Ballot 107 – Removing Version Numbers to WebTrust and ETSI Standards From CABF Guidelines (Withdrawn)
Mads Henriksveen made the following motion, and Inigo Barreira from Izenpe and Kirk Hall from Trend Micro endorsed it:
Baseline Requirements (BR)
Implementers’ Note: Version 1.1 of these SSL Baseline Requirements was published on September 14, 2012. Version 1.1 of WebTrust’s SSL Baseline Audit Criteria and ETSI Technical Standard Electronic Signatures and Infrastructures (ESI) 102 042 version 2.3.1 incorporate version 1.1 of these Baseline Requirements and are currently in effect. See http://www.webtrust.org/homepage-documents/item27839.aspx and also http://www.etsi.org/deliver/etsi_ts/102000_102099/102042/02.03.01_60/ts_102042v020301p.pdf .
Section 3. References
ETSI TS 119 403 Electronic Signatures and Infrastructures (ESI); Trust Service Provider Conformity Assessment – General Requirements and Guidance available at: http://www.etsi.org/deliver/etsi_ts/119400_119499/119403/01.01.01_60/ts_119403v010101p.pdf .
ETSI TS 102 042 V2.1.1, Electronic Signatures and Infrastructures (ESI); Policy requirements for certification authorities issuing public key certificates.
WebTrust Program for Certification Authorities Version 2.0, available at http://www.webtrust.org/homepage-documents/item27839.aspx.
Section 17.1 Eligible Audit Schemes
The CA SHALL undergo an audit in accordance with one of the following schemes:
1. WebTrust Program for Certification Authorities v2.0 audit;
2. A national scheme that audits conformance to ETSI TS 102 042 audit including DVCP, OVCP, EVCP or EVCP+;
3. A scheme that audits conformance to ISO 21188:2006; or
4. If a Government CA is required by its Certificate Policy to use a different internal audit scheme, it MAY use such scheme provided that the audit either (a) encompasses all requirements
Section 8.2.1 Implementation
(B) Implement the requirements of (i) the then-current WebTrust Program for CAs, and (ii) the then-current WebTrust EV Program or (ii) the then-current ETSI TS 102 042 EV Certificate Policies (EVCP or EVCP+) V2.1.1; and
Section 8.2.2 Disclosure
Each CA MUST publicly disclose their EV Policies through an appropriate and readily accessible online means that is available on a 24×7 basis. The CA is also REQUIRED to publicly disclose its CA business practices as required by both WebTrust for CAs and ETSI TS 102 042 V2.1.1. The disclosures MUST be structured in accordance with either RFC 2527 or RFC 3647.
Section 17.1 Eligible Audit Schemes
A CA issuing EV Certificates SHALL undergo an audit in accordance with one of the following schemes:
(i) WebTrust Program for Certification Authorities audit and WebTrust EV Program audit, or
(ii) ETSI TS 102 042 v2.1.1 audit including EVCP or EVCP+.
Section 17.4 Pre-Issuance Readiness Audit
(2) If the CA has a currently valid ETSI 102 042 audit, then, before issuing EV Certificates, the CA and its Root CA MUST successfully complete a point-in-time readiness assessment audit against ETSI TS 102 042 V2.1.1 EVCP or EVCP+.
(3) If the CA does not have a currently valid WebTrust Seal of Assurance for CAs or an ETSI 102 042 audit, then, before issuing EV Certificates, the CA and its Root CA MUST successfully complete either: (i) a point-in-time readiness assessment audit against the WebTrust for CA Program, or (ii) a point-in-time readiness assessment audit against the WebTrust EV Program, or an ETSI TS 102 042 V2.1.1 audit including EVCP or EVCP+.
The review period for this ballot shall commence on July 24th, 2013 and will close on July 31, 2013. Unless the motion is withdrawn during the review period, the voting period will start immediately thereafter and will close on August 7th, 2013. Votes must be cast by posting an on-list reply to this thread.