Ballot 31 – Allow ETSI 102 042

Ballot 31 – Allow ETSI 102 042 (Passed)

Motion

Iñigo Barreira has made the following motion, and Bjorn Vermo and Tom Albertson have endorsed it:

Motion begins

1. On page 3, replace: “Other groups that have participated in the process of developing these Guidelines include members of the Information Security Committee of the American Bar Association Section of Science & Technology Law, and WebTrust for CA. Participation by such groups does not imply their endorsement, recommendation or approval of the final product.”

With: “Other groups that have participated in the process of developing these Guidelines include members of the Information Security Committee of the American Bar Association Section of Science & Technology Law, WebTrust for CA and ETSI ESI. Participation by such groups does not imply their endorsement, recommendation or approval of the final product.”

2. In Section 4.a, replace: “Comply with the requirements of (i) the then-current WebTrust Program for CAs, and (ii) the then-current WebTrust EV Program, or an equivalent for both (i) and (ii) as approved by the CA/Browser Forum; and”

With: “Comply with the requirements of the then-current WebTrust program for CAs v1.0 or later [http://infotech.aicpa.org/Resources/System+Security+and+Reliability/System+Reliability/Trust+Services/WebTrust+for+Certification+Authorities.htm]1 , completed by a licensed WebTrust for CAs auditor or ETSI TS 102 042 V2.1.1 or later [http://pda.etsi.org/pda/home.asp?wki_id=tmTZH@WhLn_.’0,.QCFnV]3 ; and”

3. In Section 4.b.1.B, replace: “Implement the requirements of (i) the then current WebTrust Program for CAs, and (ii) the then-current WebTrust EV Program, or an equivalent for both (i) and (ii) as approved by the CA/Browser Forum;”

With: “Implement the requirements of (i) the then-current WebTrust Program for CAs, and (ii) the then-current WebTrust EV Program or ETSI TS 102 042 V2.1.1;”

4. In Section 4.b, replace: “The CA is also REQUIRED to publicly disclose its CA business practices such as are required for public disclosure by the WebTrust for CA requirements.”

With: “The CA is also REQUIRED to publicly disclose its CA business practices as required by WebTrust for CAs or ETSI TS 102 042 V2.1.1.”

5. In Section 35, replace: “(1) If the CA has a currently valid WebTrust Seal of Assurance for CAs (or a currently valid unqualified opinion indicating compliance with equivalent audit procedures approved by the CA/Browser Forum), then before issuing EV Certificates the CA and its Root CA MUST successfully complete a point-in-time readiness assessment audit against the WebTrust EV Program, or a point-in-time readiness assessment audit against equivalent audit procedures approved by the CA/Browser Forum.

(2) If the CA does not have a currently valid WebTrust Seal of Assurance for CAs (or a currently valid unqualified opinion indicating compliance with equivalent audit procedures approved by the CA/Browser Forum), then before issuing EV Certificates the CA and its Root CA MUST successfully complete both: (i) a point-in-time readiness assessment audit against the WebTrust for CA Program, and (ii) a point-in-time readiness assessment audit against the WebTrust EV Program, or”

With: “(1) If the CA has a currently valid WebTrust Seal of Assurance for CAs, then, before issuing EV Certificates, the CA and its Root CA MUST successfully complete a point-in-time readiness assessment audit against the WebTrust EV Program.

(2) If the CA has a currently valid ETSI 102 042 audit, then, before issuing EV Certificates, the CA and its Root CA MUST successfully complete a point-in-time readiness assessment audit against ETSI TS 102 042 V2.1.1.

(3) If the CA does not have a currently valid WebTrust Seal of Assurance for CAs or an ETSI 102 042 audit, then, before issuing EV Certificates, the CA and its Root CA MUST successfully complete either: (i) a point-in-time readiness assessment audit against the WebTrust for CA Program, and (ii) a point-in-time readiness assessment audit against the WebTrust EV Program or an ETSI TS 102 042 V2.1.1. audit, or”

6. In Section 35 c, replace: “(1) During the period in which it issues EV Certificates, the CA and its Root CA MUST undergo and pass an annual (i) WebTrust Program for CAs audit and (ii) WebTrust EV Program audit, or an equivalent for both (i) and (ii) as approved by the CA/Browser Forum. Such audits MUST cover all CA obligations under these Guidelines regardless of whether they are performed directly by the CA or delegated to an RA or subcontractor.

(2) Government CAs In cases where the CA is a government entity, an annual audit of the government CA by the appropriate internal government auditing agency is acceptable in lieu of the (i) WebTrust Program for CAs audit and (ii) WebTrust EV Program audit specified above, provided that such internal government auditing agency publicly certifies in writing that its audit addresses the criteria specified in the WebTrust Program for CAs and the WebTrust EV Program, and certifies that the government CA has successfully passed the audit”

With: “(1) During the period in which it issues EV Certificates, the CA and its Root CA MUST undergo and pass either an annual (i) WebTrust Program for CAs audit and (ii) WebTrust EV Program audit, or an ETSI TS 102 042 v2.1.1 audit. Such audits MUST cover all CA obligations under these Guidelines regardless of whether they are performed directly by the CA or delegated to an RA or subcontractor.

(2) Government CAs In cases where the CA is a government entity, an annual audit of the government CA by the appropriate internal government auditing agency is acceptable in lieu of the audits specified in (1), above, provided that such internal government auditing agency publicly certifies in writing that its audit addresses the criteria specified in the WebTrust Program for CAs and the WebTrust EV Program or the ETSI TS 102 042 v2.1.1. program, and certifies that the government CA has successfully passed the audit”

7. In Section 35 d, replace: “(1) Be an independent public accounting firm that has proficiency in examining Public Key Infrastructure technology, information security tools and techniques, information technology and security auditing, and the third-party attestation function and be currently licensed to perform WebTrust for CA audits and WebTrust EV Program audits, or to perform such alternate equivalent audits approved by the CA/Browser Forum as will be performed; and”

With: “(1) Be an independent public accounting firm that has proficiency in examining Public Key Infrastructure technology, information security tools and techniques, information technology and security auditing, and the third-party attestation function and be currently licensed to perform WebTrust for CA audits and WebTrust EV Program audits, or licensed according to the laws and policies for assessors in the jurisdiction of the CA; and”

8. Add to the Definitions section: “ETSI TS 102 042 v2.1.1. European Telecommunications Standards Institute, Electronic Signatures and Infrastructures (ESI); Policy requirements for certification authorities issuing public key certificates.”

Motion ends

The ballot review period comes into effect at 2100 UTC on 22 July 09 and will close at 2100 UTC on 29 July 2009. Unless the motion is withdrawn during the review period, the voting period will start immediately thereafter and will close at 2100 UTC on 6 Aug 2009.

Votes must be cast by ‘reply all’ to this email.

A vote in favour of the motion must indicate a clear ‘yes’ in the response. A vote against must indicate a clear ‘no’ in the response. A vote to abstain must indicate a clear ‘abstain’ in the response. Unclear responses will not be counted.

The latest vote received from any representative of a voting member before the close of the voting period will be counted.