<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<br>
<br>
<div class="moz-cite-prefix">On 16/4/2018 5:57 PM, Peter Bowen
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:8800B237-DBF3-43C0-9469-C9B8C2D6D1E2@amzn.com">
<br class="">
<div><br class="">
<blockquote type="cite" class="">
<div class="">On Apr 16, 2018, at 7:21 AM, Ryan Sleevi via
Public &lt;<a href="mailto:public@cabforum.org" class=""
moz-do-not-send="true">public@cabforum.org</a>&gt; wrote:</div>
<br class="Apple-interchange-newline">
<div class="">
<div dir="ltr" class=""><br class="">
<div class="gmail_extra"><br class="">
<div class="gmail_quote">On Sun, Apr 15, 2018 at 2:18
AM, Dimitris Zacharopoulos via Public <span dir="ltr"
class="">&lt;<a href="mailto:public@cabforum.org"
target="_blank" class="" moz-do-not-send="true">public@cabforum.org</a>&gt;</span>
wrote:<br class="">
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF" class=""> <br
class="">
I am looking for two endorsers for the following
ballot.<br class="">
<br class="">
Dimitris.<br class="">
<br class="">
<p class="m_-1167569698070291640line867"><strong
class="">Ballot XXX - Update Section 8.4 for
CA audit criteria</strong> <span
class="m_-1167569698070291640anchor"
id="m_-1167569698070291640line-3"></span><span
class="m_-1167569698070291640anchor"
id="m_-1167569698070291640line-4"></span></p>
<p class="m_-1167569698070291640line874">The
following motion has been proposed by Dimitris
Zacharopoulos of HARICA and endorsed by ___ and
___<span class="m_-1167569698070291640anchor"
id="m_-1167569698070291640line-5"></span></p>
<p class="m_-1167569698070291640line867"><strong
class="">Background</strong>: <span
class="m_-1167569698070291640anchor"
id="m_-1167569698070291640line-7"></span><span
class="m_-1167569698070291640anchor"
id="m_-1167569698070291640line-8"></span></p>
<p class="m_-1167569698070291640line874">Section
8.4 of the Baseline Requirements describes the
audit criteria for CAs that issue
Publicly-Trusted SSL/TLS Certificates. This
ballot attempts to achieve two things: <span
class="m_-1167569698070291640anchor"
id="m_-1167569698070291640line-9"></span><span
class="m_-1167569698070291640anchor"
id="m_-1167569698070291640line-10"></span></p>
<ol class="" type="1">
<li class="">Remove the old ETSI TS documents <span
class="m_-1167569698070291640anchor"
id="m_-1167569698070291640line-11"></span></li>
<li class="">
<p class="m_-1167569698070291640line862">Align
the <a
class="m_-1167569698070291640nonexistent"
href="https://www.cabforum.org/wiki/WebTrust" target="_blank"
moz-do-not-send="true">WebTrust</a> and
ETSI requirements <span
class="m_-1167569698070291640anchor"
id="m_-1167569698070291640line-12"></span><span
class="m_-1167569698070291640anchor"
id="m_-1167569698070291640line-13"></span><span
class="m_-1167569698070291640anchor"
id="m_-1167569698070291640line-14"></span></p>
</li>
</ol>
<p class="m_-1167569698070291640line862">"<a
class="m_-1167569698070291640nonexistent"
href="https://www.cabforum.org/wiki/WebTrust"
target="_blank" moz-do-not-send="true">WebTrust</a>
for Certification Authorities" is equivalent to
"ETSI EN 319 401" and "<a
class="m_-1167569698070291640nonexistent"
href="https://www.cabforum.org/wiki/WebTrust"
target="_blank" moz-do-not-send="true">WebTrust</a>
Principles and Criteria for Certification
Authorities – SSL Baseline with Network
Security" is the equivalent of "ETSI EN 319
411-1". <span
class="m_-1167569698070291640anchor"
id="m_-1167569698070291640line-15"></span><span
class="m_-1167569698070291640anchor"
id="m_-1167569698070291640line-16"></span></p>
<p class="m_-1167569698070291640line867"><strong
class="">-- MOTION BEGINS --</strong> <span
class="m_-1167569698070291640anchor"
id="m_-1167569698070291640line-17"></span><span
class="m_-1167569698070291640anchor"
id="m_-1167569698070291640line-18"></span></p>
<p class="m_-1167569698070291640line874">Replace
the first two numbered items in section 8.4 of
