Re: Policy 2.6 Proposal: Remove obsolete ETSI audit requirements

2018-04-11 Thread Wayne Thayer via dev-security-policy
I've gone ahead and removed references to ETSI TS 101 456 and TS 102 042
from the 2.6 branch of the policy:
https://github.com/mozilla/pkipolicy/commit/49a07119a1fd5c887d4b506f60e210fad941b26a

- Wayne


On Tue, Mar 27, 2018 at 12:44 PM, Wayne Thayer wrote:

> There has been a lot of confusion about the transition to the new
> standards, and I believe that this change makes it clearer that Mozilla no
> longer accepts audits based on the older ETSI standards.
>
> On Tue, Mar 27, 2018 at 4:28 AM, Julian Inza via dev-security-policy <
> dev-security-policy@lists.mozilla.org> wrote:
>
>> European Conformity Assessment Bodies are nowadays issuing Audit
>> Certificates aligned with EN 319 401, EN 319-411-1 and EN 319 411-2
>> standards.
>>
>> There is no need to explicitly deny validity to previous standards,
>> because as Jakob states, they can reflect the chain of audits.
>>
>> In fact, TS 102 042 and TS 101 456 are basically the same standards, but
>> instead of changing only the version number, ETSI opted to renew the full
>> reference code, more in the approach of IETF for RFCs.
>>
>> The Mozilla rule also is aligned with CAB Forum Baseline Requirements for
>> the Issuance and Management of Publicly-Trusted Certificates and Extended
>> Validation SSL Certificate Guidelines, and any change to those documents
>> would need a ballot.
>>
> This is the kind of confusion that I hope to avoid. Mozilla policy is not
> aligned with the BRs now that Mozilla does not accept TS 102 042 and TS 101
> 456 audits.
>
>> Regards,
>>
>> Julian Inza
>>
>>
>>
>
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy


Re: Policy 2.6 Proposal: Remove obsolete ETSI audit requirements

2018-03-27 Thread Wayne Thayer via dev-security-policy
There has been a lot of confusion about the transition to the new
standards, and I believe that this change makes it clearer that Mozilla no
longer accepts audits based on the older ETSI standards.

On Tue, Mar 27, 2018 at 4:28 AM, Julian Inza via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:

> European Conformity Assessment Bodies are nowadays issuing Audit
> Certificates aligned with EN 319 401, EN 319-411-1 and EN 319 411-2
> standards.
>
> There is no need to explicitly deny validity to previous standards, because
> as Jakob states, they can reflect the chain of audits.
>
> In fact, TS 102 042 and TS 101 456 are basically the same standards, but
> instead of changing only the version number, ETSI opted to renew the full
> reference code, more in the approach of IETF for RFCs.
>
> The Mozilla rule also is aligned with CAB Forum Baseline Requirements for
> the Issuance and Management of Publicly-Trusted Certificates and Extended
> Validation SSL Certificate Guidelines, and any change to those documents
> would need a ballot.
>

This is the kind of confusion that I hope to avoid. Mozilla policy is not
aligned with the BRs now that Mozilla does not accept TS 102 042 and TS 101
456 audits.

> Regards,
>
> Julian Inza
>
>
>


Re: Policy 2.6 Proposal: Remove obsolete ETSI audit requirements

2018-03-27 Thread Ryan Sleevi via dev-security-policy
I support this change. Previously accepted audits are covered by previously
accepted policies, so there's no issue since there should be no new audits
going forward using these criteria, much in the same way all new, valid
WebTrust audits are using the new criteria.

On Mon, Mar 26, 2018 at 4:41 PM, Wayne Thayer via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:

> Mozilla policy section 3.1.2.2 states:
>
> > ETSI TS 102 042 and TS 101 456 audits are only acceptable for audit periods
> > ending in July 2017 or earlier.
>
> Now that we are past this deadline, I propose that we remove all references
> to ETSI TS 102 042 and 101 456 from the policy.
>
> This is: https://github.com/mozilla/pkipolicy/issues/108
>
> ---
>
> This is a proposed update to Mozilla's root store policy for version
> 2.6. Please keep discussion in this group rather than on GitHub. Silence
> is consent.
>
> Policy 2.5 (current version):
> https://github.com/mozilla/pkipolicy/blob/2.5/rootstore/policy.md


Re: Policy 2.6 Proposal: Remove obsolete ETSI audit requirements

2018-03-27 Thread Julian Inza via dev-security-policy
European Conformity Assessment Bodies are nowadays issuing Audit Certificates 
aligned with EN 319 401, EN 319-411-1 and EN 319 411-2 standards.

