On 16/4/2018 5:57 PM, Peter Bowen wrote:


On Apr 16, 2018, at 7:21 AM, Ryan Sleevi via Public <public@cabforum.org> wrote:



On Sun, Apr 15, 2018 at 2:18 AM, Dimitris Zacharopoulos via Public <public@cabforum.org> wrote:


    I am looking for two endorsers for the following ballot.

    Dimitris.

    *Ballot XXX - Update Section 8.4 for CA audit criteria*

    The following motion has been proposed by Dimitris Zacharopoulos
    of HARICA and endorsed by ___ and ___

    *Background*:

    Section 8.4 of the Baseline Requirements describes the audit
    criteria for CAs that issue Publicly-Trusted SSL/TLS
    Certificates. This ballot attempts to achieve two things:

     1. Remove the old ETSI TS documents
     2. Align the WebTrust <https://www.cabforum.org/wiki/WebTrust>
        and ETSI requirements

    "WebTrust for Certification Authorities" is equivalent to
    "ETSI EN 319 401" and "WebTrust Principles and Criteria for
    Certification Authorities – SSL Baseline with Network Security"
    is the equivalent of "ETSI EN 319 411-1".

    *-- MOTION BEGINS --*

    Replace the first two numbered items in section 8.4 of the
    Baseline Requirements from:

    1. WebTrust for Certification Authorities v2.0;
    2. A national scheme that audits conformance to ETSI TS 102 042
       / ETSI EN 319 411-1; or

    to:

    1. WebTrust Principles and Criteria for Certification Authorities
       – SSL Baseline with Network Security;
    2. A national scheme that audits conformance to ETSI EN 319
       411-1; or


As noted several times when this has come up in the past, your proposed change to #1 is meaningfully and substantially different than what is currently required. You are proposing *changing* the audit scheme to a more restrictive set. That's something in the past that browsers have objected to, and for good reason.

I agree with Ryan.  Based on your description, Dimitris, of the alignment between WebTrust and ETSI, it seems that the appropriate change is to require WebTrust for CA v2.1 or a national scheme that audits conformance to ETSI EN 319 401 V2.1.1.


Perhaps I missed that discussion, but the intention here is to include the superset of audit requirements for CAs that issue Publicly-Trusted SSL/TLS Certificates. For example, ETSI EN 319 411-1 includes ETSI EN 319 401 as a prerequisite, which is similar to WebTrust for CAs v2. Are you saying that WebTrust for CAs SSL Baseline with Network Security does not have WebTrust for CAs v2 as a prerequisite?

If that's the case, and if the Baseline Requirements apply to SSL/TLS Certificates, then the logical requirement to make it clearer would be:

 * WebTrust for CAs + WebTrust for CAs SSL Baseline with Network
   Security; or
 * ETSI EN 319 401 + ETSI EN 319 411-1

Otherwise, if we only keep the WebTrust for CAs requirement as it exists today, it would make more sense to require ETSI EN 319 401 (as Peter suggested) instead of 411-1, which includes parts of the Baseline Requirements and network security.

Is there any compelling reason why we shouldn't require both?

Peter, we could include version numbers and some language to state "or newer"; otherwise we might end up with out-of-date versions. Also, I noticed that WebTrust provides guidance on which versions should be used for which audit periods, so there might be CAs audited against v2.0 and others against v2.1.


Dimitris.


Thanks,
Peter

_______________________________________________
Public mailing list
Public@cabforum.org
https://cabforum.org/mailman/listinfo/public
