On 16/4/2018 5:57 μμ, Peter Bowen wrote:
On Apr 16, 2018, at 7:21 AM, Ryan Sleevi via Public
<[email protected] <mailto:[email protected]>> wrote:
On Sun, Apr 15, 2018 at 2:18 AM, Dimitris Zacharopoulos via Public
<[email protected] <mailto:[email protected]>> wrote:
I am looking for two endorsers for the following ballot.
Dimitris.
*Ballot XXX - Update Section 8.4 for CA audit criteria*
The following motion has been proposed by Dimitris Zacharopoulos
of HARICA and endorsed by ___ and ___
*Background*:
Section 8.4 of the Baseline Requirements describes the audit
criteria for CAs that issue Publicly-Trusted SSL/TLS
Certificates. This ballot attempts to achieve two things:
1. Remove the old ETSI TS documents
2.
Align the WebTrust <https://www.cabforum.org/wiki/WebTrust>
and ETSI requirements
"WebTrust <https://www.cabforum.org/wiki/WebTrust> for
Certification Authorities" is equivalent to "ETSI EN 319 401" and
"WebTrust <https://www.cabforum.org/wiki/WebTrust> Principles and
Criteria for Certification Authorities – SSL Baseline with
Network Security" is the equivalent of "ETSI EN 319 411-1".
*-- MOTION BEGINS --*
Replace the first two numbered items in section 8.4 of the
Baseline Requirements from:
1.
WebTrust <https://www.cabforum.org/wiki/WebTrust> for
Certification Authorities v2.0;
2. A national scheme that audits conformance to ETSI TS 102 042
/ ETSI EN 319 411-1; or
to:
1.
WebTrust <https://www.cabforum.org/wiki/WebTrust> Principles
and Criteria for Certification Authorities – SSL Baseline
with Network Security;
2. A national scheme that audits conformance to ETSI EN 319
411-1; or
As noted several times that this has come up in the past, your
proposed change to #1 is meaningfully and substantially different
than what is currently required. You are proposing *changing* the
audit scheme to a more restrictive set. That's something in the past
that browsers have objected to, and for good reason.
I agree with Ryan. Based on your description, Dimitris, of the
alignment between WebTrust and ETSI, it seems that the appropriate
change is to require WebTrust for CA v2.1 or a national scheme that
audits conformance to ETSI EN 319 401 V2.1.1.
Perhaps I missed that discussion but the intention here is to include
the superset of audit requirements for CAs that issue Publicly-Trusted
SSL/TLS Certificates . For example, ETSI EN 319 411-1 includes ETSI EN
319 401 as a prerequisite which is similar to WebTrust for CAs v2. Are
you saying that WebTrust for CAs SSL Baseline with Network Security does
not have WebTrust for CAs v2 as a prerequisite?
If that's the case, and if the Baseline Requirements apply to SSL/TLS
Certificates, then the logical requirement to make it clearer would be:
* WebTrust for CAs + WebTrust for CAs SSL Baseline with Network
Security or;
* ETSI EN 319 401 + ETSI EN 319 411-1
Otherwise, if we only keep the WebTrust for CAs requirement as it exists
today, it would make more sense to require for ETSI EN 319 401 (as Peter
suggested) instead of 411-1 which includes parts of the baseline
requirements and network security.
Is there any compelling reason why we shouldn't require both?
Peter, we could include version numbers and some language to state "or
newer", otherwise we might end up with out-of-date versions. Also, I
noticed that WebTrust provides guidance on which versions should be used
for which audit periods so there might be CAs audited against v.2.0 and
others against v2.1.
Dimitris.
Thanks,
Peter
_______________________________________________
Public mailing list
[email protected]
https://cabforum.org/mailman/listinfo/public
