<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">On 29/11/2016 9:10 πμ, Miskovic Peter
via Public wrote:<br>
</div>
<blockquote
cite="mid:99f765972c7b440c8e552b4cb2d3f85b@DISIGEX.disig.local"
type="cite">
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 15 (filtered
medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Consolas;
panose-1:2 11 6 9 2 2 4 3 2 4;}
@font-face
{font-family:Cambria;
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman",serif;
color:black;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
pre
{mso-style-priority:99;
mso-style-link:"HTML Preformatted Char";
margin:0cm;
margin-bottom:.0001pt;
font-size:10.0pt;
font-family:"Courier New";
color:black;}
p.MsoAcetate, li.MsoAcetate, div.MsoAcetate
{mso-style-priority:99;
mso-style-link:"Balloon Text Char";
margin:0cm;
margin-bottom:.0001pt;
font-size:8.0pt;
font-family:"Tahoma",sans-serif;
color:black;}
span.HTMLPreformattedChar
{mso-style-name:"HTML Preformatted Char";
mso-style-priority:99;
mso-style-link:"HTML Preformatted";
font-family:Consolas;
color:black;}
p.msonormal0, li.msonormal0, div.msonormal0
{mso-style-name:msonormal;
mso-margin-top-alt:auto;
margin-right:0cm;
mso-margin-bottom-alt:auto;
margin-left:0cm;
font-size:12.0pt;
font-family:"Times New Roman",serif;}
span.BalloonTextChar
{mso-style-name:"Balloon Text Char";
mso-style-priority:99;
mso-style-link:"Balloon Text";
font-family:"Tahoma",sans-serif;
color:black;}
span.EmailStyle22
{mso-style-type:personal;
font-family:"Calibri",sans-serif;
color:#1F497D;}
span.EmailStyle23
{mso-style-type:personal;
font-family:"Calibri",sans-serif;
color:#1F497D;}
span.EmailStyle24
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
<div class="WordSection1">
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:windowtext;mso-fareast-language:EN-US"
lang="EN-US">Hi Richard,<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:windowtext;mso-fareast-language:EN-US"
lang="EN-US">according my opinion this is true only for
those audits which TSP shall provide for the supervisory
body (eIDAS Regulation Article 17) at least every 24 month.
Mozilla is not such supervisory body so it’s on their
decision what will be accepted. I agree with Inigo and
Moudrick that the July 1, 2017 is reasonable date because at
June 30, 2017 ends transitional measure (eIDAS Regulation,
Artice 51 (3)) for submitting conformity assessment report
to the supervisory body according eIDAS regulation. So all
EU TSP which are qualified TSP now due the transitional
measure (eIDAS Regulation, Artice 51 (3)) still has a time
to wait with such type of audit. <o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:windowtext;mso-fareast-language:EN-US"
lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:windowtext;mso-fareast-language:EN-US"
lang="EN-US">Regards<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:windowtext;mso-fareast-language:EN-US"
lang="EN-US">Peter
<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:windowtext;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
</div>
</blockquote>
<br>
<br>
I agree with Peter Μ.,<br>
<br>
If a TSP wants to only issue SSL certificates, the supervisory body
and eIDAS is out of the picture. I assume Mozilla is only interested
in seeing an audit report against ETSI EN 319 411-1 from an
accredited Conformance Accreditation Body (CAB). <br>
<br>
Now, the problem most EU Member States are facing even today (as
many delegates have stated several times already) is that most
National Accreditation Bodies (NABs) haven't completed the ETSI EN
319 403 accreditation process for CABs. This leaves only a very few
CABs accredited for the new scheme. Even today, the ACAB-c list only
two CABs <a href="http://www.acab-c.com/accredited-bodies/">http://www.acab-c.com/accredited-bodies/</a>
(LSTI, France and TUV-IT, Germany). There may be more but one would
have to look at the web site of each Member State's NAB.<br>
<br>
We do hope that more CABs will have completed their accreditation
process by July 2017 but what if the NABs require more time? In the
<a href="https://cabforum.org/2016/05/25/2016-05">Bilbao F2F meeting</a>,
I recall discussing that one of the main differences between the TS
102 042 and EN 319 411-1 in terms of auditing, is the auditor
accreditation scheme. In EN 319 411-1, the auditor's base
accreditation scheme is ISO 17065 and there are many CABs already
accredited for that. The main problem for NABs is the lack of
criteria for CAB accreditation against ETSI EN 319 403 on top of ISO
17065. There may be a transitional period where an ISO 17065 CAB
accreditation is sufficient to audit against EN 319-411-1 until more
NABs establish criteria for accreditation with EN 319 403.<br>
<br>
Dimitris.<br>
<br>
<br>
<blockquote
cite="mid:99f765972c7b440c8e552b4cb2d3f85b@DISIGEX.disig.local"
type="cite">
<div class="WordSection1">
<div>
<div style="border:none;border-top:solid #E1E1E1
