<div dir="ltr">Inigo,<div><br></div><div>The point is that the Baseline Requirements should make it clearer that conformance to the BRs requires an annual (full) audit, as discussed by Jody and I. The proposed change is to Section 8.2 of the BRs to make it explicit that the annual surveillance audit, as required by eIDAS, is insufficient, and that a full audit to the relevant ETSI standards is necessary.</div><div><br></div><div>This doesn't change eIDAS. It doesn't change the ETSI standards. But it does define, clearly, what conformance to the Baseline Requirements means. The Baseline Requirements already defines the audit period as 1 year (see Section 8.1) - Dean was pointing out that if we want to make the Baseline Requirements' clearer, and reflecting what trust stores already expect, then we'd need a ballot to change the wording in 8.2 to provide that clarity.</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Jun 2, 2016 at 3:56 AM, Barreira Iglesias, Iñigo <span dir="ltr"><<a href="mailto:i-barreira@izenpe.eus" target="_blank">i-barreira@izenpe.eus</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="white" lang="ES" link="blue" vlink="purple">
<div>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Not sure what you mean. There´s no change nor in any ETSI standards nor in eIDAS, what it was suggested was than instead of applying what eIDAS
indicates of a maximum of 2 years with annual surveillance audits, applying full yearly audits for the CABF, so this is also according to eIDAS and then I think there´s nothing to vote here. The idea is that the TSPs shall follow the browser requirements independently
of using Webtrust or ETSI audits and these have to be aware by their CABs. And the ACABc is trying to make this resolution public.<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p>
<div>
<div style="border:none;border-top:solid #b5c4df 1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">De:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif""> Dean Coclin [mailto:<a href="mailto:Dean_Coclin@symantec.com" target="_blank">Dean_Coclin@symantec.com</a>]
<br>
<b>Enviado el:</b> domingo, 29 de mayo de 2016 2:33<br>
<b>Para:</b> Barreira Iglesias, Iñigo; tScheme Technical Manager; <a href="mailto:public@cabforum.org" target="_blank">public@cabforum.org</a></span></p><div><div class="h5"><br>
<b>Asunto:</b> RE: [cabfpub] RV: Text for ETSI Audit in CAB Forum baseline<u></u><u></u></div></div><p></p>
</div>
</div><div><div class="h5">
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">As you know, changing this will require discussion and a ballot. Who will drive that? Inigo?<br>
<br>
Thanks,<br>
Dean<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p>
<div>
<div style="border:none;border-top:solid #e1e1e1 1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri","sans-serif"">From:</span></b><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri","sans-serif"">
<a href="mailto:public-bounces@cabforum.org" target="_blank">public-bounces@cabforum.org</a> [<a href="mailto:public-bounces@cabforum.org" target="_blank">mailto:public-bounces@cabforum.org</a>]
<b>On Behalf Of </b>Barreira Iglesias, Iñigo<br>
<b>Sent:</b> Thursday, May 26, 2016 9:27 AM<br>
<b>To:</b> tScheme Technical Manager <<a href="mailto:richard.trevorah@tScheme.org" target="_blank">richard.trevorah@tScheme.org</a>>;
<a href="mailto:public@cabforum.org" target="_blank">public@cabforum.org</a><br>
<b>Subject:</b> Re: [cabfpub] RV: Text for ETSI Audit in CAB Forum baseline<u></u><u></u></span></p>
</div>
</div>
<p class="MsoNormal"><span lang="EN-US"><u></u> <u></u></span></p>
<p><span lang="EN-US" style="font-family:"Calibri","sans-serif";color:black">Richard,<u></u><u></u></span></p>
<p><span lang="EN-US" style="font-family:"Calibri","sans-serif";color:black"> <u></u><u></u></span></p>
