<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta name=Generator content="Microsoft Word 14 (filtered medium)"><!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
{font-family:Wingdings;
panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:Wingdings;
panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
{font-family:"Segoe UI";
panose-1:2 11 5 2 4 2 4 2 2 3;}
@font-face
{font-family:"Segoe Pro";}
@font-face
{font-family:"Segoe Pro Display";}
@font-face
{font-family:"Segoe Pro Light";}
@font-face
{font-family:wf_segoe-ui_normal;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:#954F72;
text-decoration:underline;}
p.MsoAcetate, li.MsoAcetate, div.MsoAcetate
{mso-style-priority:99;
mso-style-link:"Texto de globo Car";
margin:0cm;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";}
p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
{mso-style-priority:34;
margin-top:0cm;
margin-right:0cm;
margin-bottom:0cm;
margin-left:36.0pt;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";}
span.TextodegloboCar
{mso-style-name:"Texto de globo Car";
mso-style-priority:99;
mso-style-link:"Texto de globo";
font-family:"Tahoma","sans-serif";}
p.BalloonText, li.BalloonText, div.BalloonText
{mso-style-name:"Balloon Text";
mso-style-link:"Balloon Text Char";
margin:0cm;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";}
span.BalloonTextChar
{mso-style-name:"Balloon Text Char";
mso-style-priority:99;
mso-style-link:"Balloon Text";
font-family:"Segoe UI","sans-serif";}
span.EstiloCorreo22
{mso-style-type:personal;
font-family:"Segoe Pro";
color:windowtext;}
span.EstiloCorreo23
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:#1F497D;}
span.EstiloCorreo24
{mso-style-type:personal;
font-family:"Segoe Pro";
color:#1F497D;}
span.EstiloCorreo25
{mso-style-type:personal;
font-family:"Segoe Pro";
color:windowtext;}
span.EstiloCorreo26
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:#1F497D;}
span.EstiloCorreo27
{mso-style-type:personal;
font-family:"Segoe Pro";
color:#1F497D;}
span.EstiloCorreo28
{mso-style-type:personal;
font-family:"Segoe Pro";
color:windowtext;}
span.EstiloCorreo29
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:#1F497D;}
span.EstiloCorreo30
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=ES link="#0563C1" vlink="#954F72"><div class=WordSection1><p class=MsoNormal><span lang=EN-US style='color:#1F497D'>I think the auditors qualification should be added to the BRs as a general matter valid for all documents produced by the CABF for all type of audits. So, all audits should be conducted in the same way.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='color:#1F497D'><o:p> </o:p></span></p><div><p class=MsoNormal><span lang=EN-US style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal style='line-height:9.75pt'><b><span lang=ES-TRAD style='font-size:8.5pt;font-family:"Tahoma","sans-serif";color:black'>Iñigo Barreira</span></b><span lang=ES-TRAD style='font-size:8.5pt;font-family:"Tahoma","sans-serif";color:black'><br>Responsable del Área técnica<br><a href="mailto:i-barreira@izenpe.net"><span style='color:blue'>i-barreira@izenpe.net</span></a><o:p></o:p></span></p><p class=MsoNormal><span lang=ES-TRAD style='font-size:8.5pt;font-family:"Tahoma","sans-serif";color:black'>945067705</span><span lang=ES-TRAD style='color:#1F497D'><o:p></o:p></span></p><p class=MsoNormal><span lang=ES-TRAD style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='color:#1F497D'><img border=0 width=585 height=111 id="_x0000_i1028" src="cid:image001.png@01D051A1.C24A2D10" alt="Descripción: cid:image001.png@01CE3152.B4804EB0"></span><span lang=ES-TRAD style='color:#1F497D'><o:p></o:p></span></p><p class=MsoNormal style='line-height:9.75pt'><span style='font-size:7.5pt;font-family:"Tahoma","sans-serif";color:#888888;mso-fareast-language:ES-TRAD'>ERNE! Baliteke mezu honen zatiren bat edo mezu osoa legez babestuta egotea. Mezua badu bere hartzailea. Okerreko helbidera heldu bada (helbidea gaizki idatzi, transmisioak huts egin) eman abisu igorleari, korreo honi erantzuna. KONTUZ!