[cabfpub] When did the WebTrust/ETSI BR audit requirement become mandatory?

i-barreira at izenpe.net i-barreira at izenpe.net
Fri Feb 20 07:33:17 UTC 2015



From the ETSI side, you know that the CAs that want to be ETSI audited according to the BRs can do it according to the TS 102 042 v 2.4.1, which has been effective since February 2013.

OTOH mandating the CAs to be certified against ETSI, up to the regulation, that was on a voluntary basis. The regulation was approved last year and it mandates the certification (not decided yet which ones) for those service providers that want to issue qualified services and become a Qualified TSP by July 2016 with a year to send the conformity assessment to the supervisory body.


So, the answer is that by July 2016 (having a year to do so) all TSPs that issue qualified certificates and are “under” the regulation shall be certified, probably against ETSI standards like the new ENs.



Iñigo Barreira
Head of the Technical Area
i-barreira at izenpe.net






From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On behalf of kirk_hall at trendmicro.com
Sent: Thursday, February 19, 2015 18:00
To: CABFPub (public at cabforum.org)
Subject: [cabfpub] When did the WebTrust/ETSI BR audit requirement become mandatory?


On our Forum call today, we asked when a WebTrust/ETSI BR audit requirement became mandatory for CAs.


Ballot 62 (Nov. 2011) adopted the BRs effective July 1, 2012.  However, there were no audit criteria in place for some time. 


I did some quick research, and the answer is not clear as to when the audit criteria came into effect.  The WebTrust draft audit requirements were completed by early 2013, and I see comments that Mozilla adopted the BR audit as a program requirement at the Mountain View meeting in Feb. 2013.  Here is the current Mozilla requirement at Sec. 11: https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/inclusion/ 


As I recall, the initial Mozilla BR audit requirement was not clear as to exact effective date (what operational period must be covered by a CA’s initial BR audit).  I vaguely recall Mozilla clarifying the rule at our Feb. 2013 meeting at Mountain View that all CA operations occurring on or after Feb. 15, 2013 must be covered by a BR audit – so some CAs did partial-year initial BR audits to align their BR audits with their other audits.


Based on all this, I would say all CAs should have full year BR audits in place by now.  We can change our Bylaw on membership at Bylaw 2.1 to reflect this.


Kirk R. Hall

Operations Director, Trust Services

Trend Micro




