I've gone ahead and removed references to ETSI TS 101 456 and TS 102 042
from the 2.6 branch of the policy:
https://github.com/mozilla/pkipolicy/commit/49a07119a1fd5c887d4b506f60e210fad941b26a

- Wayne


On Tue, Mar 27, 2018 at 12:44 PM, Wayne Thayer <wtha...@mozilla.com> wrote:

> There has been a lot of confusion about the transition to the new
> standards, and I believe that this change makes it clearer that Mozilla no
> longer accepts audits based on the older ETSI standards.
>
> On Tue, Mar 27, 2018 at 4:28 AM, Julian Inza via dev-security-policy <
> dev-security-policy@lists.mozilla.org> wrote:
>
>> European Conformity Assessment Bodies are nowadays issuing Audit
>> Certificates aligned with EN 319 401, EN 319-411-1 and EN 319 411-2
>> standards.
>>
>> There is no need to explicitly deny validity to previous standars,
>> because as Jakob states, they can reflect the chain of audits.
>>
>> In fact, TS 102 042 and TS 101 456 are basically the same standards, but
>> instead of changing only the version number, ETSI opted to renew the full
>> reference code, more in the approach of IETF for RFCs.
>>
>> The Mozilla rule also is aligned with CAB Forum Baseline Requirements for
>> the Issuance and Management of Publicly-Trusted Certificates and Extended
>> Validation SSL Certificate Guidelines, and any change to those documents
>> would need a ballot.
>>
>> This is the kind of confusion that I hope to avoid. Mozilla policy is not
> aligned with the BRs now that Mozilla does not accept TS 102 042 and TS 101
> 456 audits.
>
> Regards,
>>
>> Julian Inza
>>
>>
>>
>
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy

Reply via email to