
<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class=""><br class=""><div><br class=""><blockquote type="cite" class=""><div class="">On Apr 16, 2018, at 7:21 AM, Ryan Sleevi via Public <<a href="mailto:public@cabforum.org" class="">public@cabforum.org</a>> wrote:</div><br class="Apple-interchange-newline"><div class=""><meta http-equiv="Content-Type" content="text/html; charset=utf-8" class=""><div dir="ltr" class=""><br class=""><div class="gmail_extra"><br class=""><div class="gmail_quote">On Sun, Apr 15, 2018 at 2:18 AM, Dimitris Zacharopoulos via Public <span dir="ltr" class=""><<a href="mailto:public@cabforum.org" target="_blank" class="">public@cabforum.org</a>></span> wrote:<br class=""><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">

  
  <div text="#000000" bgcolor="#FFFFFF" class="">

    <br class="">

    I am looking for two endorsers for the following ballot.<br class="">

    <br class="">

    Dimitris.<br class="">

    <br class=""><p class="m_-1167569698070291640line867"><strong class="">Ballot XXX - Update Section 8.4 for CA

        audit criteria</strong> <span class="m_-1167569698070291640anchor" id="m_-1167569698070291640line-3"></span><span class="m_-1167569698070291640anchor" id="m_-1167569698070291640line-4"></span></p><p class="m_-1167569698070291640line874">The following motion has been proposed by

      Dimitris Zacharopoulos of HARICA and endorsed by ___ and ___<span class="m_-1167569698070291640anchor" id="m_-1167569698070291640line-5"></span></p><p class="m_-1167569698070291640line867"><strong class="">Background</strong>: <span class="m_-1167569698070291640anchor" id="m_-1167569698070291640line-7"></span><span class="m_-1167569698070291640anchor" id="m_-1167569698070291640line-8"></span></p><p class="m_-1167569698070291640line874">Section 8.4 of the Baseline Requirements

      describes the audit criteria for CAs that issue Publicly-Trusted

      SSL/TLS Certificates. This ballot attempts to achieve two things:

      <span class="m_-1167569698070291640anchor" id="m_-1167569698070291640line-9"></span><span class="m_-1167569698070291640anchor" id="m_-1167569698070291640line-10"></span></p>

    <ol type="1" class="">

      <li class="">Remove the old ETSI TS documents <span class="m_-1167569698070291640anchor" id="m_-1167569698070291640line-11"></span></li>

      <li class=""><p class="m_-1167569698070291640line862">Align the <a class="m_-1167569698070291640nonexistent" href="https://www.cabforum.org/wiki/WebTrust" target="_blank">WebTrust</a>

          and ETSI requirements <span class="m_-1167569698070291640anchor" id="m_-1167569698070291640line-12"></span><span class="m_-1167569698070291640anchor" id="m_-1167569698070291640line-13"></span><span class="m_-1167569698070291640anchor" id="m_-1167569698070291640line-14"></span></p>

      </li>

    </ol><p class="m_-1167569698070291640line862">"<a class="m_-1167569698070291640nonexistent" href="https://www.cabforum.org/wiki/WebTrust" target="_blank">WebTrust</a> for

      Certification Authorities" is equivalent to "ETSI EN 319 401" and

      "<a class="m_-1167569698070291640nonexistent" href="https://www.cabforum.org/wiki/WebTrust" target="_blank">WebTrust</a>

      Principles and Criteria for Certification Authorities – SSL

      Baseline with Network Security" is the equivalent of "ETSI EN 319

      411-1". <span class="m_-1167569698070291640anchor" id="m_-1167569698070291640line-15"></span><span class="m_-1167569698070291640anchor" id="m_-1167569698070291640line-16"></span></p><p class="m_-1167569698070291640line867"><strong class="">-- MOTION BEGINS --</strong> <span class="m_-1167569698070291640anchor" id="m_-1167569698070291640line-17"></span><span class="m_-1167569698070291640anchor" id="m_-1167569698070291640line-18"></span></p><p class="m_-1167569698070291640line874">Replace the first two numbered items in section

      8.4 of the Baseline Requirements <span class="m_-1167569698070291640anchor" id="m_-1167569698070291640line-19"></span>from: <span class="m_-1167569698070291640anchor" id="m_-1167569698070291640line-20"></span><span class="m_-1167569698070291640anchor" id="m_-1167569698070291640line-21"></span></p>

    <ol type="1" class="">

      <li class=""><p class="m_-1167569698070291640line891"><a class="m_-1167569698070291640nonexistent" href="https://www.cabforum.org/wiki/WebTrust" target="_blank">WebTrust</a>

          for Certification Authorities v2.0; <span class="m_-1167569698070291640anchor" id="m_-1167569698070291640line-22"></span></p>

      </li>

      <li class="">A national scheme that audits conformance to ETSI TS 102 042 /

        ETSI EN 319 411-1; or <span class="m_-1167569698070291640anchor" id="m_-1167569698070291640line-23"></span><span class="m_-1167569698070291640anchor" id="m_-1167569698070291640line-24"></span></li>

    </ol><p class="m_-1167569698070291640line874">to: <span class="m_-1167569698070291640anchor" id="m_-1167569698070291640line-25"></span><span class="m_-1167569698070291640anchor" id="m_-1167569698070291640line-26"></span></p>

    <ol type="1" class="">

      <li class=""><p class="m_-1167569698070291640line891"><a class="m_-1167569698070291640nonexistent" href="https://www.cabforum.org/wiki/WebTrust" target="_blank">WebTrust</a>

          Principles and Criteria for Certification Authorities – SSL

          Baseline with Network Security; <span class="m_-1167569698070291640anchor" id="m_-1167569698070291640line-27"></span></p>

      </li>

      <li class="">A national scheme that audits conformance to ETSI EN 319

        411-1; or</li></ol></div></blockquote><div class=""><br class=""></div><div class="">As noted several times that this has come up in the past, your proposed change to #1 is meaningfully and substantially different than what is currently required. You are proposing *changing* the audit scheme to a more restrictive set. That's something in the past that browsers have objected to, and for good reason.</div></div></div></div></div></blockquote><br class=""></div><div>I agree with Ryan.  Based on your description, Dimitris, of the alignment between WebTrust and ETSI, it seems that the appropriate change is to require WebTrust for CA v2.1 or a national scheme that audits conformance to ETSI EN 319 401 V2.1.1.</div><div><br class=""></div><div>Thanks,</div><div>Peter</div></body></html>