</span><span style='color:#888888;mso-fareast-language:ES-TRAD'><br></span><span style='font-size:7.5pt;font-family:"Tahoma","sans-serif";color:#888888;mso-fareast-language:ES-TRAD'>ATENCION! Este mensaje contiene informacion privilegiada o confidencial a la que solo tiene derecho a acceder el destinatario. Si usted lo recibe por error le agradeceriamos que no hiciera uso de la informacion y que se pusiese en contacto con el remitente.</span><span style='font-size:12.0pt;color:navy;mso-fareast-language:ES-TRAD'><o:p></o:p></span></p></div><p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p><div><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0cm 0cm 0cm'><p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>De:</span></b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> Jeremy Rowley [mailto:jeremy.rowley@digicert.com] <br><b>Enviado el:</b> jueves, 26 de febrero de 2015 1:29<br><b>Para:</b> Jody Cloutier; Barreira Iglesias, Iñigo; public@cabforum.org<br><b>Asunto:</b> RE: [cabfpub] Baseline requirements for codesigning - Feb 4 2015.doc<o:p></o:p></span></p></div></div><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><span lang=EN-US style='color:#1F497D'>Should this be added to the BRs instead of code signing? For auditor qualifications, we just incorporate the auditor qualifications by reference.<o:p></o:p></span></p><p class=MsoNormal><a name="_MailEndCompose"></a><span lang=EN-US style='color:#1F497D'><o:p> </o:p></span></p><div><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0cm 0cm 0cm'><p class=MsoNormal><b><span lang=EN-US>From:</span></b><span lang=EN-US> <a href="mailto:public-bounces@cabforum.org">public-bounces@cabforum.org</a> <a href="mailto:[mailto:public-bounces@cabforum.org]">[mailto:public-bounces@cabforum.org]</a> <b>On Behalf Of </b>Jody Cloutier<br><b>Sent:</b> Friday, February 13, 2015 1:28 PM<br><b>To:</b> <a href="mailto:i-barreira@izenpe.net">i-barreira@izenpe.net</a>; <a href="mailto:public@cabforum.org">public@cabforum.org</a><br><b>Subject:</b> Re: [cabfpub] Baseline requirements for codesigning - Feb 4 2015.doc<o:p></o:p></span></p></div></div><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-family:"Segoe Pro";color:#1F497D'>Thank you, Inigo, </span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-family:"Segoe Pro";color:#1F497D'> </span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-family:"Segoe Pro";color:#1F497D'>What seems to be happening is that organizations are applying the ETSI standard in cases in which either there is no National Standards Body, or where the national standards body does not certify the company. Building on the scenario below, Audit Co is not recognized by ISRAC, but Auditor Jones has a CISP certification, which I’ve already confirmed with ETSI is not sufficient. </span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-family:"Segoe Pro";color:#1F497D'> </span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-family:"Segoe Pro";color:#1F497D'>I think what would help here is to make the requirement much more specific:</span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-family:"Segoe Pro";color:#1F497D'> </span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-family:"Segoe Pro";color:#1F497D'>A Qualified Auditor is limited to an auditor that is employed by a company that is certified by a National Authority listed in either the Members or Associate Members link. </span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-family:"Segoe Pro";color:#1F497D'> </span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-family:"Segoe Pro";color:#1F497D'>This, much simplified language, seems to be what you are saying below, but the current language is such that Audit Co can argue that it can issue an ETSI audit because it’s company is certified by another national authority that’s not listed on