On Tue, Oct 30, 2018 at 5:08 PM Erwann Abalea <eaba...@gmail.com> wrote:
> Not seeing this on Google Groups :/ > > Le mar. 30 oct. 2018 à 18:28, Ryan Sleevi <ryan.sle...@gmail.com> a > écrit : > >> >> >> On Tue, Oct 30, 2018 at 1:20 PM Erwann Abalea via dev-security-policy < >> dev-security-policy@lists.mozilla.org> wrote: >> >>> Le mardi 30 octobre 2018 17:29:14 UTC+1, Ryan Sleevi a écrit : >>> [...] >>> > Note that if either the TSP is suspended of their certification or >>> > withdrawn, no notification will be made to relying parties. The closest >>> > that it comes is that if they're accredited according to EN 319 411-2 >>> > (Qualified Certificates), the suspension/withdrawing will be reported >>> to >>> > the Supervisory Body, which will them update the Qualified Trust List >>> for >>> > that country and that will flow into the EU Qualified Trust List. >>> >>> Quick correction here: this certification suspension/withdrawal does not >>> automatically imply a qualification suspension/withdrawal by the SB. The SB >>> is the sole responsible of the TL content, and can ignore the certification >>> suspension (or certification success, failure, absence, or whatever). >>> >> >> Got a citation? >> > > Other that the eIDAS regulation? No. > What you wrote would mean that the CAB is finally responsible of the > Qualified status of a TSP. And this is wrong. > Perhaps it was poorly stated, but I think we're in agreement that the Supervisory Body ultimately makes the decision regarding both the addition to and removal from the qualified trust list within that country. That said, in re-examining Article 20(3) and Article 17, I agree, it's clear that the suspension of accreditation does not itself trigger an obligation to suspend certified status. _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
