On Wed, May 1, 2019 at 3:25 PM Jakob Bohm via dev-security-policy <
[email protected]> wrote:

> On 01/05/2019 22:29, [email protected] wrote:
> >> 2017 assessment report
> >> LSTI didn't issue to Certinomis any "audit attestation" for the
> >> browsers in 2017. The document Wayne references is a "Conformity
> >> Assessment Report" for the eIDAS regulation.
> >
> > I had a look at the 2017 report, and unless I misread, it implies
> > conformity to ETSI EN 319 401 (Est vérifiée également la conformité aux
> > normes: EN 319 401), whereas EN 319 401 states, "The present document is
> > aiming to meet the general requirements to provide trust and confidence in
> > electronic transactions including, amongst others, applicable requirements
> > from Regulation (EU) No 910/2014 [i.2] and those from CA/Browser Forum
> > [i.4].", so I'm not sure how that squares with saying it wasn't an audit
> > taking CA/BF regulations into account?
> >
>
>

The 2017 report [1], while not an attestation letter, indicates conformance
with EN 319 411 (refer to annex 2). This is the audit that covers
compliance with the BRs and is required by Mozilla policy.

>
> But does EN 319 401, as it existed in 2016/2017 incorporate a clause to
> apply all "future" updates to the CAB/F regulations or otherwise cover
> all BRs applicable to the 2016/2017 timespan?
>
> Because otherwise EN 319 401 compliance only implied compliance with
> the subset of the BRs directly included in EN 319 401 or documents
> incorporated by reference into EN 319 401 (the above quote is a
> statement of intent to include the BR requirements that existed when
> EN 319 401 was written).
>
> That said, Mozilla policy at the time may have explicitly stated that an
> EN 319 401 audit is/was sufficient for Mozilla inclusion purposes.
>
>
Correct - 319 411 was (and still is) the Mozilla audit requirement.

[1] https://bug937589.bmoattachments.org/attachment.cgi?id=8898169
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy