[cabfpub] Ballot 107 - Removing version numbers to WebTrust and ETSI standards from CABF Guidelines (EVG and BR)

Ben Wilson ben at digicert.com
Fri Jul 26 16:28:48 MST 2013


Ballot 107 – Removing version numbers to WebTrust and ETSI standards from
CABF Guidelines (EVG and BR) 

Mads Henriksveen made the following motion, and Iñigo Barreira from Izenpe
and Kirk Hall from Trend Micro endorsed it:

Motion Begins

EFFECTIVE IMMEDIATELY, in order to remove unnecessary specificity in the
Baseline Requirements (BRs), we propose that the following edits be made to
the BRs:  

In Document History, DELETE:  “and are currently in effect. See
http://www.webtrust.org/homepage-documents/item27839.aspx and also
http://www.etsi.org/deliver/etsi_ts/102000_102099/102042/02.03.01_60/ts_102042v020301p.pdf” as follows:

Document History 

Implementers’ Note: Version 1.1 of these SSL Baseline Requirements was
published on September 14, 2012. Version 1.1 of WebTrust’s SSL Baseline
Audit Criteria and ETSI Technical Standard Electronic Signatures and
Infrastructures (ESI) 102 042 version 2.3.1 incorporate version 1.1 of these
Baseline Requirements and are currently in effect. See
http://www.webtrust.org/homepage-documents/item27839.aspx and also
http://www.etsi.org/deliver/etsi_ts/102000_102099/102042/02.03.01_60/ts_102042v020301p.pdf.

Section 3. References 

In Section 3 References, 

INSERT “119 403,” in between “ETSI TS” and “Electronic Signatures and
Infrastructures” and 

DELETE “available at:
http://www.etsi.org/deliver/etsi_ts/119400_119499/119403/01.01.01_60/ts_119403v010101p.pdf” as follows:

ETSI TS 119 403, Electronic Signatures and Infrastructures (ESI); Trust
Service Provider Conformity Assessment - General Requirements and Guidance
available at:
http://www.etsi.org/deliver/etsi_ts/119400_119499/119403/01.01.01_60/ts_119403v010101p.pdf

DELETE “V2.1.1” as follows:

ETSI TS 102 042 V2.1.1, Electronic Signatures and Infrastructures (ESI);
Policy requirements for certification authorities issuing public key
certificates. 

DELETE “Version 2.0, available at
http://www.webtrust.org/homepage-documents/item27839.aspx” as follows:

WebTrust Program for Certification Authorities Version 2.0, available at
http://www.webtrust.org/homepage-documents/item27839.aspx. 

In Section 17.1 Eligible Audit Schemes,  DELETE “v.2.0” and in subsection 2.
DELETE “A national scheme that audits conformance to” as follows:

The CA SHALL undergo an audit in accordance with one of the following
schemes: 
1. WebTrust Program for Certification Authorities v2.0 audit; 
2. A national scheme that audits conformance to ETSI TS 102 042 audit
including DVCP, OVCP, EVCP or EVCP+; 
3. A scheme that audits conformance to ISO 21188:2006; or 
4. If a Government CA is required by its Certificate Policy to use a
different internal audit scheme, it MAY use such scheme provided that the
audit either (a) encompasses all requirements. 

AND EFFECTIVE IMMEDIATELY, in order to remove unnecessary specificity in the
EV Guidelines (EVGs) we propose that the following edits be made to the
EVGs:  

In Section 8.2.1 Implementation, DELETE “(ii)” and “V2.1.1” as follows: 

(B) Implement the requirements of (i) the then-current WebTrust Program for
CAs, and (ii) the then-current WebTrust EV Program or (ii) the then-current
ETSI TS 102 042 EV Certificate Policies (EVCP or EVCP+) V2.1.1; and 

In Section 8.2.2 Disclosure, DELETE “V.2.1.1” as follows: 

Each CA MUST publicly disclose their EV Policies through an appropriate and
readily accessible online means that is available on a 24x7 basis. The CA is
also REQUIRED to publicly disclose its CA business practices as required by
both WebTrust for CAs and ETSI TS 102 042 V2.1.1. The disclosures MUST be
structured in accordance with either RFC 2527 or RFC 3647. 

In Section 17.1 Eligible Audit Schemes, DELETE “V.2.1.1” as follows: 

A CA issuing EV Certificates SHALL undergo an audit in accordance with one
of the following schemes: 
(i) WebTrust Program for Certification Authorities audit and WebTrust EV
Program audit, or 
(ii) ETSI TS 102 042 v2.1.1 audit including EVCP or EVCP+. 

In subsection (2) of Section 17.4 Pre-Issuance Readiness Audit, DELETE
“V.2.1.1” as follows:

(2) If the CA has a currently valid ETSI 102 042 audit, then, before issuing
EV Certificates, the CA and its Root CA MUST successfully complete a
point-in-time readiness assessment audit against ETSI TS 102 042 V2.1.1 EVCP
or EVCP+.

(3) If the CA does not have a currently valid WebTrust Seal of
Assurance for CAs or an ETSI 102 042 audit, then, before issuing EV
Certificates, the CA and its Root CA MUST successfully complete either: (i)
a point-in-time readiness assessment audit against the WebTrust for CA
Program, or (ii) a point-in-time readiness assessment audit against the
WebTrust EV Program, or an ETSI TS 102 042 V2.1.1. audit including EVCP or
EVCP+.

The review period for this ballot shall commence at 2200 UTC on July 26th,
2013 and will close at 2200 UTC on August 2nd, 2013. Unless the motion is
withdrawn during the review period, the voting period will start immediately
thereafter and will close at 2200 UTC on August 9th, 2013. Votes must be
cast by posting an on-list reply to this thread. 

Motion Ends 

A vote in favor of the motion must indicate a clear 'yes' in the response. A
vote against must indicate a clear 'no' in the response. A vote to abstain
must indicate a clear 'abstain' in the response. Unclear responses will not
be counted. The latest vote received from any representative of a voting
member before the close of the voting period will be counted. Voting members
are listed here: http://www.cabforum.org/forum.html 

 

In order for the motion to be adopted, two thirds or more of the votes cast
by members in the CA category and one half or more of the votes cast by
members in the browser category must be in favor. Also, at least seven
members must participate in the ballot, either by voting in favor, voting
against, or abstaining.
