[cabfpub] Ballot 171 - Updating ETSI standards in CABF documents

Erwann Abalea Erwann.Abalea at docusign.com
Wed Jun 22 18:09:13 UTC 2016


Good evening Arno,

I sent and confirmed my subscription request to ESI_TSP, now waiting for its approval.

We’ll arrange a conf-call with the auditor soon if necessary, if we can’t discuss it by email or on the ESI_TSP mailing list.

In the meantime, I think it’s best to postpone ballot 171.

Kind regards,
Erwann Abalea

> On 22 June 2016 at 19:15, Arno Fiedler <arno.fiedler at outlook.com> wrote:
> 
> Dear Erwann,
> 
> may I suggest two tasks to harmonize the discussion:
> 
> A) let's arrange a TeleCo with your "accredited auditor, who confirmed that the validation step requires physical presence of the subscriber" (see your e-mail dated 20 June 2016 21:19)
> 
> B) let's discuss details via ESI_TSP (ESI Trust Service Providers) <ESI_TSP at LIST.ETSI.ORG>
> Maybe not all members of the CA/B Forum Public list are interested in the interpretation of European Norms in parallel to the official European standardisation process.
> There are official bulletins for collecting and handling comments; that's what Iñigo mentioned.
> 
> Thanks in advance
> 
> Arno Fiedler
> 
> -----------------------------------------
> 
> Iñigo,
> 
> 
> I’m fine with adding EN 319403 and EN 319411-1 as acceptable normative references.
> 
> What do you mean by « official bulletins »? If you mean receiving an official record of a company registration/incorporation, then I disagree. In many countries (France included), you can register/incorporate a company without any physical verification.
> 319411-1 requires the CA to apply NCP requirements to *all* EVCP certificates. NCP requirements imply physical presence verification (or equivalent: signed documents by an actor trusted to have physically performed the verification). It's the exact same level of verification performed to deliver a certificate to a natural person.
> EVG requires physical verification for some cases only (depending on matching between Place of Business and content of QGIS/QIIS/QTIS, if the country of the Place of Business is different from the country of Incorporation/Registration, etc.).
> 
> I want to align the TS 102042 rejection date to its official withdrawal by ETSI.
> 
> 
> Therefore, I’d like the motion to be changed like this:
> 
> -- MOTION BEGINS --
> 
> In the BRs,
> 
> In section 1.6.3 References, change:
> ETSI TS 119 403, Electronic Signatures and Infrastructures (ESI); Trust Service Provider Conformity Assessment - General Requirements and Guidance.
> ETSI TS 102 042, Electronic Signatures and Infrastructures (ESI); Policy requirements for certification authorities issuing public key certificates.
> 
> With
> ETSI EN 319 403, Electronic Signatures and Infrastructures (ESI); Trust Service Provider Conformity Assessment - Requirements for conformity assessment bodies assessing Trust Service Providers
> 
> and add:
> 
> ETSI EN 319 411-1, Electronic Signatures and Infrastructures (ESI); Policy and security requirements for Trust Service Providers issuing certificates;
> Part 1: General requirements
> 
> 
> In section 8.2 Identity/qualification of assessor, point 4, change:
> 4. (For audits conducted in accordance with any one of the ETSI standards) accredited in accordance with ETSI TS 119 403, or accredited to conduct such audits under an equivalent national scheme, or accredited by a national accreditation body in line with ISO 27006 to carry out ISO 27001 audits;
> 
> With
> 
> 
> 4. (For audits conducted in accordance with any one of the ETSI standards) accredited in accordance with ISO 17065 applying the requirements specified in ETSI EN 319 403;
> 
> 
> 
> 
> In section 8.4 Topics covered by assessment, point 2, change:
> 
> 2. A national scheme that audits conformance to ETSI TS 102 042;
> 
> With
> 
> 2. A national scheme that audits conformance to ETSI TS 102 042/ ETSI EN 319 411-1; Effective July 1st 2016, only the ETSI EN 319 411-1 criteria shall be accepted. Audit reports following the ETSI TS 102 042 criteria shall be accepted until July 1st 2017;
> 
> In the EV guidelines,
> 
> In section 8.2.1 Implementation, point (B), change:
> 
> (B) Implement the requirements of (i) the then-current WebTrust Program for CAs, and (ii) the then-current WebTrust
> EV Program or ETSI TS 102 042; and
> 
> With
> 
> (B) Implement the requirements of (i) the then-current WebTrust Program for CAs, and (ii) the then-current WebTrust
