Re: Questions regarding the qualifications and competency of TUVIT

2018-10-31 Thread Dimitris Zacharopoulos via dev-security-policy
On 30/10/2018 6:28 μμ, Ryan Sleevi via dev-security-policy wrote: This establishes who the CAB is and who the NAB is. As the scheme used in eIDAS for CABs is ETSI EN 319 403, the CAB must perform their assessments in concordance with this scheme, and the NAB is tasked with assessing their

Re: Questions regarding the qualifications and competency of TUVIT

2018-10-31 Thread Ryan Sleevi via dev-security-policy
There's a lot of nitpicking in this, and I feel that if you want to continue this discussion, it would be better off in a separate thread on terminology. I disagree with some of the claims you've made, so have corrected them for the discussion. I would much rather keep this focused on the

Clarifications on ETSI terminology and scheme

2018-10-31 Thread Dimitris Zacharopoulos via dev-security-policy
On 31/10/2018 4:47 μμ, Ryan Sleevi via dev-security-policy wrote: There's a lot of nitpicking in this, and I feel that if you want to continue this discussion, it would be better off in a separate thread on terminology. I disagree with some of the claims you've made, so have corrected them for

Re: Clarifications on ETSI terminology and scheme

2018-10-31 Thread Ryan Sleevi via dev-security-policy
On Wed, Oct 31, 2018 at 12:55 PM Dimitris Zacharopoulos via dev-security-policy wrote: > > > On 31/10/2018 4:47 μμ, Ryan Sleevi via dev-security-policy wrote: > > There's a lot of nitpicking in this, and I feel that if you want to > > continue this discussion, it would be better off in a

Re: Questions regarding the qualifications and competency of TUVIT

2018-10-31 Thread Kurt Roeckx via dev-security-policy
On 2018-10-31 16:42, Wiedenhorst, Matthias wrote: In several emails, we answered to his complaint, explained our procedures and justified the classification of the encoding error as minor (non-critical) non-conformity. I think we never consider encoding errors as a minor error. Kurt

Re: Questions regarding the qualifications and competency of TUVIT

2018-10-31 Thread Ryan Sleevi via dev-security-policy
On Wed, Oct 31, 2018 at 11:43 AM Wiedenhorst, Matthias via dev-security-policy wrote: > · Since January 2018, T-Systems issued EV certificates with an > incorrect qcStatement. T-Systems was made aware of the problem in October > 2018, i.e. for about 9 months the error was not

Re: Clarifications on ETSI terminology and scheme

2018-10-31 Thread Ryan Sleevi via dev-security-policy
On Wed, Oct 31, 2018 at 4:05 PM Dimitris Zacharopoulos wrote: > > For example, when we talk about expectations of CAs, we don't talk about > > what they 'could' do, we talk about what they MUST do, because at the end > > of the day, that's the bar they're being held to. It's certainly true >

Re: AC Camerfirma's CP & CPS disclosure

2018-10-31 Thread Wayne Thayer via dev-security-policy
Camerfirma has delivered point-in-time audits as required by Mozilla in response to the annual audit statements we received in July containing multiple qualifications. The new audit statements along with the history of this issue can be found at https://bugzilla.mozilla.org/show_bug.cgi?id=1478933

Re: Clarifications on ETSI terminology and scheme

2018-10-31 Thread Dimitris Zacharopoulos via dev-security-policy
On 31/10/2018 8:00 μμ, Ryan Sleevi via dev-security-policy wrote: [...] Dimitris, I'm sorry, but I don't believe this is a correct correction. EN 319 403 incorporates ISO/IEC 17065; much like the discussion about EN 319 411-2 incorporating, but being separate from, EN 319 411-1, the