<div dir="ltr"><div dir="ltr"><br></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Thu, Jan 24, 2019 at 2:30 PM Dimitris Zacharopoulos (HARICA) via Public <<a href="mailto:public@cabforum.org">public@cabforum.org</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div bgcolor="#FFFFFF">
<br>
<br>
<div class="gmail-m_7363109640286725785moz-cite-prefix">On 24/1/2019 8:16 μ.μ., Wayne Thayer
via Public wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">
<div dir="ltr">
<div>On today's call we discussed a number of changes to the
bylaws aimed at clarifying the rules for membership. The
proposal for section 2.1(a)(1) resulting from today's
discussion is:</div>
<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Certificate Issuer: The
member organization operates a certification authority that
has a publicly-available audit report or attestation
statement that meets the following requirements:<br>
* Is based on the full, current version of the WebTrust for
CAs, ETSI EN 319 411-1 , or ETSI EN 319 411-2 audit criteria<br></blockquote></div></div></blockquote></div></blockquote><div>Using the example reports for discussion ( <a href="http://www.webtrust.org/practitioner-qualifications/docs/item85808.pdf">http://www.webtrust.org/practitioner-qualifications/docs/item85808.pdf</a> )</div><div><br></div><div>If a CA does not escrow CA keys, does not provide subscriber key generation services, or suspension services, does that count as being based on the "full, current version"? (Page 11, paragraph 2)</div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div bgcolor="#FFFFFF"><blockquote type="cite"><div dir="ltr"><div dir="ltr"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
* Covers a period of at least 60 days<br></blockquote></div></div></blockquote></div></blockquote><div>I'm curious for feedback from the ETSI folks, but perhaps a more inclusive definition would be</div><div>- "Reports on the operational effectiveness of controls for a historic period of at least 60 days"</div><div><br></div><div>The context being that ETSI is a certification scheme, but as part of that certification, the CAB "may" ("should") examine the historic evidence for some period of time. 7.9 of 319 403 only requires "since the previous audit"</div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div bgcolor="#FFFFFF"><blockquote type="cite"><div dir="ltr"><div dir="ltr"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
* Covers a period that ends within the past 15 months<br></blockquote></div></div></blockquote></div></blockquote><div>This may also be resting on the BR definition of Audit Period. I can see similar ambiguities arising with respect to ETSI and that its certification decisions last two years, not one, thus it might cause a CA to believe that they have up to three years from first completing their audit (that is, if the letter is issued at T=2 years, covering T=0 to T=2, and is valid to T=4 years, then the CA may believe it's covered until T=5 years and 3 months)</div><div><br></div><div>There's also the potential of surveillance audits conducted over specific issues being resolved, without being a full recertification (e.g. if the CAB classified it as a minor non-conformity)</div><div><br></div><div>"With no more than 27 months having elapsed since the beginning of the reported-on period and no more than 15 months since the end of the reported-on period"</div><div><br></div><div>It's a mouthful, but perhaps there's a more concise way to capture that unambiguously.</div></div></div>