1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:windowtext"
lang="EN-US">From:</span></b><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:windowtext"
lang="EN-US"> Public
[<a class="moz-txt-link-freetext" href="mailto:public-bounces@cabforum.org">mailto:public-bounces@cabforum.org</a>]
<b>On Behalf Of </b>tScheme Technical Manager via
Public<br>
<b>Sent:</b> Tuesday, November 29, 2016 12:59 AM<br>
<b>To:</b> 'Moudrick M. Dadashov' <a class="moz-txt-link-rfc2396E" href="mailto:md@ssc.lt"><md@ssc.lt></a>;
'CA/Browser Forum Public Discussion List'
<a class="moz-txt-link-rfc2396E" href="mailto:public@cabforum.org"><public@cabforum.org></a><br>
<b>Cc:</b> tScheme Technical Manager
<a class="moz-txt-link-rfc2396E" href="mailto:richard.trevorah@tScheme.org"><richard.trevorah@tScheme.org></a><br>
<b>Subject:</b> Re: [cabfpub] When to stop accepting old
ETSI audits?<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"
lang="EN-GB">That is certainly true in some Member States
(UK included) but is doesn’t alter fact that eIDAS came into
force on 1<sup>st</sup> July 2016 and any Conformity
Assessment Report submitted after that date would have to
demonstrate compliance with the eIDAS regulation – and the
old ETSI TS are not sufficient for that purpose.<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"
lang="EN-GB"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"
lang="EN-GB">However, I believe that some MS have produced
their Supervisory Body requirements (e.g. LU, MT & SE)
and there are also some very detailed guidelines being
drafted by ENISA that can be viewed at <a
moz-do-not-send="true"
href="https://www.enisa.europa.eu/topics/trust-services/guidelines/">
https://www.enisa.europa.eu/topics/trust-services/guidelines/</a><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"
lang="EN-GB"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"
lang="EN-GB">Cheers<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"
lang="EN-GB">Richard<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt" lang="EN-GB">------------------------------------<br>
Richard Trevorah<br>
Technical Manager<br>
tScheme Limited<br>
<br>
M: +44 (0) 781 809 4728<br>
F: +44 (0) 870 005 6311<br>
<br>
</span><span style="color:#1F497D" lang="EN-GB"><a
moz-do-not-send="true" href="http://www.tscheme.org"
target="_blank">http://www.tscheme.org</a><br>
</span><span lang="EN-GB">------------------------------------<br>
<br>
The information in this message and, if present, any
attachments are intended solely for the attention and use of
the named addressee(s). The content of this e-mail and its
attachments is confidential and may be legally privileged.
Unless otherwise stated, any use or disclosure is
unauthorised and may be unlawful.<br>
<br>
If you are not the intended recipient, please delete the
message and any attachments and notify the sender as soon as
practicable</span><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"
lang="EN-GB"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"
lang="EN-GB"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"
lang="EN-GB"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #B5C4DF
1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span
style="font-size:10.0pt;font-family:"Tahoma",sans-serif;color:windowtext"
lang="EN-US">From:</span></b><span
style="font-size:10.0pt;font-family:"Tahoma",sans-serif;color:windowtext"
lang="EN-US"> Moudrick M. Dadashov [<a
moz-do-not-send="true" href="mailto:md@ssc.lt">mailto:md@ssc.lt</a>]
<br>
<b>Sent:</b> 28 November 2016 23:33<br>
<b>To:</b> tScheme Technical Manager; 'CA/Browser Forum
Public Discussion List'<br>
<b>Subject:</b> Re: [cabfpub] When to stop accepting old
ETSI audits?<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><span lang="EN-GB"><o:p> </o:p></span></p>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span
style="font-family:"Cambria",serif" lang="EN-GB">Indeed,
Richard, but unfortunately what used to be a single step
(audit) now needs two steps - the TSPs need to meet also the
[non-existing] supervisor requirements.<br>
<br>
Thanks,<br>
M.D. </span><span lang="EN-GB"><o:p></o:p></span></p>
<div>
<p class="MsoNormal"><span lang="EN-GB">On 11/29/2016 1:05 AM,
tScheme Technical Manager wrote:<o:p></o:p></span></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"
lang="EN-GB">Technically, eIDAS gave July 2016 as the
cutoff but allowed one year for transition. However, it
states that any audits after July 2016 must use new
requirements.</span><span lang="EN-GB"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"
lang="EN-GB"> </span><span lang="EN-GB"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"
lang="EN-GB">Cheers</span><span lang="EN-GB"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"
lang="EN-GB">Richard</span><span lang="EN-GB"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt"
