Good evening,
I think EN 319 411-1 is not ready for EV certificates as some requirements are
more stringent than 102 042 EVCP.
Reading this document, we found, and it was confirmed by our accredited
auditor, that the validation step requires physical presence of the subscriber
or means equivalent to physical presence. Find below an excerpt of section
6.2.2 Initial identity validation:
h) [CONDITIONAL] [NCP]: If the subject is a device or system operated by or
on behalf of a legal person, or other organizational entity identified in
association with a legal person, evidence of the identity, in particular the
ones listed in i), shall be checked against a duly mandated subscriber either
directly, by physical presence of a person, or have been checked indirectly
using means which provides equivalent assurance to physical presence.
i) [CONDITIONAL]: If the subject is a device or system operated by or on
behalf of a legal person, or other organizational entity identified in
association with a legal person, evidence shall be provided of:
1) identifier of the device by which it can be referenced (e.g.
Internet domain name);
2) full name of the organizational entity:
* [PTC]: clause 3.2.2 of BRG [5] shall apply;
* [EVCP]: EVCG [4], clause 11.2.1, shall apply;
3) any relevant existing registration information (e.g. company
registration) of the legal person or other organizational entity identified in
association with the legal person that would appear in the organization
attribute of the certificate, consistent with the national or other applicable
identification practices;
4) a nationally recognized identity number, or other attributes which
can be used to, as far as possible, distinguish the organizational entity from
others with the same name; and
5) [CONDITIONAL]: when applicable, the association between the legal
person and the other organizational entity identified in association with this
legal person that would appear in the organization attribute of the
certificate, consistent with the national or other applicable identification
practices.
This physical presence (face-to-face) of the subscriber is required by EV
Guidelines when the subject is a Business Entity only, to verify the identity
of the Principal Individual. This face-to-face validation is not required for
Private Organizations, Government Entities, and Non-Commercial Entities.
In addition to that, ETSI has not withdrawn the current standard TS 102 042. If
we apply EN 319 411-1 too quickly, before it is updated, it will add constraints
on European CAs only and thus create a gap between European and non-European
CAs.
Regards,
Erwann Abalea
On 17 June 2016 at 11:43, Barreira Iglesias, Iñigo
<[email protected]> wrote:
Ballot 171 – Updating the ETSI standards in the CABF documents
The following motion has been proposed by Iñigo Barreira of Izenpe and endorsed
by Mads Henriksveen of Buypass, Jochem van den Berge of Logius PKIoverheid and
Arno Fiedler of D-trust
-- MOTION BEGINS --
In the BRs,
In section 1.6.3 References, change:
ETSI TS 119 403, Electronic Signatures and Infrastructures (ESI); Trust Service
Provider Conformity Assessment ‐ General Requirements and Guidance.
ETSI TS 102 042, Electronic Signatures and Infrastructures (ESI); Policy
requirements for certification authorities issuing public key certificates.
With
ETSI EN 319 403, Electronic Signatures and Infrastructures (ESI); Trust Service
Provider Conformity Assessment - Requirements for conformity assessment bodies
assessing Trust Service Providers
ETSI EN 319 411-1, Electronic Signatures and Infrastructures (ESI); Policy and
security requirements for Trust Service Providers issuing certificates;
Part 1: General requirements
In section 8.2 Identity/qualification of assessor, point 4, change:
4. (For audits conducted in accordance with any one of the ETSI standards)
accredited in accordance with ETSI TS 119 403, or accredited to conduct such
audits under an equivalent national scheme, or accredited by a national
accreditation body in line with ISO 27006 to carry out ISO 27001 audits;
With
4. (For audits conducted in accordance with any one of the ETSI standards)
accredited in accordance with ISO 17065 applying the requirements specified in
ETSI EN 319 403;
In section 8.4 Topics covered by assessment, point 2, change:
2. A national scheme that audits conformance to ETSI TS 102 042;
With
2. A national scheme that audits conformance to ETSI TS 102 042/ ETSI EN 319
411-1; Effective July 1st 2016, only the ETSI EN 319 411-1 criteria shall be
accepted. Audit reports following the ETSI TS 102 042 criteria shall be
accepted until July 1st 2017;
In the EV guidelines,
In section 8.2.1 Implementation, point (B), change:
(B) Implement the requirements of (i) the then-current WebTrust Program for
CAs, and (ii) the then-current WebTrust
EV Program or ETSI TS 102 042; and
With
(B) Implement the requirements of (i) the then-current WebTrust Program for
CAs, and (ii) the then-current WebTrust
EV Program or ETSI EN 319 411-1 for EVCP policy; and
In section 8.2.2 Disclosure, change:
The CA is also REQUIRED to publicly disclose its CA business practices as
required by both WebTrust for CAs and ETSI TS 102 042.
With
The CA is also REQUIRED to publicly disclose its CA business practices as
required by both WebTrust for CAs and ETSI EN 319 411-1.
In section 17.1 Eligible audit schemes, point (ii), change:
(ii) ETSI TS 102 042 audit
With
(ii) ETSI EN 319 411-1 audit for EVCP policy
In section 17.4 pre-issuance readiness audit, point (2), change:
(2) If the CA has a currently valid ETSI 102 042 audit, then, before issuing EV
Certificates, the CA and its Root CA MUST
successfully complete a point-in-time readiness assessment audit against ETSI
TS 102 042.
With
(2) If the CA has a currently valid ETSI EN 319 411-1 audit for EVCP policy,
then, before issuing EV Certificates, the CA and its Root CA MUST successfully
complete a point-in-time readiness assessment audit against these ETSI
standards.
In section 17.4 pre-issuance readiness audit, point (3), change:
(3) If the CA does not have a currently valid WebTrust Seal of Assurance for
CAs or an ETSI 102 042 audit, then, before
issuing EV Certificates, the CA and its Root CA MUST successfully complete
either: (i) a point-in-time readiness
assessment audit against the WebTrust for CA Program, or (ii) a point-in-time
readiness assessment audit against the
WebTrust EV Program, or an ETSI TS 102 042 audit.
With
(3) If the CA does not have a currently valid WebTrust Seal of Assurance for
CAs or an ETSI EN 319 411-1 audit for EVCP policy, then, before issuing EV
Certificates, the CA and its Root CA MUST successfully complete either: (i) a
point-in-time readiness assessment audit against the WebTrust for CA Program,
or (ii) a point-in-time readiness assessment audit against the WebTrust EV
Program, or an ETSI EN 319 411-1 for EVCP policy.
-- MOTION ENDS --
The review period for this ballot shall commence at 2200 UTC on 17 June 2016,
and will close at 2200 UTC on 24 June 2016. Unless the motion is withdrawn
during the review period, the voting period will start immediately thereafter
and will close at 2200 UTC on 1 July 2016. Votes must be cast by posting an
on-list reply to this thread.
A vote in favor of the motion must indicate a clear 'yes' in the response. A
vote against must indicate a clear 'no' in the response. A vote to abstain must
indicate a clear 'abstain' in the response. Unclear responses will not be
counted. The latest vote received from any representative of a voting member
before the close of the voting period will be counted. Voting members are
listed here: https://cabforum.org/members/
In order for the motion to be adopted, two thirds or more of the votes cast by
members in the CA category and greater than 50% of the votes cast by members in
the browser category must be in favor. Quorum is currently ten (10) members: at
least ten members must participate in the ballot, either by voting in favor,
voting against, or abstaining.
Iñigo Barreira
Head of the Technical Area
[email protected]
945067705
_______________________________________________
Public mailing list
[email protected]
https://cabforum.org/mailman/listinfo/public