[cabfpub] Ballot proposal - Update Section 8.4 for CA audit criteria

Peter Bowen pzb at amzn.com
Mon Apr 16 07:57:58 MST 2018



> On Apr 16, 2018, at 7:21 AM, Ryan Sleevi via Public <public at cabforum.org> wrote:
> 
> On Sun, Apr 15, 2018 at 2:18 AM, Dimitris Zacharopoulos via Public <public at cabforum.org> wrote:
> 
> > I am looking for two endorsers for the following ballot.
> > 
> > Dimitris.
> > 
> > Ballot XXX - Update Section 8.4 for CA audit criteria
> > 
> > The following motion has been proposed by Dimitris Zacharopoulos of HARICA and endorsed by ___ and ___
> > 
> > Background:
> > 
> > Section 8.4 of the Baseline Requirements describes the audit criteria for CAs that issue Publicly-Trusted SSL/TLS Certificates. This ballot attempts to achieve two things:
> > 
> > 1. Remove the old ETSI TS documents
> > 2. Align the WebTrust and ETSI requirements
> > 
> > "WebTrust for Certification Authorities" is equivalent to "ETSI EN 319 401" and "WebTrust Principles and Criteria for Certification Authorities – SSL Baseline with Network Security" is the equivalent of "ETSI EN 319 411-1".
> > 
> > -- MOTION BEGINS --
> > 
> > Replace the first two numbered items in section 8.4 of the Baseline Requirements from:
> > 
> > 1. WebTrust for Certification Authorities v2.0;
> > 2. A national scheme that audits conformance to ETSI TS 102 042 / ETSI EN 319 411-1; or
> > 
> > to:
> > 
> > 1. WebTrust Principles and Criteria for Certification Authorities – SSL Baseline with Network Security;
> > 2. A national scheme that audits conformance to ETSI EN 319 411-1; or
> 
> As noted several times that this has come up in the past, your proposed change to #1 is meaningfully and substantially different than what is currently required. You are proposing *changing* the audit scheme to a more restrictive set. That's something in the past that browsers have objected to, and for good reason.

I agree with Ryan.  Based on your description, Dimitris, of the alignment between WebTrust and ETSI, it seems that the appropriate change is to require WebTrust for CA v2.1 or a national scheme that audits conformance to ETSI EN 319 401 V2.1.1.

Thanks,
Peter