[cabfpub] FW: [cabfman] Ballot 171? for updating the ETSI standards in the CABF documents

Ryan Sleevi sleevi at google.com
Thu Jun 9 16:06:35 UTC 2016


Inigo,

I'm not sure how this is meaningfully different from how we handle EV
audits, for which root stores also require the BR audits.

I've reviewed 411-1 and 411-2, and the outstanding question you didn't
answer is what prevents a CA from getting audited under EVCP when getting a
QCP-w audit.

On Thu, Jun 9, 2016 at 3:49 AM, Barreira Iglesias, Iñigo <
i-barreira at izenpe.eus> wrote:

> Now to the public
>
> Ryan, this is what is stated in EN 319 411-2:
>
> The standard EN 319 411-2, which sets requirements for trust service
> providers issuing EU qualified certificates, states as its objective, in
> what concerns qualified website authentication certificates, to define *“A
> policy for EU qualified web certificate offering the level of quality
> defined in Regulation (EU) N° 910/2014 for EU qualified certificates
> (requiring or not the use of a secure cryptographic device) used in support
> of web authentication. The requirements for this certificate policy include
> all the Extended Validation certificate policy (EVCP) requirements, plus
> additional provisions suited to support EU qualified certificates issuance
> and management as specified in Regulation (EU) N° 910/2014.” *
>
> *Iñigo Barreira*
> Head of the Technical Area
> i-barreira at izenpe.eus
>
> 945067705
>
> ATTENTION! This message may contain privileged or confidential information
> that only the addressee is entitled to access. If you have received it in
> error (address mistyped, transmission failure), please do not make use of
> the information and notify the sender by replying to this email.
>
> *From:* Ryan Sleevi [mailto:sleevi at google.com]
> *Sent:* Thursday, 09 June 2016 8:47
> *To:* Barreira Iglesias, Iñigo
> *CC:* management at cabforum.org
> *Subject:* Re: [cabfman] Ballot 171? for updating the ETSI standards in
> the CABF documents
>
> No, it doesn't, but I'll refrain from discussing that further until it's
> on the public list.
>
> On Wed, Jun 8, 2016 at 11:38 PM, Barreira Iglesias, Iñigo <
> i-barreira at izenpe.eus> wrote:
>
> Yes, in order to get a QWAC you have to follow the EVCP but not the other
> way round. So an EVCP can't be a QWAC but a QWAC has to be an EVCP. Does
> this help?
>
> *From:* Ryan Sleevi [mailto:sleevi at google.com]
> *Sent:* Wednesday, 08 June 2016 20:15
> *To:* Barreira Iglesias, Iñigo
> *CC:* management at cabforum.org
> *Subject:* Re: [cabfman] Ballot 171? for updating the ETSI standards in
> the CABF documents
>
> Inigo,
>
> Is there anything that prevents a CA from getting a 411-2 audit from
> getting a 411-1 audit to EVCP?
>
> I've said it before, but I'm extremely uncomfortable recognizing QWACs as
> equivalent to EV. If QWACs want recognition, having them issued compliant
> with the EVCP policy and the QCP-w policy seems entirely reasonable.
>
> This is no different than if WebTrust were to create a new profile of
> "WebTrust for CAs - WebTrust's Really Awesome Standards" that made
> assurances that they "captured the spirit" of EV (which is effectively what
> QCP-w is stating).
>
> On Wed, Jun 8, 2016 at 5:37 AM, Barreira Iglesias, Iñigo <
> i-barreira at izenpe.eus> wrote:
>
> *Ballot 171 – Updating the ETSI standards in the CABF documents*
>
> The following motion has been proposed by Iñigo Barreira of Izenpe and
> endorsed by XXX and XXX:
>
> -- MOTION BEGINS --
>
> *In the BRs,*
>
> In section 1.6.3 References, change:
>
> ETSI TS 119 403, Electronic Signatures and Infrastructures (ESI); Trust
> Service Provider Conformity Assessment - General Requirements and Guidance.
>
> ETSI TS 102 042, Electronic Signatures and Infrastructures (ESI); Policy
> requirements for certification authorities issuing public key certificates.
>
> With
>
> ETSI EN 319 403, Electronic Signatures and Infrastructures (ESI); Trust
> Service Provider Conformity Assessment - Requirements for conformity
> assessment bodies assessing Trust Service Providers
>
> ETSI EN 319 411-1, Electronic Signatures and Infrastructures (ESI); Policy
> and security requirements for Trust Service Providers issuing certificates;
> Part 1: General requirements
>
> ETSI EN 319 411-2, Electronic Signatures and Infrastructures (ESI); Policy
> and security requirements for Trust Service Providers issuing certificates;
> Part 2: Requirements for trust service providers issuing EU qualified
> certificates
>
> In section 8.2 Identity/qualification of assessor, point 4, change:
>
> 4. (For audits conducted in accordance with any one of the ETSI standards)
