<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=us-ascii"><meta name=Generator content="Microsoft Word 12 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Calibri","sans-serif";
color:windowtext;}
p.Default, li.Default, div.Default
{mso-style-name:Default;
margin:0cm;
margin-bottom:.0001pt;
text-autospace:none;
font-size:12.0pt;
font-family:"Times New Roman","serif";
color:black;}
p.line874, li.line874, div.line874
{mso-style-name:line874;
mso-margin-top-alt:auto;
margin-right:0cm;
mso-margin-bottom-alt:auto;
margin-left:0cm;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
p.line862, li.line862, div.line862
{mso-style-name:line862;
mso-margin-top-alt:auto;
margin-right:0cm;
mso-margin-bottom-alt:auto;
margin-left:0cm;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
.MsoChpDefault
{mso-style-type:export-only;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:70.85pt 70.85pt 70.85pt 70.85pt;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=NO-BOK link=blue vlink=purple><div class=WordSection1><p class=MsoNormal><span lang=EN-US>Hi<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US>During our discussion on coordinating audit and standards cycle in Munich, I suggested to remove the version numbers in CABF Guidelines to specific WebTrust and ETSI version numbers as this creates a circular<span style='color:#1F497D'> </span>and inconsistent result. <o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US>This ballot removes the version numbers from EV Guidelines and the Baseline Requirements (BR).<span style='color:#1F497D'> <o:p></o:p></span></span></p><p class=MsoNormal><span lang=EN-US style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US>I have included some additional changes which I consider reasonable; The ETSI TS 102 042 comprises seven different set of policy requirements for different types of certificates, both SSL and non-SSL certificates. I have included the specific CPs for SSL certificates explicitly in the references to TS 102 042 where this is relevant. The following CPs are referenced; Domain Validation (DVCP), Organizational Validation (OVCP), Extended Validation (EVCP) and enhanced Extended Validation (EVCP+). <o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US>I have also deleted some links to explicit documents on the web. Such document links might change, and the interested reader will find the document anyway.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US>I am also looking for a second endorser for this motion. <o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US>Find redlined versions of relevant sections from EV Guidelines and Baseline Requirements attached. <o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US>Regards<br>Mads<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><b><span lang=EN-US>Ballot 107 – Removing version numbers to WebTrust and ETSI standards from CABF Guidelines (EVG and BR)<o:p></o:p></span></b></p><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US>Mads Henriksveen made the following motion, and Ben Wilson from DigiCert and _______ from _______ endorsed it: <o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><p class=MsoNormal><b><span lang=EN-US>Motion Begins <o:p></o:p></span></b></p><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><p class=MsoNormal><i><span lang=EN-US>Baseline Requirements (BR)<o:p></o:p></span></i></p><p class=MsoNormal><b><span lang=EN-US style='font-size:10.0pt'><o:p> </o:p></span></b></p><p class=MsoNormal><u><span lang=EN-US>Document History<o:p></o:p></span></u></p><p class=MsoNormal><b><span lang=EN-US style='font-size:10.0pt'><o:p> </o:p></span></b></p><p class=MsoNormal><b><span lang=EN-US>Implementers’ Note: </span></b><span lang=EN-US>Version 1.1 of these SSL Baseline Requirements was published on September 14, 2012. Version 1.1 of WebTrust’s SSL Baseline Audit Criteria and ETSI Technical Standard Electronic Signatures and Infrastructures (ESI) 102 042 version 2.3.1 incorporate version 1.1 of these Baseline Requirements <s><span style='color:blue'>and are currently in effect. <i>See </i><a href="http://www.webtrust.org/homepage-documents/item27839.aspx">http://www.webtrust.org/homepage-documents/item27839.aspx</a> <i>and also </i><a href="http://www.etsi.org/deliver/etsi_ts/102000_102099/102042/02.03.01_60/ts_102042v020301p.pdf">http://www.etsi.org/deliver/etsi_ts/102000_102099/102042/02.03.01_60/ts_102042v020301p.pdf</a></span></s><span style='color:blue'>.</span><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><p class=MsoNormal><u><span lang=EN-US>Section 3. References<o:p></o:p></span></u></p><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US>ETSI Electronic Signatures and Infrastructures (ESI); Trust Service Provider Conformity Assessment - General Requirements and Guidance<s><span style='color:blue'>, available at: <a href="http://www.etsi.org/deliver/etsi_ts/119400_119499/119403/01.01.01_60/ts_119403v010101p.pdf">http://www.etsi.org/deliver/etsi_ts/119400_119499/119403/01.01.01_60/ts_119403v010101p.pdf</a></span></s><span style='color:blue'>.<o:p></o:p></span></span></p><p class=MsoNormal><span lang=EN-US style='color:blue'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US>ETSI TS 102 042 <s><span style='color:blue'>V2.1.1,</span></s><span style='color:blue'> </span>Electronic Signatures and Infrastructures (ESI); Policy requirements for certification authorities issuing public key certificates.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US>WebTrust <span style='color:blue'>Program </span>for Certification Authorities <s><span style='color:blue'>Version 2.0, available at <a href="http://www.webtrust.org/homepage-documents/item27839.aspx">http://www.webtrust.org/homepage-documents/item27839.aspx</a>.<o:p></o:p></span></s></span></p><p class=MsoNormal><s><span lang=EN-US style='color:blue'><o:p><span style='text-decoration:none'> </span></o:p></span></s></p><p class=MsoNormal><u><span lang=EN-US>Section 17.1 Eligible Audit Schemes<o:p></o:p></span></u></p><p class=Default><span lang=EN-US style='font-size:10.0pt'><o:p> </o:p></span></p><p class=Default><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif"'>The CA SHALL undergo an audit in accordance with one of the following schemes: <o:p></o:p></span></p><p class=Default><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif"'>1. WebTrust </span><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:blue'>Program </span><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif"'>for Certification Authorities </span><s><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:blue'>v2.0</span></s><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:blue'> audit</span><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif"'>; <o:p></o:p></span></p><p class=Default><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif"'>2. </span><s><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:blue'>A national scheme that audits conformance to</span></s><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:blue'> </span><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif"'>ETSI TS 102 042 </span><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:blue'>audit including DVCP, OVCP, EVCP or EVCP+</span><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif"'>; <o:p></o:p></span></p><p class=Default><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif"'>3. A scheme that audits conformance to ISO 21188:2006; or <o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>4. If a Government CA is required by its Certificate Policy to use a different internal audit scheme, it MAY use such scheme provided that the audit either (a) encompasses all requirements<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><p class=MsoNormal><i><span lang=EN-US>EV Guidelines(EVG)<o:p></o:p></span></i></p><p class=MsoNormal><i><span lang=EN-US><o:p> </o:p></span></i></p><p class=MsoNormal><u><span lang=EN-US>Section 8.2.1 Implementation<o:p></o:p></span></u></p><p class=MsoNormal><span lang=EN-US style='font-size:10.0pt'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US>(B) Implement the requirements of (i) the then-current WebTrust Program for CAs, and <s><span style='color:red'>(ii) </span></s>the then-current WebTrust EV Program or <span style='color:red'>(ii) the then-current </span>ETSI TS 102 042 <span style='color:red'>EV Certificate Policies (EVCP or EVCP+) <s>V2.1.1</s></span>; and<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><p class=MsoNormal><u><span lang=EN-US>Section 8.2.2 Disclosure<o:p></o:p></span></u></p><p class=MsoNormal><span lang=EN-US style='font-size:10.0pt'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US>Each CA MUST publicly disclose their EV Policies through an appropriate and readily accessible online means that is available on a 24x7 basis. The CA is also REQUIRED to publicly disclose its CA business practices as required by both WebTrust for CAs and ETSI TS 102 042 <s><span style='color:red'>V2.1.1</span></s>. The disclosures MUST be structured in accordance with either RFC 2527 or RFC 3647.