the ETSI webpages anywhere. </span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-family:"Segoe Pro";color:#1F497D'> </span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-family:"Segoe Pro";color:#1F497D'>Jody</span><span lang=EN-US><o:p></o:p></span></p><div><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0cm 0cm 0cm'><p class=MsoNormal><b><span lang=EN-US>From:</span></b><span lang=EN-US> <a href="mailto:i-barreira@izenpe.net">i-barreira@izenpe.net</a> [<a href="mailto:i-barreira@izenpe.net">mailto:i-barreira@izenpe.net</a>] <br><b>Sent:</b> Friday, February 13, 2015 12:16 AM<br><b>To:</b> Jody Cloutier; <a href="mailto:public@cabforum.org">public@cabforum.org</a><br><b>Subject:</b> RE: [cabfpub] Baseline requirements for codesigning - Feb 4 2015.doc<o:p></o:p></span></p></div></div><p class=MsoNormal><span lang=EN-US> <o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='color:#1F497D'>Dear Jody,</span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='color:#1F497D'> </span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='color:#1F497D'>I understand your concern because it´s not easy for you to manage all possible combinations regarding ETSI audits in different countries so will try to clarify your example.</span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='color:#1F497D'>First of all, no AuditCo has to be member of ETSI, AuditCo can perform ETSI accredited audits without being member of ETSI, they only need to be accredited in their country as stated in Annex E requirements.</span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='color:#1F497D'> </span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='color:#1F497D'>So,</span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-family:"Segoe Pro";color:#1F497D'>For example, </span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-family:"Segoe Pro";color:#1F497D'> </span><span lang=EN-US><o:p></o:p></span></p><p class=MsoListParagraph style='text-indent:-18.0pt'><span lang=EN-US style='font-family:Symbol;color:#1F497D'>·</span><span lang=EN-US style='font-size:7.0pt;font-family:"Times New Roman","serif";color:#1F497D'> </span><span lang=EN-US style='font-family:"Segoe Pro";color:#1F497D'>Company A is a commercial CA that operates in Israel</span><span lang=EN-US><o:p></o:p></span></p><p class=MsoListParagraph style='text-indent:-18.0pt'><span lang=EN-US style='font-family:Symbol;color:#1F497D'>·</span><span lang=EN-US style='font-size:7.0pt;font-family:"Times New Roman","serif";color:#1F497D'> </span><span lang=EN-US style='font-family:"Segoe Pro";color:#1F497D'>Auditor Jones works for AuditCo, which is based in Israel</span><span lang=EN-US><o:p></o:p></span></p><p class=MsoListParagraph style='text-indent:-18.0pt'><span lang=EN-US style='font-family:Symbol;color:#1F497D'>·</span><span lang=EN-US style='font-size:7.0pt;font-family:"Times New Roman","serif";color:#1F497D'> </span><span lang=EN-US style='font-family:"Segoe Pro";color:#1F497D'>AuditCo is certified by some governmental agency as a qualified auditor</span><span lang=EN-US><o:p></o:p></span></p><p class=MsoListParagraph style='text-indent:-18.0pt'><span lang=EN-US style='font-family:"Segoe Pro";color:#1F497D'> </span><span lang=EN-US><o:p></o:p></span></p><p class=MsoListParagraph style='text-indent:-18.0pt'><span lang=EN-US style='font-family:"Segoe Pro";color:#1F497D'>IB</span><span lang=EN-US style='font-family:Wingdings;color:#1F497D'>à</span><span lang=EN-US style='font-family:"Segoe Pro";color:#1F497D'> AuditCo has to be accredited under its National Accreditation Body according to ISO 17021. In the case of Israel, to follow the example, in the associated members tab of the EA, you can find the Israeli accreditation body, called ISRAC. Then AuditCo should be listed there and meeting the requirements to perform ETSI audits according to the national scheme indicated by ISRAC</span><span lang=EN-US><o:p></o:p></span></p><p class=MsoListParagraph