> EV Program or ETSI TS 102 042 for EVCP or ETSI EN 319 411-1 for EVCP policy; and
> 
> 
> In section 8.2.2 Disclosure, change:
> 
> The CA is also REQUIRED to publicly disclose its CA business practices as required by both WebTrust for CAs and ETSI TS 102 042.
> 
> With
> 
> The CA is also REQUIRED to publicly disclose its CA business practices as required by both WebTrust for CAs and ETSI TS 102 042 and ETSI EN 319 411-1.
> 
> 
> In section 17.1 Eligible audit schemes, point (ii), change:
> 
> (ii) ETSI TS 102 042 audit
> 
> With
> 
> (ii) ETSI TS 102 042 audit for EVCP, or
> (iii) ETSI EN 319 411-1 audit for EVCP policy
> 
> 
> In section 17.4 pre-issuance readiness audit, after point (2), add:
> 
> 
> (2) If the CA has a currently valid ETSI 102 042 audit, then, before issuing EV Certificates, the CA and its Root CA MUST successfully complete a point-in-time readiness assessment audit against ETSI TS 102 042.
> 
> 
> With
> 
> (3) If the CA has a currently valid ETSI EN 319 411-1 audit for EVCP policy, then, before issuing EV Certificates, the CA and its Root CA MUST successfully complete a point-in-time readiness assessment audit against these ETSI standards.
> 
> and change:
> 
> (3) If the CA does not have a currently valid WebTrust Seal of Assurance for CAs or an ETSI 102 042 audit, then, before
> issuing EV Certificates, the CA and its Root CA MUST successfully complete either: (i) a point-in-time readiness
> assessment audit against the WebTrust for CA Program, or (ii) a point-in-time readiness assessment audit against the
> WebTrust EV Program, or an ETSI TS 102 042 audit.
> 
> With
> 
> (3) If the CA does not have a currently valid WebTrust Seal of Assurance for CAs or an ETSI TS 102 042 EVCP or an ETSI EN 319 411-1 audit for EVCP policy, then, before issuing EV Certificates, the CA and its Root CA MUST successfully complete either: (i) a point-in-time readiness assessment audit against the WebTrust for CA Program, or (ii) a point-in-time readiness assessment audit against the WebTrust EV Program, or an ETSI TS 102 042 EVCP, or an ETSI EN 319 411-1 for EVCP policy.
> 
> -- MOTION ENDS --
> 
> Kind regards,
> Erwann Abalea
> 
> > On 21 June 2016 at 12:58, Barreira Iglesias, Iñigo <i-barreira at izenpe.eus> wrote:
> >
> > Erwann,
> >
> > - I think I replied to the same question you asked me last week. You can use other appropriate methods, for example, official bulletins, etc.
> >
> > - This document has been presented many times over the last 2 years, requested for comments (even within the CABF), and finally approved by all EU MS. In any case, you can ask through your official NSO or directly to ETSI and suggest amendments, corrections, etc. There's an ongoing task within ESI to update the document to keep it aligned with the CABF changes.
> >
> > - TS 102 042 will be replaced soon, probably before the year ends, so not sure about keeping it.
> >
> >
> >
> > Regards
> >
> >
> >
> > Iñigo Barreira
> > Head of the Technical Area
> > i-barreira at izenpe.eus
> >
> > 945067705
> >
> >
> >
> >
> >
> >
> > WARNING! Part or all of this message may be legally protected. The message is intended for its addressee only. If it has reached the wrong address (address mistyped, transmission failure), please notify the sender by replying to this e-mail. CAUTION!
> > ATTENTION! This message contains privileged or confidential information that only the addressee is entitled to access. If you have received it by mistake, we would be grateful if you did not make use of the information and contacted the sender.
> >
> >
> >
> > From: Erwann Abalea [mailto:Erwann.Abalea at docusign.com]
> > Sent: Monday, 20 June 2016 21:19
> > To: Barreira Iglesias, Iñigo
> > CC: public at cabforum.org
> > Subject: Re: [cabfpub] Ballot 171 - Updating ETSI standards in CABF documents
> >
> >
> >
> > Good evening,
> >
> >
> >
> > I think EN 319 411-1 is not ready for EV certificates as some requirements are more stringent than 102 042 EVCP.
> >
> > Reading this document, we found, and it was confirmed by our accredited auditor, that the validation step requires physical presence of the subscriber or means equivalent to physical presence. Find below an excerpt of section 6.2.2 Initial identity validation:
> >
> >
> >