<p><span lang="EN-US" style="font-family:"Calibri","sans-serif";color:black">yesterday was agreed to have full audits yearly to meet browser requirements. So even eIDAS says the 2 years audit with anual surveillance audits, it was decided to change to yearly
full audits, and that´s what the text from Nick reflects.<u></u><u></u></span></p>
<p><span lang="EN-US" style="font-family:"Calibri","sans-serif";color:black">This is in the CABF documents affecting the SSL certificates at the moment.<u></u><u></u></span></p>
<div>
<div class="MsoNormal" align="center" style="text-align:center"><span lang="EN-US" style="font-family:"Calibri","sans-serif";color:#212121">
<hr size="2" width="98%" align="center">
</span></div>
<div>
<p class="MsoNormal"><b><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:black">De:</span></b><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:black"> tScheme Technical Manager <<a href="mailto:richard.trevorah@tScheme.org" target="_blank">richard.trevorah@tScheme.org</a>><br>
<b>Enviado:</b> jueves, 26 de mayo de 2016 9:50<br>
<b>Para:</b> Barreira Iglesias, Iñigo; <a href="mailto:public@cabforum.org" target="_blank">public@cabforum.org</a><br>
<b>Asunto:</b> RE: [cabfpub] RV: Text for ETSI Audit in CAB Forum baseline</span><span lang="EN-US" style="font-family:"Calibri","sans-serif";color:#212121">
<u></u><u></u></span></p>
<div>
<p class="MsoNormal"><span lang="EN-US" style="font-family:"Calibri","sans-serif";color:#212121"> <u></u><u></u></span></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">My only comment on Nick’s proposal is on frequency.</span><span lang="EN-US" style="color:#212121"><u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"> </span><span lang="EN-US" style="color:#212121"><u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">In Mr Wanko’s presentation he has:</span><span lang="EN-US" style="color:#212121"><u></u><u></u></span></p>
<p><span lang="EN-US" style="font-size:11.0pt;color:#1f497d">“</span><b><span lang="EN-US" style="font-size:16.0pt;color:#505050">7.4.6 Audit Frequency
</span></b><span lang="EN-US"><u></u><u></u></span></p>
<p><span lang="EN-US" style="font-size:16.0pt;font-family:Wingdings;color:#c00000">§</span><i><span lang="EN-US" style="font-size:16.0pt">There shall be a period of no greater than
</span></i><b><i><span lang="EN-US" style="font-size:16.0pt;color:red">two years </span>
</i></b><i><span lang="EN-US" style="font-size:16.0pt">for a full (re-)assessment audit unless otherwise required by the […] commercial scheme applying the present document.
</span></i><span lang="EN-US"><u></u><u></u></span></p>
<p><span lang="EN-US" style="font-size:16.0pt"> </span><span lang="EN-US"><u></u><u></u></span></p>
<p><b><span lang="EN-US" style="font-size:16.0pt;color:#505050">7.9 Surveillance
</span></b><span lang="EN-US"><u></u><u></u></span></p>
<p><span lang="EN-US" style="font-size:16.0pt;font-family:Wingdings;color:#c00000">§</span><i><span lang="EN-US" style="font-size:16.0pt">[…] It is recommended that at least
</span></i><b><i><span lang="EN-US" style="font-size:16.0pt;color:red">one surveillance audit per year
</span></i></b><i><span lang="EN-US" style="font-size:16.0pt">is performed in between full (re-)assessment audits.
</span></i><span lang="EN-US" style="font-size:11.0pt;color:#1f497d">”</span><span lang="EN-US"><u></u><u></u></span></p>
<p><span lang="EN-US" style="font-size:11.0pt;color:#1f497d"> </span><span lang="EN-US"><u></u><u></u></span></p>
<p><span lang="EN-US" style="font-size:11.0pt;color:#1f497d">Which I think captures the eIDAS regulation rather than Nick’s proposal for a full audit annually, so I would change the final sentence to:</span><span lang="EN-US"><u></u><u></u></span></p>
<p><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">“</span><span lang="EN-US" style="font-size:10.0pt;font-family:TimesNewRomanPSMT;color:#212121">Full audits against the ETSI standards shall
be carried out at least every two years and there should be at least one surveillance audit per year between full audits.
</span><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">”</span><span lang="EN-US" style="color:#212121"><u></u><u></u></span></p>
<p><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"> </span><span lang="EN-US" style="color:#212121"><u></u><u></u></span></p>
<p><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Regards</span><span lang="EN-US" style="color:#212121"><u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Richard</span><span lang="EN-US" style="color:#212121"><u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt;color:black">------------------------------------<br>
Richard Trevorah<br>
Technical Manager<br>
tScheme Limited<br>
<br>
M: <a href="tel:%2B44%20%280%29%20781%20809%204728" value="+447818094728" target="_blank">+44 (0) 781 809 4728</a><br>
F: <a href="tel:%2B44%20%280%29%20870%20005%206311" value="+448700056311" target="_blank">+44 (0) 870 005 6311</a><br>
<br>
</span><span lang="EN-US" style="color:#1f497d"><a href="http://www.tscheme.org" target="_blank">http://www.tscheme.org</a><br>
</span><span lang="EN-US" style="color:black">------------------------------------<br>
<br>
The information in this message and, if present, any attachments are intended solely for the attention and use of the named addressee(s). The content of this e-mail and its attachments is confidential and may be legally privileged. Unless otherwise stated,
any use or disclosure is unauthorised and may be unlawful.<br>
<br>
If you are not the intended recipient, please delete the message and any attachments and notify the sender as soon as practicable</span><span lang="EN-US" style="color:#212121"><u></u><u></u></span></p>
<p><span lang="EN-US" style="font-family:"Calibri","sans-serif";color:#212121"> </span><span lang="EN-US" style="color:#212121"><u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"> </span><span lang="EN-US" style="color:#212121"><u></u><u></u></span></p>
<div>
<div style="border:none;border-top:solid windowtext 1.0pt;padding:3.0pt 0cm 0cm 0cm;border-color:currentColor currentColor">
<p class="MsoNormal"><b><span lang="EN-US" style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:#212121">From:</span></b><span lang="EN-US" style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:#212121">
<a href="mailto:public-bounces@cabforum.org" target="_blank">public-bounces@cabforum.org</a> [<a href="mailto:public-bounces@cabforum.org" target="_blank">mailto:public-bounces@cabforum.org</a>]
<b>On Behalf Of </b>Barreira Iglesias, Iñigo<br>
<b>Sent:</b> 26 May 2016 08:14<br>
<b>To:</b> <a href="mailto:public@cabforum.org" target="_blank">public@cabforum.org</a><br>
<b>Subject:</b> [cabfpub] RV: Text for ETSI Audit in CAB Forum baseline</span><span lang="EN-US" style="color:#212121"><u></u><u></u></span></p>
</div>
</div>
<p class="MsoNormal"><span lang="EN-US" style="color:#212121"> <u></u><u></u></span></p>
<div>
<div class="MsoNormal" align="center" style="text-align:center"><span lang="EN-US" style="font-family:"Calibri","sans-serif";color:#212121">
<hr size="2" width="98%" align="center">
</span></div>
<div>
<p class="MsoNormal"><b><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:black">De:</span></b><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:black"> Inigo Barreira <<a href="mailto:inigo_barreira@hotmail.com" target="_blank">inigo_barreira@hotmail.com</a>><br>
<b>Enviado:</b> jueves, 26 de mayo de 2016 9:12<br>
<b>Para:</b> Barreira Iglesias, Iñigo<br>
<b>Asunto:</b> FW: Text for ETSI Audit in CAB Forum baseline</span><span lang="EN-US" style="font-family:"Calibri","sans-serif";color:#212121">
</span><span lang="EN-US" style="color:#212121"><u></u><u></u></span></p>
<div>
<p class="MsoNormal"><span lang="EN-US" style="font-family:"Calibri","sans-serif";color:#212121"> </span><span lang="EN-US" style="color:#212121"><u></u><u></u></span></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal"><span lang="EN-US" style="font-family:"Calibri","sans-serif";color:#212121"><br>
