ICP-Brasil, C = BR
   Issuer: CN = AC CAIXA v2, OU = Autoridade Certificadora Raiz Brasileira v2, O = ICP-Brasil, C = BR
   Serial: 2325644556531560206
   Key Algorithm: rsaEncryption
   Key Size: 4096
   Digest Algorithm: sha512WithRSAEncryption
   Not Before: January 25, 2019 12:28:23
   Not After: December 02, 2021 12:16:53

AC CAIXA JUS, Cert # 1
   Subject: CN = AC CAIXA-JUS v2, OU = Autoridade Certificadora da Justica - AC-JUS, O = ICP-Brasil, C = BR
   Issuer: CN = Autoridade Certificadora da Justica v4, OU = Autoridade Certificadora Raiz Brasileira v2, O = ICP-Brasil, C = BR
   Serial: 3
   Key Algorithm: rsaEncryption
   Key Size: 4096
   Digest Algorithm: sha512WithRSAEncryption
   Not Before: December 28, 2011 13:03:21
   Not After: December 28, 2019 13:03:21

AC CAIXA PJ SSL, Cert # 1
   Subject: CN = AC CAIXA PJ SSL v2, OU = Caixa Economica Federal, O = ICP-Brasil, C = BR
   Issuer: CN = AC CAIXA v2, OU = Autoridade Certificadora Raiz Brasileira v2, O = ICP-Brasil, C = BR
   Serial: 2761034805576874509
   Key Algorithm: rsaEncryption
   Key Size: 4096
   Digest Algorithm: sha512WithRSAEncryption
   Not Before: March 17, 2017 19:39:15
   Not After: March 16, 2020 19:39:15

2019-08-29T10:39:04-0300 JOAO IVONIR MOREIRA:18835759072
2019-09-02T19:18:23-0300 RENAN CORREIA MARTINO:99602741104