the Baseline Requirements <span
class="m_-1167569698070291640anchor"
id="m_-1167569698070291640line-19"></span>from:
<span class="m_-1167569698070291640anchor"
id="m_-1167569698070291640line-20"></span><span
class="m_-1167569698070291640anchor"
id="m_-1167569698070291640line-21"></span></p>
<ol class="" type="1">
<li class="">
<p class="m_-1167569698070291640line891"><a
class="m_-1167569698070291640nonexistent"
href="https://www.cabforum.org/wiki/WebTrust" target="_blank"
moz-do-not-send="true">WebTrust</a> for
Certification Authorities v2.0; <span
class="m_-1167569698070291640anchor"
id="m_-1167569698070291640line-22"></span></p>
</li>
<li class="">A national scheme that audits
conformance to ETSI TS 102 042 / ETSI EN 319
411-1; or <span
class="m_-1167569698070291640anchor"
id="m_-1167569698070291640line-23"></span><span
class="m_-1167569698070291640anchor"
id="m_-1167569698070291640line-24"></span></li>
</ol>
<p class="m_-1167569698070291640line874">to: <span
class="m_-1167569698070291640anchor"
id="m_-1167569698070291640line-25"></span><span
class="m_-1167569698070291640anchor"
id="m_-1167569698070291640line-26"></span></p>
<ol class="" type="1">
<li class="">
<p class="m_-1167569698070291640line891"><a
class="m_-1167569698070291640nonexistent"
href="https://www.cabforum.org/wiki/WebTrust" target="_blank"
moz-do-not-send="true">WebTrust</a>
Principles and Criteria for Certification
Authorities – SSL Baseline with Network
Security; <span
class="m_-1167569698070291640anchor"
id="m_-1167569698070291640line-27"></span></p>
</li>
<li class="">A national scheme that audits
conformance to ETSI EN 319 411-1; or</li>
</ol>
</div>
</blockquote>
<div class=""><br class="">
</div>
<div class="">As noted several times that this has
come up in the past, your proposed change to #1 is
meaningfully and substantially different than what
is currently required. You are proposing *changing*
the audit scheme to a more restrictive set. That's
something in the past that browsers have objected
to, and for good reason.</div>
</div>
</div>
</div>
</div>
</blockquote>
<br class="">
</div>
<div>I agree with Ryan. Based on your description, Dimitris, of
the alignment between WebTrust and ETSI, it seems that the
appropriate change is to require WebTrust for CA v2.1 or a
national scheme that audits conformance to ETSI EN 319 401
V2.1.1.</div>
<div><br class="">
</div>
</blockquote>
<br>
Perhaps I missed that discussion but the intention here is to
include the superset of audit requirements for CAs that issue
Publicly-Trusted SSL/TLS Certificates. For example, ETSI EN 319
411-1 includes ETSI EN 319 401 as a prerequisite which is similar to
WebTrust for CAs v2. Are you saying that WebTrust for CAs SSL
Baseline with Network Security does not have WebTrust for CAs v2 as
a prerequisite?<br>
<br>
If that's the case, and if the Baseline Requirements apply to
SSL/TLS Certificates, then the logical requirement to make it
clearer would be:<br>
<ul>
<li>WebTrust for CAs + WebTrust for CAs SSL Baseline with Network
Security; or<br>
</li>
<li>ETSI EN 319 401 + ETSI EN 319 411-1</li>
</ul>
<p>Otherwise, if we only keep the WebTrust for CAs requirement as it
exists today, it would make more sense to require ETSI EN 319
401 (as Peter suggested) instead of 411-1 which includes parts of
the baseline requirements and network security.<br>
</p>
Is there any compelling reason why we shouldn't require both?<br>
<br>
Peter, we could include version numbers and some language to state
"or newer", otherwise we might end up with out-of-date versions.
Also, I noticed that WebTrust provides guidance on which versions
should be used for which audit periods so there might be CAs audited
against v2.0 and others against v2.1.<br>
<br>
<br>
Dimitris.<br>
<br>
<br>
<blockquote type="cite"
cite="mid:8800B237-DBF3-43C0-9469-C9B8C2D6D1E2@amzn.com">
<div>Thanks,</div>
<div>Peter</div>
</blockquote>
<br>
</body>
</html>