> >     h) [CONDITIONAL] [NCP]: If the subject is a device or system operated by or on behalf of a legal person, or other organizational entity identified in association with a legal person, evidence of the identity, in particular the ones listed in i), shall be checked against a duly mandated subscriber either directly, by physical presence of a person, or have been checked indirectly using means which provides equivalent assurance to physical presence.
> >
> >
> >
> >     i) [CONDITIONAL]: If the subject is a device or system operated by or on behalf of a legal person, or other organizational entity identified in association with a legal person, evidence shall be provided of:
> >
> >         1) identifier of the device by which it can be referenced (e.g. Internet domain name);
> >
> >         2) full name of the organizational entity:
> >
> >             * [PTC]: clause 3.2.2 of BRG [5] shall apply;
> >
> >             * [EVCP]: EVCG [4], clause 11.2.1, shall apply;
> >
> >         3) any relevant existing registration information (e.g. company registration) of the legal person or other organizational entity identified in association with the legal person that would appear in the organization attribute of the certificate, consistent with the national or other applicable identification practices;
> >
> >         4) a nationally recognized identity number, or other attributes which can be used to, as far as possible, distinguish the organizational entity from others with the same name; and
> >
> >         5) [CONDITIONAL]: when applicable, the association between the legal person and the other organizational entity identified in association with this legal person that would appear in the organization attribute of the certificate, consistent with the national or other applicable identification practices.
> >
> >
> >
> > This physical presence (face-to-face) of the subscriber is required by EV Guidelines when the subject is a Business Entity only, to verify the identity of the Principal Individual. This face-to-face validation is not required for Private Organizations, Government Entities, and Non-Commercial Entities.
> >
> >
> >
> > In addition to that, ETSI has not withdrawn the current standard TS 102 042. If we apply too quickly EN 319 411-1 before it’s updated, it will add some constraints on European CAs only and thus create a gap between European and non-European CAs.
> >
> >
> >
> >
> >
> > Kind regards,
> >
> > Erwann Abalea
> >
> >
> >
> >     On 17 June 2016 at 11:43, Barreira Iglesias, Iñigo <i-barreira at izenpe.eus> wrote:
> >
> >
> >
> >     Ballot 171 – Updating the ETSI standards in the CABF documents
> >
> >     The following motion has been proposed by Iñigo Barreira of Izenpe and endorsed by Mads Henriksveen of Buypass, Jochem van den Berge of Logius PKIoverheid and Arno Fiedler of D-trust
> >
> >     -- MOTION BEGINS --
> >
> >     In the BRs,
> >
> >     In section 1.6.3 References, change:
> >
> >     ETSI TS 119 403, Electronic Signatures and Infrastructures (ESI); Trust Service Provider Conformity Assessment - General Requirements and Guidance.
> >
> >     ETSI TS 102 042, Electronic Signatures and Infrastructures (ESI); Policy requirements for certification authorities issuing public key certificates.
> >
> >     With
> >
> >     ETSI EN 319 403, Electronic Signatures and Infrastructures (ESI); Trust Service Provider Conformity Assessment - Requirements for conformity assessment bodies assessing Trust Service Providers
> >
> >
> >
> >     ETSI EN 319 411-1, Electronic Signatures and Infrastructures (ESI); Policy and security requirements for Trust Service Providers issuing certificates;
> >
> >     Part 1: General requirements
> >
> >
> >
> >     In section 8.2 Identity/qualification of assessor, point 4, change:
> >
> >     4. (For audits conducted in accordance with any one of the ETSI standards) accredited in accordance with ETSI TS 119 403, or accredited to conduct such audits under an equivalent national scheme, or accredited by a national accreditation body in line with ISO 27006 to carry out ISO 27001 audits;
> >
> >
> >
> >     With
> >
> >
> >
> >     4. (For audits conducted in accordance with any one of the ETSI standards) accredited in accordance with ISO 17065 applying the requirements specified in ETSI EN 319 403;
> >
> >
> >
> >
> >
> >     In section 8.4 Topics covered by assessment, point 2, change:
> >
> >     2. A national scheme that audits conformance to ETSI TS 102 042;
> >
> >     With
> >