style='text-indent:-18.0pt'><span lang=EN-US style='font-family:"Segoe Pro";color:#1F497D'> </span><span lang=EN-US><o:p></o:p></span></p><p class=MsoListParagraph style='text-indent:-18.0pt'><span lang=EN-US style='font-family:Symbol;color:#1F497D'>·</span><span lang=EN-US style='font-size:7.0pt;font-family:"Times New Roman","serif";color:#1F497D'> </span><span lang=EN-US style='font-family:"Segoe Pro";color:#1F497D'>AuditCo is not an ETSI Member or Associate Member</span><span lang=EN-US><o:p></o:p></span></p><p class=MsoListParagraph style='text-indent:-18.0pt'><span lang=EN-US style='font-family:"Segoe Pro";color:#1F497D'> </span><span lang=EN-US><o:p></o:p></span></p><p class=MsoListParagraph style='text-indent:-18.0pt'><span lang=EN-US style='font-family:"Segoe Pro";color:#1F497D'>IB </span><span lang=EN-US style='font-family:Wingdings;color:#1F497D'>à</span><span lang=EN-US style='font-family:"Segoe Pro";color:#1F497D'> this is not necessary. No need to be an ETSI member to perform ETSI audits</span><span lang=EN-US><o:p></o:p></span></p><p class=MsoListParagraph style='text-indent:-18.0pt'><span lang=EN-US style='font-family:"Segoe Pro";color:#1F497D'> </span><span lang=EN-US><o:p></o:p></span></p><p class=MsoListParagraph style='text-indent:-18.0pt'><span lang=EN-US style='font-family:Symbol;color:#1F497D'>·</span><span lang=EN-US style='font-size:7.0pt;font-family:"Times New Roman","serif";color:#1F497D'> </span><span lang=EN-US style='font-family:"Segoe Pro";color:#1F497D'>Auditor Jones audits Company A using the ETSI 102042 standard, and Company A sends the auditor’s attestation letter to Microsoft as evidence that Company A complied with the Program’s requirements. </span><span lang=EN-US><o:p></o:p></span></p><p class=MsoListParagraph style='text-indent:-18.0pt'><span lang=EN-US style='font-family:"Segoe Pro";color:#1F497D'> </span><span lang=EN-US><o:p></o:p></span></p><p class=MsoListParagraph style='text-indent:-18.0pt'><span lang=EN-US style='font-family:"Segoe Pro";color:#1F497D'>IB</span><span lang=EN-US style='font-family:Wingdings;color:#1F497D'>à</span><span lang=EN-US style='font-family:"Segoe Pro";color:#1F497D'> this is perfectly valid if AuditCo is listed in ISRAC and is allowed to perform ETSI audits. Of course Auditor Jones has to be also accredited to perform these kind of audits, has to be “qualified”, so it´s not only the company but also the auditor, but that´s an internal task of the AuditCo.</span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-family:"Segoe Pro";color:#1F497D'> </span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-family:"Segoe Pro";color:#1F497D'> </span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-family:"Segoe Pro";color:#1F497D'>Regarding of being member of not, this is voluntary, they can join ETSI or not and don´t think that solve the problem because joining ETSI does not mean that you´re “qualified” or “accredited” to perform an ETSI audit, it´s just indicate that you belong to a club for example.</span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-family:"Segoe Pro";color:#1F497D'>And of course, if company A needs an auditing company accredited in Israel and there´s none, they can look for in other countries. For example, in Spain there´s no accredited auditing bodies to perform ETSI audits listed in our NAB, called ENAC, so, we, Izenpe, had to look for another option. So, we contacted for the first 6 years with KPMG in the Netherlands, and the last 3, with TUV IT in Germany. And Izenpe has an accredited ETSI audits according to the, right now, German national scheme and we´re listed in Germany.</span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-family:"Segoe Pro";color:#1F497D'> </span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-family:"Segoe Pro";color:#1F497D'>We´ll debate this within ETSI ESI trying to find an easier solution.