Globalsign Proposes Modifying the Below Proposal

Proposed updates to WEQ Cybersecurity Subcommittee Proposal for Modification to the ACA Process Document - GlobalSign

GlobalSign proposes modifying the below proposal:

ACA’s may issue NAESB compliant certificates for use outside of NAESB WEQ-012 applications (two examples of NAESB WEQ-012 applications are OASIS and the NAESB EIR) which exempts the ACA from meeting requirements within WEQ-012-1.3.3 and WEQ-012.1.4.3 that require End Entity registration within the NAESB EIR. However such use does not exempt the ACA from complying with all other NAESB WEQ-012 Public Key Infrastructure Business Practice Standards.

With the following:

As stated in the INTRODUCTION paragraph of WEQ-012:

The NAESB WEQ has developed these Business Practice Standards WEQ-012 to establish a secure PKI. Nothing in these Business Practice Standards WEQ-012 would preclude it from being adopted by other energy industry quadrants as appropriate.

Furthermore, as stated in theSCOPE section of WEQ-012:

Scope These Business Practice Standards WEQ-012 provide for an infrastructure to secure electronic communications. These Business Practice Standards WEQ-012 dictate the obligations of both Authorized Certification Authorities and End Entities that will rely on this infrastructure. These Business Practice Standards WEQ-012 do not specify how Certificates issued by Authorized Certification Authorities are to be used to secure specific software applications or electronic transactions. Those standards will be developed under separate NAESB Business Practice Standards

Given the original intent that an ACA could issue WEQ-012 compliant certificates to energy participants outside of WEQ and the requirement that the “use” of WEQ-012 certificates should be addressed outside of WEQ-012 and developed in other NAESB Business Practice Standards, non-WEQ energy entities wishing to utilize WEQ-012 as a best practice around PKI should be exempt from registering in the EIR and ACAs exempt from verifying and including EIR entity codes in non WEQ applicant’s certificates. In fact, any requirement around verifying EIR status and capturing EIR entity codes into a certificate’s OU field should remain outside the WEQ-012 standard, and instead within the WEQ Business Practice Standard where the use of the certificate is specified e.g. OASIS.

Further expanding on the area of “use”, WEQ-012 clearly does not address access and authorization requirements unique to applications that utilize WEQ-012 compliant digital certificates. Any WEQ applications that requires digital certificates issued from an approved ACA,are required tospecify how their application will interrogate the certificate for information necessary to make appropriate access and authorization decisionsas described in the business practice standard governing the application.

Per WEBREGISTRY USER GUIDE v1.1, March 2012

The Electric Industry Registry (EIR) will serve as the central repository for information required to support commercial, scheduling, and transmission management operations in North America. The North American Energy Standards Board (NAESB) has provided the requirements for the EIR. Open Access Technology International, Inc. (OATI) has developed the webRegistry system to perform NAESB EIR functions. webRegistry is a web-based system that allows industry participants to register and maintain their company information used by industry participants in business operations. In addition, companies can register new data and modify existing data that are used in transmission and scheduling procedures.

Given the above description of EIR, energy participants that do not engage in the Electric commercial, scheduling, and transmission management operations in North American, it is GlobalSign’s opinion that requiring non WEQ energy participants to registry in EIR is an inappropriate recommendation and frankly would impose undue burden and costto impose on non WEQ participants.

In summary, we set forward revised language to address clarification around “use” as follows: