<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 14 (filtered medium)">
<!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p.MsoAcetate, li.MsoAcetate, div.MsoAcetate
{mso-style-priority:99;
mso-style-link:"Texto de globo Car";
margin:0cm;
margin-bottom:.0001pt;
font-size:8.0pt;
font-family:"Tahoma","sans-serif";}
span.EstiloCorreo17
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
span.TextodegloboCar
{mso-style-name:"Texto de globo Car";
mso-style-priority:99;
mso-style-link:"Texto de globo";
font-family:"Tahoma","sans-serif";
mso-fareast-language:ES;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri","sans-serif";
mso-fareast-language:EN-US;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:70.85pt 3.0cm 70.85pt 3.0cm;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="ES" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Ryan,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">A CA that wants to issue EV certs need to be audited against 411-1 for the EVCP policy and that implies that also have to “pass” the 401, which
is the generic for all type of TSPs and include for example all the network security requirements specified by the CAB Forum.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">If a CA wants to issue QWACs, have to be audited against 411-2 for the QCPw policy, which takes by reference the 411-1 and also the 401. This is
something similar of what Webtrust does if you feel more confortable.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">And, yes, a CA that is audited under 411-2 for QCPw should have no problem to also get audited in 411-1 for the EVCP, but that´s a business decision.
It does not mean that a CA that is audited under 411-2 for QCPw automatically grants the 411-1 for the EVCP. The CA has to have two different policies with different certificate profiles, etc. and above all, follow the law. The 411-1 is only for public key
certificates and it incorporates all the requirements of the CABF BRs and EVs, but the 411-2 is for issuing EU qualified certificates, and has to follow the eIDAS regulation, and can be “used” by EU QTSPs.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">For example, Izenpe, is going to get audited against 411-1 for the DV, OV and EV policies and also against 411-2 for the QCPw policy. If we had
the intention of only issue QCs because as EU CA can make it, then, we´ll have only the 411-2 and that does not mean that, even 411-2 for QCPw uses mostly of the requirements of the EVCP in 411-1, I can issue EV certs. So, a CA that want to issue EV certs
has to be audited against 411-1, a CA that want to issue EV and QCPW has to be audited against 411-1 and 411-2, and if only wants to issue QCPw, then only 411-2 which in any case will have to follow what everything that is stated in 401 and 411-1.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">OTOH, I´d like to clarify that Webtrust is one thing and ETSI is another one, and you all can´t compare all the time or try to “understand” what
ETSI does on the way Webtrust does. But in any case, at the end, both schemes check/assess the same things.
<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">And for the particular case of the EU qualified certs, the only standard applicable is the 411-2, Webtrust is not even recognized in the eIDAS
regulation. So if a non EU CA wants to issue QCPw it has to follow what the 411-2 says, which by default, will look at 411-1 and 401. And above all, is the law, so it´s not only to meet the technical stuff but also all the articles of the law and to be tied
what is stated there, and for example, for an American company, well, there´s an article of signing a bilateral agreement, etc. Of course, Andrea mentioned some shortcuts, but there´s a law to follow, and that´s 411-1. So even in this particular case, EVCP
vs QCPw, are very similar technically, there are some other legal implications. <o:p>
</o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">And finally, the intention of this ballot is just to replace an obsolete ETSI standard for the newest one which includes all CABF requirements
and provides a better clarification on the audit stuff which was the major concern during the past 2 years for the browsers. If there´s a specific point that needs to clarify just let me know and we can rephrase it to make it clear.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal" style="line-height:9.75pt"><b><span lang="ES-TRAD" style="font-size:8.5pt;font-family:"Tahoma","sans-serif";color:black">Iñigo Barreira</span></b><span lang="ES-TRAD" style="font-size:8.5pt;font-family:"Tahoma","sans-serif";color:black"><br>
Responsable del Área técnica<br>
<a href="mailto:i-barreira@izenpe.eus">i-barreira@izenpe.eus</a> <o:p></o:p></span></p>
<p class="MsoNormal"><span lang="ES-TRAD" style="font-size:8.5pt;font-family:"Tahoma","sans-serif";color:black">945067705</span><span lang="ES-TRAD" style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p></o:p></span></p>
<p class="MsoNormal"><span lang="ES-TRAD" style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:navy"><img border="0" width="589" height="99" id="Imagen_x0020_1" src="cid:image001.jpg@01D1C620.C3CCFF60" alt="Descripción: firma_email_Izenpe_eus"><o:p></o:p></span></p>
<p class="MsoNormal"><span lang="ES-TRAD" style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal" style="line-height:9.75pt"><span style="font-size:7.5pt;font-family:"Tahoma","sans-serif";color:#888888;mso-fareast-language:ES-TRAD">ERNE! Baliteke mezu honen zatiren bat edo mezu osoa legez babestuta egotea. Mezua badu bere hartzailea.
Okerreko helbidera heldu bada (helbidea gaizki idatzi, transmisioak huts egin) eman abisu igorleari, korreo honi erantzuna. KONTUZ!</span><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#888888;mso-fareast-language:ES-TRAD"><br>
</span><span style="font-size:7.5pt;font-family:"Tahoma","sans-serif";color:#888888;mso-fareast-language:ES-TRAD">ATENCION! Este mensaje contiene informacion privilegiada o confidencial a la que solo tiene derecho a acceder el destinatario. Si usted lo recibe
por error le agradeceriamos que no hiciera uso de la informacion y que se pusiese en contacto con el remitente.</span><span style="font-family:"Calibri","sans-serif";color:navy;mso-fareast-language:ES-TRAD"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">De:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif""> Ryan Sleevi [mailto:sleevi@google.com]
<br>
<b>Enviado el:</b> lunes, 13 de junio de 2016 14:57<br>
<b>Para:</b> Barreira Iglesias, Iñigo<br>
<b>CC:</b> public@cabforum.org<br>
<b>Asunto:</b> Re: [cabfpub] RV: [cabfman] Ballot 171? for updating the ETSI standards in the CABF documents<o:p></o:p></span></p>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal">On Mon, Jun 13, 2016 at 12:40 AM, Barreira Iglesias, Iñigo <<a href="mailto:i-barreira@izenpe.eus" target="_blank">i-barreira@izenpe.eus</a>> wrote:<o:p></o:p></p>
<div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><o:p> </o:p></p>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">Inigo,<o:p></o:p></p>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">I'm not sure how this is meaningfully different than how we handle EV audits, which root stores also require the BR audits.<o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> </span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Same here</span><o:p></o:p></p>
</div>
</div>
</div>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">This doesn't answer the question, and I have no clue what you're trying to say.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<blockquote style="border:none;border-left:solid #CCCCCC 1.0pt;padding:0cm 0cm 0cm 6.0pt;margin-left:4.8pt;margin-right:0cm">
<div>
<div>
<div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">I've reviewed 411-1 and 411-2, and the outstanding question you didn't answer is what prevents a CA from getting audited under EVCP when getting a QCP-w audit.<o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> </span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">A CA can issue an EV when passes 411-1 under EVCP policy. To get a QCPw, the CA has
to pass the 411-2</span><o:p></o:p></p>
</div>
</div>
</div>
</div>
</blockquote>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">That's not what I'm asking about.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">To get QCP-w, a CA has to pass 411-2. Yes, 411-2 tries to incorporate by reference, where applicable, 411-1. What I'm specifically asking is if a CA has to get/pass 411-2, why can they not get audited, at the same time, to 411-1 under EVCP?
What prevents this?<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Under the WebTrust schemes, as practiced by root stores, a CA wishing to be audited under WebTrust for CAs also gets audited under WebTrust for BRs and WebTrust. That is, three audits. (The notion of an EV-only CA is not made by root stores
that I'm aware of, since to issue EV they necessarily are trusted to issue TLS).<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">As a root store, there's zero interest in understanding or recognizing QCP-w. So if a CA wants to be recognized as EV, it would need to present a 411-1 EVCP audit. My understanding is that a CA getting a 411-2 QCPw audit should have no
trouble getting a 411-1 EVCP audit, and then there's no ambiguity that the CA is conforming to 411-1 EVCP. Why doesn't that work? <o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</div>
</div>
</body>
</html>