</span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-family:"Segoe Pro";color:#1F497D'> </span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-family:"Segoe Pro";color:#1F497D'>Regards</span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'> </span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'> </span><span lang=EN-US><o:p></o:p></span></p><div><p class=MsoNormal><span style='color:#1F497D'> </span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal style='line-height:9.75pt'><b><span lang=ES-TRAD style='font-size:8.5pt;font-family:"Tahoma","sans-serif";color:black'>Iñigo Barreira</span></b><span lang=ES-TRAD style='font-size:8.5pt;font-family:"Tahoma","sans-serif";color:black'><br>Responsable del Área técnica<br><a href="mailto:i-barreira@izenpe.net"><span style='color:blue'>i-barreira@izenpe.net</span></a></span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=ES-TRAD style='font-size:8.5pt;font-family:"Tahoma","sans-serif";color:black'>945067705</span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=ES-TRAD style='color:#1F497D'> </span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'><img border=0 width=585 height=111 id="Imagen_x0020_1" src="cid:image001.png@01D051A1.C24A2D10" alt="Descripción: cid:image001.png@01CE3152.B4804EB0"></span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal style='line-height:9.75pt'><span style='font-size:7.5pt;font-family:"Tahoma","sans-serif";color:#888888;mso-fareast-language:ES-TRAD'>ERNE! Baliteke mezu honen zatiren bat edo mezu osoa legez babestuta egotea. Mezua badu bere hartzailea. Okerreko helbidera heldu bada (helbidea gaizki idatzi, transmisioak huts egin) eman abisu igorleari, korreo honi erantzuna. KONTUZ!</span><span style='color:#888888;mso-fareast-language:ES-TRAD'><br></span><span style='font-size:7.5pt;font-family:"Tahoma","sans-serif";color:#888888;mso-fareast-language:ES-TRAD'>ATENCION! Este mensaje contiene informacion privilegiada o confidencial a la que solo tiene derecho a acceder el destinatario. Si usted lo recibe por error le agradeceriamos que no hiciera uso de la informacion y que se pusiese en contacto con el remitente.</span><span lang=EN-US><o:p></o:p></span></p></div><p class=MsoNormal><span style='color:#1F497D'> </span><span lang=EN-US><o:p></o:p></span></p><div><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0cm 0cm 0cm'><p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>De:</span></b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> Jody Cloutier [<a href="mailto:jodycl@microsoft.com">mailto:jodycl@microsoft.com</a>] <br><b>Enviado el:</b> miércoles, 11 de febrero de 2015 0:32<br><b>Para:</b> Barreira Iglesias, Iñigo; <a href="mailto:public@cabforum.org">public@cabforum.org</a><br><b>Asunto:</b> RE: [cabfpub] Baseline requirements for codesigning - Feb 4 2015.doc</span><span lang=EN-US><o:p></o:p></span></p></div></div><p class=MsoNormal> <span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-family:"Segoe Pro";color:#1F497D'>Thank you, Inigo. </span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-family:"Segoe Pro";color:#1F497D'> </span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-family:"Segoe Pro";color:#1F497D'>I think the problem is that, under ETSI, it’s difficult to discern what an “equivalent national scheme” is. This sets up the scenario in which an auditor is employed by an organization that is recognized somehow by the government, but is not affiliated with an ETSI member organization (<a href="http://www.european-accreditation.org/home">http://www.european-accreditation.org/home</a> ). Microsoft does not know whether or not this auditor is qualified or not. </span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-family:"Segoe Pro";color:#1F497D'> </span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-family:"Segoe Pro";color:#1F497D'>For example, </span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-family:"Segoe Pro";color:#1F497D'> </span><span lang=EN-US><o:p></o:p></span></p><p class=MsoListParagraph