Re: [cabfpub] Ballot proposal - Update Section 8.4 for CA audit criteria

Mon, 16 Apr 2018 07:58:24 -0700 


> On Apr 16, 2018, at 7:21 AM, Ryan Sleevi via Public <[email protected]> 
> wrote:
> 
> 
> 
> On Sun, Apr 15, 2018 at 2:18 AM, Dimitris Zacharopoulos via Public 
> <[email protected] <mailto:[email protected]>> wrote:
> 
> I am looking for two endorsers for the following ballot.
> 
> Dimitris.
> 
> Ballot XXX - Update Section 8.4 for CA audit criteria
> 
> The following motion has been proposed by Dimitris Zacharopoulos of HARICA 
> and endorsed by ___ and ___
> 
> Background:
> 
> Section 8.4 of the Baseline Requirements describes the audit criteria for CAs 
> that issue Publicly-Trusted SSL/TLS Certificates. This ballot attempts to 
> achieve two things:
> 
> Remove the old ETSI TS documents
> Align the WebTrust <https://www.cabforum.org/wiki/WebTrust> and ETSI 
> requirements
> 
> "WebTrust <https://www.cabforum.org/wiki/WebTrust> for Certification 
> Authorities" is equivalent to "ETSI EN 319 401" and "WebTrust 
> <https://www.cabforum.org/wiki/WebTrust> Principles and Criteria for 
> Certification Authorities – SSL Baseline with Network Security" is the 
> equivalent of "ETSI EN 319 411-1".
> 
> -- MOTION BEGINS --
> 
> Replace the first two numbered items in section 8.4 of the Baseline 
> Requirements from:
> 
> WebTrust <https://www.cabforum.org/wiki/WebTrust> for Certification 
> Authorities v2.0;
> 
> A national scheme that audits conformance to ETSI TS 102 042 / ETSI EN 319 
> 411-1; or
> to:
> 
> WebTrust <https://www.cabforum.org/wiki/WebTrust> Principles and Criteria for 
> Certification Authorities – SSL Baseline with Network Security;
> 
> A national scheme that audits conformance to ETSI EN 319 411-1; or
> 
> As noted several times that this has come up in the past, your proposed 
> change to #1 is meaningfully and substantially different than what is 
> currently required. You are proposing *changing* the audit scheme to a more 
> restrictive set. That's something in the past that browsers have objected to, 
> and for good reason.

I agree with Ryan.  Based on your description, Dimitris, of the alignment 
between WebTrust and ETSI, it seems that the appropriate change is to require 
WebTrust for CA v2.1 or a national scheme that audits conformance to ETSI EN 
319 401 V2.1.1.

Thanks,
Peter
_______________________________________________
Public mailing list
[email protected]
https://cabforum.org/mailman/listinfo/public

Reply via email to