</span><span lang="EN-US" style="color:#212121"><u></u><u></u></span></p>
<div>
<div class="MsoNormal" align="center" style="text-align:center"><span lang="EN-US" style="font-family:"Calibri","sans-serif";color:#212121">
<hr size="2" width="100%" align="center">
</span></div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span lang="EN-US" style="font-family:"Calibri","sans-serif";color:#212121">From:
<a href="mailto:nick.pope@thales-esecurity.com" target="_blank">nick.pope@thales-esecurity.com</a><br>
To: <a href="mailto:public@cabforum.org" target="_blank">public@cabforum.org</a><br>
CC: <a href="mailto:c.wanko@tuvit.de" target="_blank">c.wanko@tuvit.de</a>; <a href="mailto:atrotin@exchange.lsti.fr" target="_blank">
atrotin@exchange.lsti.fr</a>; <a href="mailto:pbouchet@exchange.lsti.fr" target="_blank">pbouchet@exchange.lsti.fr</a>;
<a href="mailto:inigo_barreira@hotmail.com" target="_blank">inigo_barreira@hotmail.com</a><br>
Date: Wed, 25 May 2016 16:13:19 +0100<br>
Subject: Text for ETSI Audit in CAB Forum baseline</span><span lang="EN-US" style="color:#212121"><u></u><u></u></span></p>
<div>
<p><span lang="EN-US" style="font-family:"Calibri","sans-serif";color:#0070c0">All,</span><span lang="EN-US" style="color:#212121"><u></u><u></u></span></p>
<p><span lang="EN-US" style="font-family:"Calibri","sans-serif";color:#0070c0"> </span><span lang="EN-US" style="color:#212121"><u></u><u></u></span></p>
<p><span lang="EN-US" style="font-family:"Calibri","sans-serif";color:#0070c0">Following on from my presentation today on the latest ETSI standards and that of the ACAB’c I would suggest that the CABF baseline requirements section 8.2 item
on audits against ETSI standards is replaced with the following. I ask my EU colleagues to come with in any further suggestions.</span><span lang="EN-US" style="color:#212121"><u></u><u></u></span></p>
<p><span lang="EN-US" style="font-family:"Calibri","sans-serif";color:#0070c0"> </span><span lang="EN-US" style="color:#212121"><u></u><u></u></span></p>
<p><span lang="EN-US" style="font-size:10.0pt;font-family:TimesNewRomanPSMT;color:#212121">4. For audits conducted in accordance with any one of the ETSI standards, conformity assessment bodies accredited in accordance with ISO 17065 applying
the requirements specified in EN 319 403. Full audits against the ETSI standards shall be carried out annually.
</span><span lang="EN-US" style="color:#212121"><u></u><u></u></span></p>
<p><span lang="EN-US" style="font-size:10.0pt;font-family:TimesNewRomanPSMT;color:#212121"> </span><span lang="EN-US" style="color:#212121"><u></u><u></u></span></p>
<p><span lang="EN-US" style="font-size:10.0pt;font-family:TimesNewRomanPSMT;color:#212121">Elsewhere replace reference to TS 102 042 with EN 319 411-1.</span><span lang="EN-US" style="color:#212121"><u></u><u></u></span></p>
<p><span lang="EN-US" style="font-family:"Calibri","sans-serif";color:#212121"> </span><span lang="EN-US" style="color:#212121"><u></u><u></u></span></p>
<p><span lang="EN-US" style="font-family:"Calibri","sans-serif";color:#0070c0">Thanks for the interesting discussions today.</span><span lang="EN-US" style="color:#212121"><u></u><u></u></span></p>
<p><span lang="EN-US" style="font-family:"Calibri","sans-serif";color:#0070c0"> </span><span lang="EN-US" style="color:#212121"><u></u><u></u></span></p>
<p><span lang="EN-US" style="font-family:"Calibri","sans-serif";color:#0070c0">Nick</span><span lang="EN-US" style="color:#212121"><u></u><u></u></span></p>
<p><span lang="EN-US" style="font-family:"Calibri","sans-serif";color:#212121"> </span><span lang="EN-US" style="color:#212121"><u></u><u></u></span></p>
<p><span lang="EN-US" style="font-size:8.0pt;font-family:"Arial","sans-serif";color:#1f497d">Nick Pope CITP, CISSP<br>
<b>THALES</b> </span><span lang="EN-US" style="color:#212121"><u></u><u></u></span></p>