style='text-indent:-18.0pt'><span lang=EN-US style='font-family:Symbol;color:#1F497D'>·</span><span lang=EN-US style='font-size:7.0pt;font-family:"Times New Roman","serif";color:#1F497D'> </span><span lang=EN-US style='font-family:"Segoe Pro";color:#1F497D'>Company A is a commercial CA that operates in Israel</span><span lang=EN-US><o:p></o:p></span></p><p class=MsoListParagraph style='text-indent:-18.0pt'><span lang=EN-US style='font-family:Symbol;color:#1F497D'>·</span><span lang=EN-US style='font-size:7.0pt;font-family:"Times New Roman","serif";color:#1F497D'> </span><span lang=EN-US style='font-family:"Segoe Pro";color:#1F497D'>Auditor Jones works for AuditCo, which is based in Israel</span><span lang=EN-US><o:p></o:p></span></p><p class=MsoListParagraph style='text-indent:-18.0pt'><span lang=EN-US style='font-family:Symbol;color:#1F497D'>·</span><span lang=EN-US style='font-size:7.0pt;font-family:"Times New Roman","serif";color:#1F497D'> </span><span lang=EN-US style='font-family:"Segoe Pro";color:#1F497D'>AuditCo is certified by some governmental agency as a qualified auditor</span><span lang=EN-US><o:p></o:p></span></p><p class=MsoListParagraph style='text-indent:-18.0pt'><span lang=EN-US style='font-family:Symbol;color:#1F497D'>·</span><span lang=EN-US style='font-size:7.0pt;font-family:"Times New Roman","serif";color:#1F497D'> </span><span lang=EN-US style='font-family:"Segoe Pro";color:#1F497D'>AuditCo is not an ETSI Member or Associate Member</span><span lang=EN-US><o:p></o:p></span></p><p class=MsoListParagraph style='text-indent:-18.0pt'><span lang=EN-US style='font-family:Symbol;color:#1F497D'>·</span><span lang=EN-US style='font-size:7.0pt;font-family:"Times New Roman","serif";color:#1F497D'> </span><span lang=EN-US style='font-family:"Segoe Pro";color:#1F497D'>Auditor Jones audits Company A using the ETSI 102042 standard, and Company A sends the auditor’s attestation letter to Microsoft as evidence that Company A complied with the Program’s requirements. </span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-family:"Segoe Pro";color:#1F497D'> </span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-family:"Segoe Pro";color:#1F497D'>In this scenario, how does Microsoft know that Auditor Jones conducted a proper audit without expending significant resources to determine whether and according to what standard AuditCo and Auditor Jones was certified? </span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-family:"Segoe Pro";color:#1F497D'> </span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-family:"Segoe Pro";color:#1F497D'>Microsoft believes that it would be simpler if the requirements were that the Auditor must work for a company that is affiliated with an ETSI-approved member organization. If Company A needs an auditor and there is no qualified auditor in Israel, the company can use an auditor from a member organization via the cross-border conformity rules. </span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-family:"Segoe Pro";color:#1F497D'> </span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-family:"Segoe Pro";color:#1F497D'>Unless I am fundamentally misunderstanding the rules, the above is something that Microsoft is presently struggling with, and we’d like to try to make the rules easier to understand for potential partners and ourselves. </span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-family:"Segoe Pro";color:#1F497D'> </span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-family:"Segoe Pro"'> </span><span lang=EN-US><o:p></o:p></span></p><table class=MsoNormalTable border=0 cellspacing=0 cellpadding=0 style='border-collapse:collapse'><tr><td width=623 colspan=4 valign=top style='width:467.5pt;padding:0cm 5.4pt 0cm 5.4pt'><p class=MsoNormal><b><span style='font-family:"Segoe Pro Display"'>Jody Cloutier</span></b><o:p></o:p></p><p class=MsoNormal><i><span style='font-size:9.0pt;font-family:"Segoe Pro Light"'>Senior Security