> accredited in accordance with ETSI TS 119 403, or accredited to conduct
> such audits under an equivalent national scheme, or accredited by a
> national accreditation body in line with ISO 27006 to carry out ISO 27001
> audits;
>
> With
>
> 4. (For audits conducted in accordance with any one of the ETSI standards)
> accredited in accordance with ETSI EN 319 403;
>
> In section 8.4 Topics covered by assessment, point 2, change:
>
> 2. A national scheme that audits conformance to ETSI TS 102 042;
>
> With
>
> 2. A national scheme that audits conformance to ETSI EN 319 411-1;
>
> *In the EV guidelines,*
>
> In section 8.2.1 Implementation, point (B), change:
>
> (B) Implement the requirements of (i) the then-current WebTrust Program
> for CAs, and (ii) the then-current WebTrust EV Program or ETSI TS 102 042;
> and
>
> With
>
> (B) Implement the requirements of (i) the then-current WebTrust Program
> for CAs, and (ii) the then-current WebTrust EV Program or ETSI EN 319 411-1
> for EVCP policy or ETSI EN 319 411-2 for QCP-w policy; and
>
> In section 8.2.2 Disclosure, change:
>
> The CA is also REQUIRED to publicly disclose its CA business practices as
> required by both WebTrust for CAs and ETSI TS 102 042.
>
> With
>
> The CA is also REQUIRED to publicly disclose its CA business practices as
> required by both WebTrust for CAs and ETSI EN 319 411-1 or ETSI EN 319
> 411-2.
>
> In section 17.1 Eligible audit schemes, point (ii), change:
>
> (ii) ETSI TS 102 042 audit
>
> With
>
> (ii) ETSI EN 319 411-1 audit for EVCP policy or ETSI EN 319 411-2 audit
> for QCP-w policy
>
> In section 17.4 pre-issuance readiness audit, point (2), change:
>
> (2) If the CA has a currently valid ETSI 102 042 audit, then, before
> issuing EV Certificates, the CA and its Root CA MUST successfully complete
> a point-in-time readiness assessment audit against ETSI TS 102 042.
>
> With
>
> (2) If the CA has a currently valid ETSI EN 319 411-1 audit for EVCP
> policy or ETSI EN 319 411-2 for QCP-w policy, then, before issuing EV
> Certificates, the CA and its Root CA MUST successfully complete a
> point-in-time readiness assessment audit against these ETSI standards.
>
> In section 17.4 pre-issuance readiness audit, point (3), change:
>
> (3) If the CA does not have a currently valid WebTrust Seal of Assurance
> for CAs or an ETSI 102 042 audit, then, before issuing EV Certificates,
> the CA and its Root CA MUST successfully complete either: (i) a
> point-in-time readiness assessment audit against the WebTrust for CA
> Program, or (ii) a point-in-time readiness assessment audit against the
> WebTrust EV Program, or an ETSI TS 102 042 audit.
>
> With
>
> (3) If the CA does not have a currently valid WebTrust Seal of Assurance
> for CAs or an ETSI EN 319 411-1 audit for EVCP policy or ETSI EN 319 411-2
> for QCP-w policy, then, before issuing EV Certificates, the CA and its Root
> CA MUST successfully complete either: (i) a point-in-time readiness
> assessment audit against the WebTrust for CA Program, or (ii) a
> point-in-time readiness assessment audit against the WebTrust EV Program,
> or an ETSI EN 319 411-1 for EVCP or ETSI EN 319 411-2 for QCP-w audit.
>
> -- MOTION ENDS --
>
> The review period for this ballot shall commence at 2200 UTC on 13 June
> 2016, and will close at 2200 UTC on 20 June 2016. Unless the motion is
> withdrawn during the review period, the voting period will start
> immediately thereafter and will close at 2200 UTC on 26 June 2016. Votes
> must be cast by posting an on-list reply to this thread.
>
> A vote in favor of the motion must indicate a clear 'yes' in the response.
> A vote against must indicate a clear 'no' in the response. A vote to
> abstain must indicate a clear 'abstain' in the response. Unclear responses
> will not be counted. The latest vote received from any representative of a
> voting member before the close of the voting period will be counted. Voting
> members are listed here: https://cabforum.org/members/
>
> In order for the motion to be adopted, two thirds or more of the votes
> cast by members in the CA category and greater than 50% of the votes cast
> by members in the browser category must be in favor. Quorum is currently
> ten (10) members; at least ten members must participate in the ballot,
> either by voting in favor, voting against, or abstaining.
>
> _______________________________________________
> Management mailing list
> Management at cabforum.org
> https://cabforum.org/mailman/listinfo/management
>
> _______________________________________________
> Public mailing list
> Public at cabforum.org
> https://cabforum.org/mailman/listinfo/public