[cabfpub] When to stop accepting old ETSI audits?

tScheme Technical Manager richard.trevorah at tscheme.org
Tue Nov 29 12:33:00 UTC 2016 

Hi Peter,

 

I totally agree that Mozilla is free to set its own policy. I was just commenting that, if the basis of that policy is comparability with eIDAS then the cutoff there was 30 June 2016 after which all assessments had/have to be carried out under the new Regulation and at the latest by 1 July 2017.

 

All the transitional arrangements do is to say that any provider considered already to be ‘Qualified’ under the old basis on 1 July 2016 could continue to be considered ‘Qualified’ under the new basis until they submit their next report (against eIDAS) which has to be by 1 July 2017 at the latest.

 

Regards

Richard

------------------------------------

Richard Trevorah

Technical Manager

tScheme Limited

 

M: +44 (0) 781 809 4728

F: +44 (0) 870 005 6311

 

http://www.tscheme.org

------------------------------------

 

The information in this message and, if present, any attachments are intended solely for the attention and use of the named addressee(s). The content of this e-mail and its attachments is confidential and may be legally privileged. Unless otherwise stated, any use or disclosure is unauthorised and may be unlawful. 

 

If you are not the intended recipient, please delete the message and any attachments and notify the sender as soon as practicable

 

From: Miskovic Peter [mailto:Peter.Miskovic at disig.sk] 
Sent: Tuesday, November 29, 2016 7:10 AM
To: CA/Browser Forum Public Discussion List; 'Moudrick M. Dadashov'
Cc: tScheme Technical Manager
Subject: RE: [cabfpub] When to stop accepting old ETSI audits?

 

Hi Richard,

according my opinion this is true only for those audits which TSP shall provide for the supervisory body (eIDAS Regulation Article 17) at least every 24 month. Mozilla is not such supervisory body so it’s on their decision what will be accepted. I agree with Inigo and Moudrick that the July 1, 2017 is reasonable date because at June 30, 2017 ends transitional measure (eIDAS Regulation, Artice 51 (3)) for submitting conformity assessment report to the supervisory body according eIDAS regulation. So all EU TSP  which are qualified TSP now due the transitional measure (eIDAS Regulation, Artice 51 (3))  still has a time to wait  with such type of audit. 

 

Regards

Peter 

 

From: Public [mailto:public-bounces at cabforum.org] On Behalf Of tScheme Technical Manager via Public
Sent: Tuesday, November 29, 2016 12:59 AM
To: 'Moudrick M. Dadashov' <md at ssc.lt>; 'CA/Browser Forum Public Discussion List' <public at cabforum.org>
Cc: tScheme Technical Manager <richard.trevorah at tScheme.org>
Subject: Re: [cabfpub] When to stop accepting old ETSI audits?

 

That is certainly true in some Member States (UK included) but is doesn’t alter fact that eIDAS came into force on 1st July 2016 and any Conformity Assessment Report submitted after that date would have to demonstrate compliance with the eIDAS regulation – and the old ETSI TS are not sufficient for that purpose.

 

However, I believe that some MS have produced their Supervisory Body requirements (e.g. LU, MT & SE) and there are also some very detailed guidelines being drafted by ENISA that can be viewed at https://www.enisa.europa.eu/topics/trust-services/guidelines/

 

Cheers

Richard

------------------------------------
Richard Trevorah
Technical Manager
tScheme Limited

M: +44 (0) 781 809 4728
F: +44 (0) 870 005 6311

http://www.tscheme.org
------------------------------------

The information in this message and, if present, any attachments are intended solely for the attention and use of the named addressee(s). The content of this e-mail and its attachments is confidential and may be legally privileged. Unless otherwise stated, any use or disclosure is unauthorised and may be unlawful.

If you are not the intended recipient, please delete the message and any attachments and notify the sender as soon as practicable

 

 

From: Moudrick M. Dadashov [ <mailto:md at ssc.lt> mailto:md at ssc.lt] 
Sent: 28 November 2016 23:33
To: tScheme Technical Manager; 'CA/Browser Forum Public Discussion List'
Subject: Re: [cabfpub] When to stop accepting old ETSI audits?

 

Indeed, Richard, but unfortunately what used to be a single step (audit) now needs two steps - the TSPs need to meet also the [non-existing] supervisor requirements.

Thanks,
M.D.   

On 11/29/2016 1:05 AM, tScheme Technical Manager wrote:

Technically, eIDAS gave July 2016 as the cutoff but allowed one year for transition. However, it states that any audits after July 2016 must use new requirements.

 

Cheers

Richard

------------------------------------
Richard Trevorah
Technical Manager
tScheme Limited

M: +44 (0) 781 809 4728
F: +44 (0) 870 005 6311

http://www.tscheme.org
------------------------------------

The information in this message and, if present, any attachments are intended solely for the attention and use of the named addressee(s). The content of this e-mail and its attachments is confidential and may be legally privileged. Unless otherwise stated, any use or disclosure is unauthorised and may be unlawful.

If you are not the intended recipient, please delete the message and any attachments and notify the sender as soon as practicable

 

 

From: Public [ <mailto:public-bounces at cabforum.org> mailto:public-bounces at cabforum.org] On Behalf Of Moudrick M. Dadashov via Public
Sent: 28 November 2016 22:59
To: CA/Browser Forum Public Discussion List
Cc: Moudrick M. Dadashov
Subject: Re: [cabfpub] When to stop accepting old ETSI audits?

 

Yes, July 2017 is reasonable - the new ones require extra bureaucracy with the supervisors.

Thanks,
M.D. 

On 11/28/2016 3:44 PM, Gervase Markham via Public wrote:

Dear CAB Forum members,
 
Ballot 171, passed on 1st July 2016, updated the BRs to remove the old
ETSI criteria (ETSI TS 101 456 V1.4.3 or ETSI TS 102 042 V2.3.1) and add
the new ones (ETSI EN 319 411-1 v1.1.1 or ETSI EN 319 411-2 v2.1.1).
This change was made in BRs v.1.3.6. However, no dates were associated
with the change.
 
Mozilla CA Policy 2.3 (about to be published) permits either set of
criteria to be used.
 
By what date would it be reasonable for Mozilla to require that all new
ETSI audits use the new criteria?
 
Inigo says that eIDAS (which, of course, refers only to the issuance of
Qualified certificates) have specified July 2017 as the end date for the
old criteria. Would that be a reasonable choice?
 
Gerv
_______________________________________________
Public mailing list
Public at cabforum.org
https://cabforum.org/mailman/listinfo/public

 

 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20161129/18c214b9/attachment-0003.html>

More information about the Public mailing list