Program Manager</span></i><o:p></o:p></p><p class=MsoNormal><a href="http://aka.ms/rootcert"><b><span style='font-size:9.0pt;font-family:"Segoe Pro Light"'>Microsoft Trusted Root Certificate Program</span></b></a><o:p></o:p></p></td></tr><tr><td width=156 valign=top style='width:116.85pt;padding:0cm 5.4pt 0cm 5.4pt'><p class=MsoNormal><a href="mailto:jody.cloutier@microsoft.com"><span style='font-size:8.0pt;font-family:"Segoe Pro"'>jody.cloutier@microsoft.com</span></a><o:p></o:p></p></td><td width=156 valign=top style='width:116.9pt;padding:0cm 5.4pt 0cm 5.4pt'><p class=MsoNormal><span style='font-size:8.0pt;font-family:"Segoe Pro";color:#0072BC;border:none windowtext 1.0pt;padding:0cm'>425.443.8922</span><o:p></o:p></p></td><td width=156 valign=top style='width:116.85pt;padding:0cm 5.4pt 0cm 5.4pt'><p class=MsoNormal><span style='font-size:8.0pt;font-family:wf_segoe-ui_normal;color:#0072BC;border:none windowtext 1.0pt;padding:0cm'> </span><o:p></o:p></p></td><td width=156 valign=top style='width:116.9pt;padding:0cm 5.4pt 0cm 5.4pt'><p class=MsoNormal><span style='font-size:8.0pt;font-family:wf_segoe-ui_normal;color:#0072BC;border:none windowtext 1.0pt;padding:0cm'> </span><o:p></o:p></p></td></tr><tr><td width=623 colspan=4 valign=top style='width:467.5pt;padding:0cm 5.4pt 0cm 5.4pt'><p class=MsoNormal><b><u><span style='font-size:10.0pt;font-family:"Segoe Pro Light";color:#5B9BD5'>O</span></u></b><span style='font-size:10.0pt;font-family:"Segoe Pro Light"'>perating <b><u><span style='color:#ED7D31'>S</span></u></b>ystems <b><u><span style='color:red'>G</span></u></b>roup</span><i><span style='font-size:9.0pt;font-family:"Segoe Pro Light"'> </span></i><b><u><span style='font-size:9.0pt;font-family:"Segoe Pro Light"'>G</span></u></b><span style='font-size:9.0pt;font-family:"Segoe Pro Light"'>lobal <b><u>R</u></b>isk and <b><u>C</u></b>ompliance</span><o:p></o:p></p></td></tr><tr><td width=623 colspan=4 valign=top style='width:467.5pt;padding:0cm 5.4pt 0cm 5.4pt'><p class=MsoNormal><a href="http://microsoft.com/"><span style='font-size:8.0pt;font-family:wf_segoe-ui_normal;color:#0072BC;border:none windowtext 1.0pt;padding:0cm;text-decoration:none'><img border=0 width=122 height=26 id="Picture_x0020_3" src="cid:image002.png@01D051A1.C24A2D10" alt="https://brandtools.microsoft.com/Style%20Library/BT/Images/MicrosoftMasterLogo.png"></span></a><o:p></o:p></p></td></tr></table><p class=MsoNormal><span lang=EN-US> <o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-family:"Segoe Pro"'> </span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-family:"Segoe Pro";color:#1F497D'> </span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-family:"Segoe Pro";color:#1F497D'> </span><span lang=EN-US><o:p></o:p></span></p><div><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0cm 0cm 0cm'><p class=MsoNormal><b><span lang=EN-US>From:</span></b><span lang=EN-US> <a href="mailto:i-barreira@izenpe.net">i-barreira@izenpe.net</a> <a href="mailto:[mailto:i-barreira@izenpe.net]">[mailto:i-barreira@izenpe.net]</a> <br><b>Sent:</b> Tuesday, February 10, 2015 3:09 AM<br><b>To:</b> Jody Cloutier; <a href="mailto:public@cabforum.org">public@cabforum.org</a><br><b>Subject:</b> RE: [cabfpub] Baseline requirements for codesigning - Feb 4 2015.doc<o:p></o:p></span></p></div></div><p class=MsoNormal><span lang=EN-US> <o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='color:#1F497D'>Hi Jody,</span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='color:#1F497D'> </span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='color:#1F497D'>Regarding your comment on ETSI audits, I have to say that the ETSI audits shall be performed by accredited auditors as mentioned in Annex E of the current ETSI TS 102 042. ETSI audits performed by not accredited auditors shall be considered invalid. </span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='color:#1F497D'>Microsoft is accepting ETSI audits since the very beginning in its root program requirements indicating this requirement. ETSI is providing a list of accredited auditors as mere information because has to be maintained by every NAB (National Accreditation Body).