[cabfpub] [cabfman] Ballot 171? for updating the ETSI standards in the CABF documents

Barreira Iglesias, Iñigo i-barreira at izenpe.eus
Tue Jun 14 01:05:25 MST 2016


Erwann,

Some clarifications.


· ETSI has not yet replaced TS 102 042 but will do so soon.

· ETSI does not impose the use of any standard; ETSI just produces standards that the groups can use, but does not say when or why you can use this one or that one.

· TS 102 042 v2.4.1 is the latest version and hasn't been updated for more than 2 years.

· At last year's CABF meeting at Baden, ETSI presented a proposal (as said, ETSI can't say anything about using any standard, because while they are live they can be used) for using TS 102 042 up to July 1st 2016 and after that date using only the newer EN 319 411-1. This was a proposal to the CABF and, well, despite I've asked several times for a change (there was no ballot at the time to approve either the WebTrust or the ETSI, so I didn't know that there was a need now, but in any case, the ballot is out there looking for a second endorser). Of course those ETSI TS 102 042 audits done before July 1st 2016 should remain valid at least until July 1st 2017, at which point ETSI will probably withdraw the TS standard, if not before.

· The eIDAS regulation does not impose any standard for issuing any kind of cert; it is the industry that does that. In this particular case, ETSI is asking the CABF to update the documents to be used by CAs to be audited to the newest one, because TS 102 042 is not updated and is quite old.

· The eIDAS regulation will not have any implementing act that says to use any ETSI standard for this. It has been requested many times but they don't want to mandate the use of specific standards.

So, in summary, at the moment any CA anywhere in the world can still use TS 102 042 for web server certificates, but it has no meaning to be audited against a standard that hasn't been updated for more than 2 years and does not take into account all the changes that have been applied during this time. But if the CABF decides that TS 102 042 is still valid, I have nothing to say. What I'm trying to propose is to accept the new one, and if you think that it needs to be rephrased, let me know where we can improve the text.

OTOH, even if TS 102 042 is still valid, EN 319 403 imposes some requirements on CABs to perform the ETSI audits, and what is indicated in Annex E of TS 102 042 is not what is required in EN 319 403 and is not what was agreed at the last CABF meeting at Bilbao (in yellow below)

The accreditation scheme adopted by EA and its members to be applied, as a consensus, by all EA members is indeed an accreditation scheme based under ISO/IEC 17065 completed with the specific requirements in EN 319 403 for CAB and with the demonstration by the CAB that they have the competence and skills to assess the eIDAS QTSP/QTS against the applicable requirements of the eIDAS Regulation with regards to the type of QTSP/QTS being assessed. There are three parts to the accreditation scheme as presented by/on behalf of EA at the eIDAS Expert Group Meeting:
For a conformity assessment report to be recognised as meeting the requirements of eIDAS Regulation (Art. 20, Art.21) and recognised by a EU MS SB, it must not only have been issued by a CAB accredited under Reg. 765/2008, under ISO/IEC 17065 for complying with the specific requirements in EN 319 403, but also for certifying QTSP/QTS against the applicable requirements of the eIDAS Regulation with regards to the assessed type of QTSP/QTS.
So your statement should read:

A CAB accredited under ISO/IEC 17065 complying with the specific requirements in EN 319 403 can issue a conformance report that is recognized

· by eIDAS EUMS Supervisory Body, provided the CAB is accredited under ISO 17065/EN 319 403 to have the competence and skills to assess/certify the eIDAS QTSP/QTS as meeting the applicable requirements of the eIDAS Regulation with regards to the type of QTSP/QTS being assessed and provided that the CAR certifies that the assessed QTSP/QTS meets the applicable requirements of the eIDAS Regulation.

· by CAB/Forum, provided the CAB is accredited under ISO 17065/EN 319 403 to have the competence and skills to assess the TSP/TS against a set of specifications that CAB/Forum (or actually the Browsers/Application providers being part of CAB/Forum) would recognise as acceptable to meet their requirements.

And furthermore, the only CAB accredited in France, for example, is not performing ETSI TS 102 042/101 456 audits any more since the new ENs were published, so some time before the new eIDAS regulation applies.

Summarizing, you can be audited against TS 102 042 but it makes no sense, and only for a limited period of time. It's not worth it.

Regards

Iñigo Barreira
Head of the Technical Area
i-barreira at izenpe.eus
945067705


From: Erwann Abalea [mailto:Erwann.Abalea at docusign.com]
Sent: Monday, 13 June 2016 15:14
To: Barreira Iglesias, Iñigo
CC: CABFPub
Subject: Re: [cabfman] Ballot 171? for updating the ETSI standards in the CABF documents

Hello,

More on this subject.

102042 is not yet abandoned, it hasn’t even officially been replaced by 319411-1 yet, it seems premature to remove any reference to 102042.
What is missing in Europe is a delegated act to impose 319411. The only official change I see is from TS 119403 to EN 319403.

It may be possible for a CA to be TS 102042-audited for web server certificates after July 1st 2016. Even in Europe.

Regards,
Erwann Abalea

On 9 June 2016 at 08:36, Barreira Iglesias, Iñigo <i-barreira at izenpe.eus> wrote:

Yes, the effective date for these new audits is to start on July 1st 2016; the audits performed against TS before that date remain valid for one year until July 1st 2017.


Iñigo Barreira
Head of the Technical Area
i-barreira at izenpe.eus
945067705


From: Erwann Abalea [mailto:Erwann.Abalea at docusign.com]
Sent: Wednesday, 8 June 2016 15:38
To: Barreira Iglesias, Iñigo
CC: management at cabforum.org
Subject: Re: [cabfman] Ballot 171? for updating the ETSI standards in the CABF documents

Hello,

There’s a one year transition period where a CA can have an ETSI 102042 audit performed less than one year ago. If the proposed ballot passes, would such a CA be still eligible?