lang="EN-GB">------------------------------------<br>
Richard Trevorah<br>
Technical Manager<br>
tScheme Limited<br>
<br>
M: +44 (0) 781 809 4728<br>
F: +44 (0) 870 005 6311<br>
<br>
</span><span style="color:#1F497D" lang="EN-GB"><a
moz-do-not-send="true" href="http://www.tscheme.org"
target="_blank">http://www.tscheme.org</a><br>
</span><span lang="EN-GB">------------------------------------<br>
<br>
The information in this message and, if present, any
attachments are intended solely for the attention and use
of the named addressee(s). The content of this e-mail and
its attachments is confidential and may be legally
privileged. Unless otherwise stated, any use or disclosure
is unauthorised and may be unlawful.<br>
<br>
If you are not the intended recipient, please delete the
message and any attachments and notify the sender as soon
as practicable<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"
lang="EN-GB"> </span><span lang="EN-GB"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"
lang="EN-GB"> </span><span lang="EN-GB"><o:p></o:p></span></p>
<div>
<div style="border:none;border-top:solid #B5C4DF
1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span
style="font-size:10.0pt;font-family:"Tahoma",sans-serif;color:windowtext"
lang="EN-US">From:</span></b><span
style="font-size:10.0pt;font-family:"Tahoma",sans-serif;color:windowtext"
lang="EN-US"> Public [<a moz-do-not-send="true"
href="mailto:public-bounces@cabforum.org">mailto:public-bounces@cabforum.org</a>]
<b>On Behalf Of </b>Moudrick M. Dadashov via Public<br>
<b>Sent:</b> 28 November 2016 22:59<br>
<b>To:</b> CA/Browser Forum Public Discussion List<br>
<b>Cc:</b> Moudrick M. Dadashov<br>
<b>Subject:</b> Re: [cabfpub] When to stop accepting
old ETSI audits?</span><span lang="EN-GB"><o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><span lang="EN-GB"> <o:p></o:p></span></p>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span
style="font-family:"Cambria",serif" lang="EN-GB">Yes,
July 2017 is reasonable - the new ones require extra
bureaucracy with the supervisors.<br>
<br>
Thanks,<br>
M.D. </span><span lang="EN-GB"><o:p></o:p></span></p>
<div>
<p class="MsoNormal"><span lang="EN-GB">On 11/28/2016 3:44
PM, Gervase Markham via Public wrote:<o:p></o:p></span></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<pre><span lang="EN-GB">Dear CAB Forum members,<o:p></o:p></span></pre>
<pre><span lang="EN-GB"> <o:p></o:p></span></pre>
<pre><span lang="EN-GB">Ballot 171, passed on 1st July 2016, updated the BRs to remove the old<o:p></o:p></span></pre>
<pre><span lang="EN-GB">ETSI criteria (ETSI TS 101 456 V1.4.3 or ETSI TS 102 042 V2.3.1) and add<o:p></o:p></span></pre>
<pre><span lang="EN-GB">the new ones (ETSI EN 319 411-1 v1.1.1 or ETSI EN 319 411-2 v2.1.1).<o:p></o:p></span></pre>
<pre><span lang="EN-GB">This change was made in BRs v.1.3.6. However, no dates were associated<o:p></o:p></span></pre>
<pre><span lang="EN-GB">with the change.<o:p></o:p></span></pre>
<pre><span lang="EN-GB"> <o:p></o:p></span></pre>
<pre><span lang="EN-GB">Mozilla CA Policy 2.3 (about to be published) permits either set of<o:p></o:p></span></pre>
<pre><span lang="EN-GB">criteria to be used.<o:p></o:p></span></pre>
<pre><span lang="EN-GB"> <o:p></o:p></span></pre>
<pre><span lang="EN-GB">By what date would it be reasonable for Mozilla to require that all new<o:p></o:p></span></pre>
<pre><span lang="EN-GB">ETSI audits use the new criteria?<o:p></o:p></span></pre>
<pre><span lang="EN-GB"> <o:p></o:p></span></pre>
<pre><span lang="EN-GB">Inigo says that eIDAS (which, of course, refers only to the issuance of<o:p></o:p></span></pre>
<pre><span lang="EN-GB">Qualified certificates) have specified July 2017 as the end date for the<o:p></o:p></span></pre>
<pre><span lang="EN-GB">old criteria. Would that be a reasonable choice?<o:p></o:p></span></pre>
<pre><span lang="EN-GB"> <o:p></o:p></span></pre>
<pre><span lang="EN-GB">Gerv<o:p></o:p></span></pre>
<pre><span lang="EN-GB">_______________________________________________<o:p></o:p></span></pre>
<pre><span lang="EN-GB">Public mailing list<o:p></o:p></span></pre>
<pre><span lang="EN-GB"><a moz-do-not-send="true" href="mailto:Public@cabforum.org">Public@cabforum.org</a><o:p></o:p></span></pre>
<pre><span lang="EN-GB"><a moz-do-not-send="true" href="https://cabforum.org/mailman/listinfo/public">https://cabforum.org/mailman/listinfo/public</a><o:p></o:p></span></pre>
</blockquote>
<p class="MsoNormal"><span lang="EN-GB"> <o:p></o:p></span></p>
</blockquote>
<p class="MsoNormal"><span lang="EN-GB"><o:p> </o:p></span></p>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
Public mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Public@cabforum.org">Public@cabforum.org</a>
<a class="moz-txt-link-freetext" href="https://cabforum.org/mailman/listinfo/public">https://cabforum.org/mailman/listinfo/public</a>
</pre>
</blockquote>
<br>
</body>
</html>