</span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='color:#1F497D'>It´s true that this has to be improved regarding the new regulation 910/2014 and the new ENs and will take some time, but at the moment, it´s clearly stated that the audits shall be performed by accredited auditors.</span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='color:#1F497D'> </span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='color:#1F497D'>Don´t hesitate in contacting me for any additional information or help. Sometimes I´ve received some emails from Tom or Kelvin asking for the qualification of some audits, so, as say, you can contact me regarding this issue.</span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='color:#1F497D'> </span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='color:#1F497D'>Regards</span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='color:#1F497D'> </span><span lang=EN-US><o:p></o:p></span></p><div><p class=MsoNormal><span lang=EN-US style='color:#1F497D'> </span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal style='line-height:9.75pt'><b><span lang=ES-TRAD style='font-size:8.5pt;font-family:"Tahoma","sans-serif";color:black'>Iñigo Barreira</span></b><span lang=ES-TRAD style='font-size:8.5pt;font-family:"Tahoma","sans-serif";color:black'><br>Responsable del Área técnica<br><a href="mailto:i-barreira@izenpe.net"><span style='color:blue'>i-barreira@izenpe.net</span></a></span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=ES-TRAD style='font-size:8.5pt;font-family:"Tahoma","sans-serif";color:black'>945067705</span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=ES-TRAD style='color:#1F497D'> </span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'><img border=0 width=585 height=111 id="_x0000_i1027" src="cid:image001.png@01D051A1.C24A2D10" alt="Descripción: cid:image001.png@01CE3152.B4804EB0"></span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal style='line-height:9.75pt'><span style='font-size:7.5pt;font-family:"Tahoma","sans-serif";color:#888888;mso-fareast-language:ES-TRAD'>ERNE! Baliteke mezu honen zatiren bat edo mezu osoa legez babestuta egotea. Mezua badu bere hartzailea. Okerreko helbidera heldu bada (helbidea gaizki idatzi, transmisioak huts egin) eman abisu igorleari, korreo honi erantzuna. KONTUZ!</span><span style='color:#888888;mso-fareast-language:ES-TRAD'><br></span><span style='font-size:7.5pt;font-family:"Tahoma","sans-serif";color:#888888;mso-fareast-language:ES-TRAD'>ATENCION! Este mensaje contiene informacion privilegiada o confidencial a la que solo tiene derecho a acceder el destinatario. Si usted lo recibe por error le agradeceriamos que no hiciera uso de la informacion y que se pusiese en contacto con el remitente.</span><span lang=EN-US><o:p></o:p></span></p></div><p class=MsoNormal><span style='color:#1F497D'> </span><span lang=EN-US><o:p></o:p></span></p><div><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0cm 0cm 0cm'><p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>De:</span></b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> <a href="mailto:public-bounces@cabforum.org">public-bounces@cabforum.org</a> [<a href="mailto:public-bounces@cabforum.org">mailto:public-bounces@cabforum.org</a>] <b>En nombre de </b>Jody Cloutier<br><b>Enviado el:</b> lunes, 09 de febrero de 2015 18:55<br><b>Para:</b> CABFPub (<a href="mailto:public@cabforum.org">public@cabforum.org</a>)<br><b>Asunto:</b> [cabfpub] Baseline requirements for codesigning - Feb 4 2015.doc</span><span lang=EN-US><o:p></o:p></span></p></div></div><p class=MsoNormal> <span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-family:"Segoe Pro"'>Microsoft comments on Section 17. </span><span lang=EN-US><o:p></o:p></span></p></div></body></html>