> >     2. A national scheme that audits conformance to ETSI TS 102 042/ ETSI EN 319 411-1; Effective July 1st 2016, only the ETSI EN 319 411-1 criteria shall be accepted. Audit reports following the ETSI TS 102 042 criteria shall be accepted until July 1st 2017;
> >
> >     In the EV guidelines,
> >
> >
> >
> >     In section 8.2.1 Implementation, point (B), change:
> >
> >
> >
> >     (B) Implement the requirements of (i) the then-current WebTrust Program for CAs, and (ii) the then-current WebTrust
> >
> >     EV Program or ETSI TS 102 042; and
> >
> >
> >
> >     With
> >
> >
> >
> >     (B) Implement the requirements of (i) the then-current WebTrust Program for CAs, and (ii) the then-current WebTrust
> >
> >     EV Program or ETSI EN 319 411-1 for EVCP policy; and
> >
> >
> >
> >
> >
> >     In section 8.2.2 Disclosure, change:
> >
> >
> >
> >     The CA is also REQUIRED to publicly disclose its CA business practices as required by both WebTrust for CAs and ETSI TS 102 042.
> >
> >
> >
> >     With
> >
> >
> >
> >     The CA is also REQUIRED to publicly disclose its CA business practices as required by both WebTrust for CAs and ETSI EN 319 411-1.
> >
> >
> >
> >
> >
> >     In section 17.1 Eligible audit schemes, point (ii), change:
> >
> >
> >
> >     (ii) ETSI TS 102 042 audit
> >
> >
> >
> >     With
> >
> >
> >
> >     (ii) ETSI EN 319 411-1 audit for EVCP policy
> >
> >
> >
> >
> >
> >     In section 17.4 pre-issuance readiness audit, point (2), change:
> >
> >
> >
> >     (2) If the CA has a currently valid ETSI 102 042 audit, then, before issuing EV Certificates, the CA and its Root CA MUST successfully complete a point-in-time readiness assessment audit against ETSI TS 102 042.
> >
> >
> >
> >     With
> >
> >
> >
> >     (2) If the CA has a currently valid ETSI EN 319 411-1 audit for EVCP policy, then, before issuing EV Certificates, the CA and its Root CA MUST successfully complete a point-in-time readiness assessment audit against these ETSI standards.
> >
> >
> >
> >
> >
> >     In section 17.4 pre-issuance readiness audit, point (3), change:
> >
> >
> >
> >     (3) If the CA does not have a currently valid WebTrust Seal of Assurance for CAs or an ETSI 102 042 audit, then, before
> >
> >     issuing EV Certificates, the CA and its Root CA MUST successfully complete either: (i) a point-in-time readiness
> >
> >     assessment audit against the WebTrust for CA Program, or (ii) a point-in-time readiness assessment audit against the
> >
> >     WebTrust EV Program, or an ETSI TS 102 042 audit.
> >
> >
> >
> >     With
> >
> >
> >
> >     (3) If the CA does not have a currently valid WebTrust Seal of Assurance for CAs or an ETSI EN 319 411-1 audit for EVCP policy, then, before issuing EV Certificates, the CA and its Root CA MUST successfully complete either: (i) a point-in-time readiness assessment audit against the WebTrust for CA Program, or (ii) a point-in-time readiness assessment audit against the WebTrust EV Program, or an ETSI EN 319 411-1 for EVCP policy.
> >
> >     -- MOTION ENDS --
> >
> >     The review period for this ballot shall commence at 2200 UTC on 17 June 2016, and will close at 2200 UTC on 24 June 2016. Unless the motion is withdrawn during the review period, the voting period will start immediately thereafter and will close at 2200 UTC on 1 July 2016. Votes must be cast by posting an on-list reply to this thread.
> >
> >     A vote in favor of the motion must indicate a clear 'yes' in the response. A vote against must indicate a clear 'no' in the response. A vote to abstain must indicate a clear 'abstain' in the response. Unclear responses will not be counted. The latest vote received from any representative of a voting member before the close of the voting period will be counted. Voting members are listed here: https://cabforum.org/members/
> >
> >     In order for the motion to be adopted, two thirds or more of the votes cast by members in the CA category and greater than 50% of the votes cast by members in the browser category must be in favor. Quorum is currently ten (10) members: at least ten members must participate in the ballot, either by voting in favor, voting against, or abstaining.
> >
> >
> >
> >
> >
> >
> >
> >     Iñigo Barreira
> >     Head of the Technical Area
> >     i-barreira at izenpe.eus
> >
> >     945067705
> >
> >
> >
> >
> >
> >
> >
> >
> >
> >     _______________________________________________
> >     Public mailing list
> >     Public at cabforum.org
> >     https://cabforum.org/mailman/listinfo/public
> 