[cabfpub] Ballot proposal - Update Section 8.4 for CA audit criteria

Dimitris Zacharopoulos jimmy at it.auth.gr
Mon Apr 16 16:55:08 UTC 2018



On 16/4/2018 5:57 PM, Peter Bowen wrote:
>
>
>> On Apr 16, 2018, at 7:21 AM, Ryan Sleevi via Public 
>> <public at cabforum.org <mailto:public at cabforum.org>> wrote:
>>
>>
>>
>> On Sun, Apr 15, 2018 at 2:18 AM, Dimitris Zacharopoulos via Public 
>> <public at cabforum.org <mailto:public at cabforum.org>> wrote:
>>
>>
>>     I am looking for two endorsers for the following ballot.
>>
>>     Dimitris.
>>
>>     *Ballot XXX - Update Section 8.4 for CA audit criteria*
>>
>>     The following motion has been proposed by Dimitris Zacharopoulos
>>     of HARICA and endorsed by ___ and ___
>>
>>     *Background*:
>>
>>     Section 8.4 of the Baseline Requirements describes the audit
>>     criteria for CAs that issue Publicly-Trusted SSL/TLS
>>     Certificates. This ballot attempts to achieve two things:
>>
>>      1. Remove the old ETSI TS documents
>>      2. Align the WebTrust <https://www.cabforum.org/wiki/WebTrust>
>>         and ETSI requirements
>>
>>     "WebTrust <https://www.cabforum.org/wiki/WebTrust> for
>>     Certification Authorities" is equivalent to "ETSI EN 319 401" and
>>     "WebTrust <https://www.cabforum.org/wiki/WebTrust> Principles and
>>     Criteria for Certification Authorities – SSL Baseline with
>>     Network Security" is the equivalent of "ETSI EN 319 411-1".
>>
>>     *-- MOTION BEGINS --*
>>
>>     Replace the first two numbered items in section 8.4 of the
>>     Baseline Requirements from:
>>
>>      1. WebTrust <https://www.cabforum.org/wiki/WebTrust> for
>>         Certification Authorities v2.0;
>>      2. A national scheme that audits conformance to ETSI TS 102 042
>>         / ETSI EN 319 411-1; or
>>
>>     to:
>>
>>      1. WebTrust <https://www.cabforum.org/wiki/WebTrust> Principles
>>         and Criteria for Certification Authorities – SSL Baseline
>>         with Network Security;
>>      2. A national scheme that audits conformance to ETSI EN 319
>>         411-1; or
>>
>>
>> As noted several times that this has come up in the past, your 
>> proposed change to #1 is meaningfully and substantially different 
>> than what is currently required. You are proposing *changing* the 
>> audit scheme to a more restrictive set. That's something in the past 
>> that browsers have objected to, and for good reason.
>
> I agree with Ryan.  Based on your description, Dimitris, of the 
> alignment between WebTrust and ETSI, it seems that the appropriate 
> change is to require WebTrust for CA v2.1 or a national scheme that 
> audits conformance to ETSI EN 319 401 V2.1.1.
>

Perhaps I missed that discussion but the intention here is to include 
the superset of audit requirements for CAs that issue Publicly-Trusted 
SSL/TLS Certificates. For example, ETSI EN 319 411-1 includes ETSI EN 
319 401 as a prerequisite, which is similar to WebTrust for CAs v2. Are 
you saying that WebTrust for CAs SSL Baseline with Network Security does 
not have WebTrust for CAs v2 as a prerequisite?

If that's the case, and if the Baseline Requirements apply to SSL/TLS 
Certificates, then the logical requirement to make it clearer would be:

  * WebTrust for CAs + WebTrust for CAs SSL Baseline with Network
    Security; or
  * ETSI EN 319 401 + ETSI EN 319 411-1

Otherwise, if we only keep the WebTrust for CAs requirement as it exists 
today, it would make more sense to require for ETSI EN 319 401 (as Peter 
suggested) instead of 411-1 which includes parts of the baseline 
requirements and network security.

Is there any compelling reason why we shouldn't require both?

Peter, we could include version numbers and some language to state "or 
newer", otherwise we might end up with out-of-date versions. Also, I 
noticed that WebTrust provides guidance on which versions should be used 
for which audit periods so there might be CAs audited against v.2.0 and 
others against v2.1.


Dimitris.


> Thanks,
> Peter