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><p class=MsoNormal><u><span lang=EN-US>Section 17.1 Eligible Audit Schemes<o:p></o:p></span></u></p><p class=Default><span lang=EN-US style='font-size:10.0pt'><o:p> </o:p></span></p><p class=Default><span lang=EN-US style='font-size:11.0pt'>A CA issuing EV Certificates SHALL undergo an audit in accordance with one of the following schemes: <o:p></o:p></span></p><p class=Default><span lang=EN-US style='font-size:11.0pt'>(i) WebTrust Program for C</span><span lang=EN-US style='font-size:11.0pt;color:red'>ertification </span><span lang=EN-US style='font-size:11.0pt'>A</span><span lang=EN-US style='font-size:11.0pt;color:red'>uthorite</span><span lang=EN-US style='font-size:11.0pt'>s audit and WebTrust EV Program audit, or <o:p></o:p></span></p><p class=Default><span lang=EN-US style='font-size:11.0pt'>(ii) ETSI TS 102 042 </span><s><span lang=EN-US style='font-size:11.0pt;color:red'>v2.1.1 </span></s><span lang=EN-US style='font-size:11.0pt'>audit </span><span lang=EN-US style='font-size:11.0pt;color:red'>including EVCP or EVCP+</span><span lang=EN-US style='font-size:11.0pt'>. <o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><p class=MsoNormal><u><span lang=EN-US>Section 17.4 Pre-Issuance Readiness Audit<o:p></o:p></span></u></p><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><p class=Default><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif"'>(2) If the CA has a currently valid ETSI 102 042 audit, then, before issuing EV Certificates, the CA and its Root CA MUST successfully complete a point-in-time readiness assessment audit against ETSI TS 102 042 </span><s><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:red'>V2.1.1</span></s><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:red'> EVCP or EVCP+</span><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif"'>. <o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>(3) If the CA does not have a currently valid WebTrust Seal of Assurance for CAs or an ETSI 102 042 audit, then, before issuing EV Certificates, the CA and its Root CA MUST successfully complete either: (i) a point-in-time readiness assessment audit against the WebTrust for CA Program, or (ii) a point-in-time readiness assessment audit against the WebTrust EV Program, or an ETSI TS 102 042 <s><span style='color:red'>V2.1.1.</span></s><span style='color:red'> </span>audit <span style='color:red'>including EVCP or EVCP+</span>.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><p class=line874 style='background:white'><span lang=EN-US style='font-size:10.0pt;font-family:"Arial","sans-serif";color:black'>The review period for this ballot shall commence on July 24th, 2013 and will close on July 31, 2013. Unless the motion is withdrawn during the review period, the voting period will start immediately thereafter and will close at August 7th, 2013. Votes must be cast by posting an on-list reply to this thread</span><span lang=EN-US style='font-size:9.0pt;font-family:"Arial","sans-serif";color:black'>.<o:p></o:p></span></p><p class=MsoNormal><b><span lang=EN-US>Motion Ends<o:p></o:p></span></b></p><p class=line862 style='background:white'><span lang=EN-US style='font-size:10.0pt;font-family:"Arial","sans-serif";color:black'>A vote in favor of the motion must indicate a clear 'yes' in the response. A vote against must indicate a clear 'no' in the response. A vote to abstain must indicate a clear 'abstain' in the response. Unclear responses will not be counted. The latest vote received from any representative of a voting member before the close of the voting period will be counted. Voting members are listed here: </span><span style='font-size:10.0pt;font-family:"Arial","sans-serif";color:black'><a href="http://www.cabforum.org/forum.html"><span lang=EN-US style='border:none windowtext 1.0pt;padding:0cm'>http://www.cabforum.org/forum.html</span></a></span><span lang=EN-US style='font-size:10.0pt;font-family:"Arial","sans-serif";color:black'> In order for the motion to be adopted, two thirds or more of the votes cast by members in the CA category and one half or more of the votes cast by members in the browser category must be in favor. Also, at least seven members must participate in the ballot, either by voting in favor, voting against, or abstaining.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p></div></body></html>