There is no need to explicitly deny validity to previous standards, because as 
Jakob states, they can reflect the chain of audits.

In fact, TS 102 042 and TS 101 456 are basically the same standards, but 
instead of changing only the version number, ETSI opted to renew the full 
reference code, more in the approach of IETF for RFCs.

The Mozilla rule also is aligned with CAB Forum Baseline Requirements for the 
Issuance and Management of Publicly-Trusted Certificates and Extended 
Validation SSL Certificate Guidelines, and any change to those documents would 
need a ballot.

Regards,

Julian Inza

On Tuesday, March 27, 2018, 8:43:31 (UTC+2), Jakob Bohm wrote:
> On 26/03/2018 22:41, Wayne Thayer wrote:
> > Mozilla policy section 3.1.2.2 states:
> > 
> >> ETSI TS 102 042 and TS 101 456 audits are only acceptable for audit periods
> >> ending in July 2017 or earlier.
> > 
> > Now that we are past this deadline, I propose that we remove all references
> > to ETSI TS 102 042 and 101 456 from the policy.
> > 
> > This is: https://github.com/mozilla/pkipolicy/issues/108
> > 
> > ---
> > 
> > This is a proposed update to Mozilla's root store policy for version
> > 2.6. Please keep discussion in this group rather than on GitHub. Silence
> > is consent.
> > 
> > Policy 2.5 (current version):
> > https://github.com/mozilla/pkipolicy/blob/2.5/rootstore/policy.md
> > 
> 
> Will that make such audits (prior to the deadline) unacceptable as part
> of the unbroken audit chain back to first issuance for new roots?
> 
> Enjoy
> 
> Jakob
> -- 
> Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
> Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
> This public discussion message is non-binding and may contain errors.
> WiseMo - Remote Service Management for PCs, Phones and Embedded



Re: Policy 2.6 Proposal: Remove obsolete ETSI audit requirements

2018-03-27 Thread Jakob Bohm via dev-security-policy

On 26/03/2018 22:41, Wayne Thayer wrote:

> Mozilla policy section 3.1.2.2 states:
>
>> ETSI TS 102 042 and TS 101 456 audits are only acceptable for audit periods
>> ending in July 2017 or earlier.
>
> Now that we are past this deadline, I propose that we remove all references
> to ETSI TS 102 042 and 101 456 from the policy.
>
> This is: https://github.com/mozilla/pkipolicy/issues/108
>
> ---
>
> This is a proposed update to Mozilla's root store policy for version
> 2.6. Please keep discussion in this group rather than on GitHub. Silence
> is consent.
>
> Policy 2.5 (current version):
> https://github.com/mozilla/pkipolicy/blob/2.5/rootstore/policy.md

Will that make such audits (prior to the deadline) unacceptable as part
of the unbroken audit chain back to first issuance for new roots?

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded


Policy 2.6 Proposal: Remove obsolete ETSI audit requirements

2018-03-26 Thread Wayne Thayer via dev-security-policy
Mozilla policy section 3.1.2.2 states:

> ETSI TS 102 042 and TS 101 456 audits are only acceptable for audit periods
> ending in July 2017 or earlier.

Now that we are past this deadline, I propose that we remove all references
to ETSI TS 102 042 and 101 456 from the policy.

This is: https://github.com/mozilla/pkipolicy/issues/108

---

This is a proposed update to Mozilla's root store policy for version
2.6. Please keep discussion in this group rather than on GitHub. Silence
is consent.

Policy 2.5 (current version):
https://github.com/mozilla/pkipolicy/blob/2.5/rootstore/policy.md