<p><span lang="EN-US" style="font-size:8.0pt;font-family:"Arial","sans-serif";color:#1f497d">Principal Consultant, Advanced Solutions Group EMEA</span><span lang="EN-US" style="color:#212121"><u></u><u></u></span></p>
<p><span lang="EN-US" style="font-size:8.0pt;font-family:"Arial","sans-serif";color:#1f497d">Vice chair – ETSI Technical Committee on Electronic Signatures and Infrastructures</span><span lang="EN-US" style="color:#212121"><u></u><u></u></span></p>
<p><span lang="EN-US" style="font-size:8.0pt;font-family:"Arial","sans-serif";color:#1f497d"><br>
Meadow View House, Long Crendon, AYLESBURY, HP18 9EQ, UK<br>
</span><span lang="EN-US" style="font-size:8.0pt;font-family:"Calibri","sans-serif";color:#212121"><a href="http://www.thales-esecurity.com/" target="_blank"><span style="font-family:"Arial","sans-serif";color:#1f497d">www.thales-esecurity.com</span></a></span><span lang="EN-US" style="color:#212121"><u></u><u></u></span></p>
<p><span lang="EN-US" style="font-size:8.0pt;font-family:"Arial","sans-serif";color:#1f497d">Mob: <a href="tel:%2B44%20%280%29%207880%20787940" value="+447880787940" target="_blank">+44 (0) 7880 787940</a>, Tel: <a href="tel:%2B44%C2%A0%280%29%C2%A01844%20201800" value="+441844201800" target="_blank">+44 (0) 1844 201800</a> (General).
</span><span lang="EN-US" style="color:#212121"><u></u><u></u></span></p>
<p><span lang="EN-US" style="font-size:8.0pt;font-family:"Arial","sans-serif";color:#1f497d">email:
</span><span lang="EN-US" style="font-size:8.0pt;font-family:"Calibri","sans-serif";color:#212121"><a href="mailto:Nick.Pope@thales-esecurity.com" target="_blank"><span style="font-family:"Arial","sans-serif"">Nick.Pope@thales-esecurity.com</span></a></span><span lang="EN-US" style="color:#212121"><u></u><u></u></span></p>
<p><span lang="EN-US" style="font-size:8.0pt;font-family:"Calibri","sans-serif";color:#212121"> </span><span lang="EN-US" style="color:#212121"><u></u><u></u></span></p>
</div>
<p class="MsoNormal"><span lang="EN-US" style="font-family:"Calibri","sans-serif";color:#212121"> </span><span lang="EN-US" style="color:#212121"><u></u><u></u></span></p>
<div class="MsoNormal" align="center" style="text-align:center"><span lang="EN-US" style="font-family:"Calibri","sans-serif";color:#212121">
<hr size="2" width="100%" align="center">
</span></div>
<p class="MsoNormal"><span lang="EN-US" style="font-size:7.5pt;font-family:"Arial","sans-serif";color:gray">Consider the environment before printing this mail.<br>
<br>
Thales UK Limited is incorporated in England and Wales with company registration number 00868273. Its registered office is located at 2 Dashwood Lang Road, The Bourne Business Park, Addlestone, Nr. Weybridge, Surrey KT15 2NX.<br>
<br>
The information contained in this e-mail is confidential. It may also be privileged. It is intended only for the stated addressee(s) and access to it by any other person is unauthorised. If you are not an addressee or the intended addressee, you must not disclose,
copy, circulate or in any other way use or rely on the information contained in this e-mail. Such unauthorised use may be unlawful. If you have received this e-mail in error, please inform us immediately on <a href="tel:%2B44%20%280%291844%20201800" value="+441844201800" target="_blank">+44 (0)1844 201800</a> and delete it and all copies from
your system. Commercial matters detailed or referred to in this e-mail are subject to a written contract signed for and on behalf of Thales UK Limited.</span><span lang="EN-US" style="color:#212121"><u></u><u></u></span></p>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div></div></div>
</div>
<br>_______________________________________________<br>
Public mailing list<br>
<a href="mailto:Public@cabforum.org">Public@cabforum.org</a><br>
<a href="https://cabforum.org/mailman/listinfo/public" rel="noreferrer" target="_blank">https://cabforum.org/mailman/listinfo/public</a><br>
<br></blockquote></div><br></div>