[cabfpub] RV: [cabfman] Ballot 171? for updating the ETSI standards in the CABF documents

Ryan Sleevi sleevi at google.com
Mon Jun 13 12:56:53 UTC 2016

On Mon, Jun 13, 2016 at 12:40 AM, Barreira Iglesias, Iñigo <
i-barreira at izenpe.eus> wrote:

> Inigo,
> I'm not sure how this is meaningfully different than how we handle EV
> audits, which root stores also require the BR audits.
> Same here

This doesn't answer the question, and I have no clue what you're trying to

> I've reviewed 411-1 and 411-2, and the outstanding question you didn't
> answer is what prevents a CA from getting audited under EVCP when getting a
> QCP-w audit.
> A CA can issue an EV when passes 411-1 under EVCP policy. To get a QCPw,
> the CA has to pass the 411-2

That's not what I'm asking about.

To get QCP-w, a CA has to pass 411-2. Yes, 411-2 tries to incorporate by
reference, where applicable, 411-1. What I'm specifically asking is if a CA
has to get/pass 411-2, why can they not get audited, at the same time, to
411-1 under EVCP? What prevents this?

Under the WebTrust schemes, as practiced by root stores, a CA wishing to be
audited under WebTrust for CAs also gets audited under WebTrust for BRs and
WebTrust. That is, three audits. (The notion of an EV-only CA is not made
by root stores that I'm aware of, since to issue EV they necessarily are
trusted to issue TLS).

As a root store, there's zero interest in understanding or recognizing
QCP-w. So if a CA wants to be recognized as EV, it would need to present a
411-1 EVCP audit. My understanding is that a CA getting a 411-2 QCPw audit
should have no trouble getting a 411-1 EVCP audit, and then there's no
ambiguity that the CA is conforming to 411-1 EVCP. Why doesn't that work?
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20160613/1bb43983/attachment-0003.html>

More information about the Public mailing list