Regards,
Erwann Abalea

On 8 June 2016 at 14:37, Barreira Iglesias, Iñigo <i-barreira at izenpe.eus> wrote:

Ballot 171 – Updating the ETSI standards in the CABF documents
The following motion has been proposed by Iñigo Barreira of Izenpe and endorsed by XXX and XXX:
-- MOTION BEGINS --
In the BRs,
In section 1.6.3 References, change:
ETSI TS 119 403, Electronic Signatures and Infrastructures (ESI); Trust Service Provider Conformity Assessment ‐ General Requirements and Guidance.
ETSI TS 102 042, Electronic Signatures and Infrastructures (ESI); Policy requirements for certification authorities issuing public key certificates.
With
ETSI EN 319 403, Electronic Signatures and Infrastructures (ESI); Trust Service Provider Conformity Assessment - Requirements for conformity assessment bodies assessing Trust Service Providers

ETSI EN 319 411-1, Electronic Signatures and Infrastructures (ESI); Policy and security requirements for Trust Service Providers issuing certificates;
Part 1: General requirements

ETSI EN 319 411-2, Electronic Signatures and Infrastructures (ESI); Policy and security requirements for Trust Service Providers issuing certificates;
Part 2: Requirements for trust service providers issuing EU qualified certificates
In section 8.2 Identity/qualification of assessor, point 4, change:
4. (For audits conducted in accordance with any one of the ETSI standards) accredited in accordance with ETSI TS 119 403, or accredited to conduct such audits under an equivalent national scheme, or accredited by a national accreditation body in line with ISO 27006 to carry out ISO 27001 audits;

With

4. (For audits conducted in accordance with any one of the ETSI standards) accredited in accordance with ETSI EN 319 403;

In section 8.4 Topics covered by assessment, point 2, change:
2. A national scheme that audits conformance to ETSI TS 102 042;
With
2. A national scheme that audits conformance to ETSI EN 319 411-1;
In the EV guidelines,

In section 8.2.1 Implementation, point (B), change:

(B)  Implement the requirements of (i) the then-current WebTrust Program for CAs, and (ii) the then-current WebTrust
EV Program or ETSI TS 102 042; and

With

(B)  Implement the requirements of (i) the then-current WebTrust Program for CAs, and (ii) the then-current WebTrust
EV Program or ETSI EN 319 411-1 for EVCP policy or ETSI EN 319 411-2 for QCP-w policy; and


In section 8.2.2 Disclosure, change:

The CA is also REQUIRED to publicly disclose its CA business practices as required by both WebTrust for CAs and ETSI TS 102 042.

With

The CA is also REQUIRED to publicly disclose its CA business practices as required by both WebTrust for CAs and ETSI EN 319 411-1 or ETSI EN 319 411-2.


In section 17.1 Eligible audit schemes, point (ii), change:

(ii) ETSI TS 102 042 audit

With

(ii) ETSI EN 319 411-1 audit for EVCP policy or ETSI EN 319 411-2 audit for QCP-w policy


In section 17.4 pre-issuance readiness audit, point (2), change:

(2) If the CA has a currently valid ETSI 102 042 audit, then, before issuing EV Certificates, the CA and its Root CA MUST
successfully complete a point-in-time readiness assessment audit against ETSI TS 102 042.

With

(2) If the CA has a currently valid ETSI EN 319 411-1 audit for EVCP policy or ETSI EN 319 411-2 for QCP-w policy, then, before issuing EV Certificates, the CA and its Root CA MUST successfully complete a point-in-time readiness assessment audit against these ETSI standards.


In section 17.4 pre-issuance readiness audit, point (3), change:

(3) If the CA does not have a currently valid WebTrust Seal of Assurance for CAs or an ETSI 102 042 audit, then, before
issuing EV Certificates, the CA and its Root CA MUST successfully complete either: (i) a point-in-time readiness
assessment audit against the WebTrust for CA Program, or (ii) a point-in-time readiness assessment audit against the
WebTrust EV Program, or an ETSI TS 102 042 audit.

With

(3) If the CA does not have a currently valid WebTrust Seal of Assurance for CAs or an ETSI EN 319 411-1 audit for EVCP policy or ETSI EN 319 411-2 for QCP-w policy, then, before issuing EV Certificates, the CA and its Root CA MUST successfully complete either: (i) a point-in-time readiness assessment audit against the WebTrust for CA Program, or (ii) a point-in-time readiness assessment audit against the WebTrust EV Program, or an ETSI EN 319 411-1 for EVCP or ETSI EN 319 411-2 for QCP-w audit.
-- MOTION ENDS --
The review period for this ballot shall commence at 2200 UTC on 13 June 2016, and will close at 2200 UTC on 20 June 2016. Unless the motion is withdrawn during the review period, the voting period will start immediately thereafter and will close at 2200 UTC on 26 June 2016. Votes must be cast by posting an on-list reply to this thread.
A vote in favor of the motion must indicate a clear 'yes' in the response. A vote against must indicate a clear 'no' in the response. A vote to abstain must indicate a clear 'abstain' in the response. Unclear responses will not be counted. The latest vote received from any representative of a voting member before the close of the voting period will be counted. Voting members are listed here: https://cabforum.org/members/
In order for the motion to be adopted, two thirds or more of the votes cast by members in the CA category and greater than 50% of the votes cast by members in the browser category must be in favor. Quorum is currently ten (10) members – at least ten members must participate in the ballot, either by voting in favor, voting against, or abstaining.



Iñigo Barreira
Head of the Technical Area
i-barreira at izenpe.eus
945067705
