CA/Browser Forum

Ballot 171 – Updating the ETSI standards in the CABF documents

Voting on Ballot 171, “Updating ETSI standards in CABF documents” is now closed. The results are as follows:

From the CAs, we received 13 YES votes, 0 NO votes and 3 Abstentions.

From the Browsers, we received 1 YES vote, 0 NO votes and 0 Abstentions.

Therefore the ballot passes. Full voting results can be found here: https://docs.google.com/spreadsheets/d/1FBsMZjlzyvK3mFR1u4qMqvZwlI86yJ-v0am1pCBo8uI/edit?pref=2&pli=1#gid=4

Dean Coclin, CA/B Forum Chair

Ballot 171 – Updating the ETSI standards in the CABF documents

The following motion has been proposed by Iñigo Barreira of Izenpe and endorsed by Mads Henriksveen of Buypass, Jochem van den Berge of Logius PKIoverheid and Arno Fiedler of D-trust

– MOTION BEGINS –

In the BRs,

In section 1.6.3 References, change:

ETSI TS 119 403, Electronic Signatures and Infrastructures (ESI); Trust Service Provider Conformity Assessment ‐ General Requirements and Guidance.

With

ETSI EN 319 403, Electronic Signatures and Infrastructures (ESI); Trust Service Provider Conformity Assessment – Requirements for conformity assessment bodies assessing Trust Service Providers

and add:

ETSI EN 319 411-1, Electronic Signatures and Infrastructures (ESI); Policy and security requirements for Trust Service Providers issuing certificates; Part 1: General requirements

In section 8.2 Identity/qualification of assessor, point 4, change:

  4. (For audits conducted in accordance with any one of the ETSI standards) accredited in accordance with ETSI TS 119 403, or accredited to conduct such audits under an equivalent national scheme, or accredited by a national accreditation body in line with ISO 27006 to carry out ISO 27001 audits;

With

  4. (For audits conducted in accordance with any one of the ETSI standards) accredited in accordance with ISO 17065 applying the requirements specified in ETSI EN 319 403;

In section 8.4 Topics covered by assessment, point 2, change:

  2. A national scheme that audits conformance to ETSI TS 102 042;

With

  2. A national scheme that audits conformance to ETSI TS 102 042/ ETSI EN 319 411-1;

In the EV guidelines,

In section 8.2.1 Implementation, point (B), change:

(B) Implement the requirements of (i) the then-current WebTrust Program for CAs, and (ii) the then-current WebTrust EV Program or ETSI TS 102 042; and

With

(B) Implement the requirements of (i) the then-current WebTrust Program for CAs, and (ii) the then-current WebTrust EV Program or ETSI TS 102 042 for EVCP or ETSI EN 319 411-1 for EVCP policy; and

In section 8.2.2 Disclosure, change:

The CA is also REQUIRED to publicly disclose its CA business practices as required by both WebTrust for CAs and ETSI TS 102 042.

With

The CA is also REQUIRED to publicly disclose its CA business practices as required by WebTrust for CAs and ETSI TS 102 042 and ETSI EN 319 411-1.

In section 17.1 Eligible audit schemes, point (ii), change:

(ii) ETSI TS 102 042 audit

With

(ii) ETSI TS 102 042 audit for EVCP, or

(iii) ETSI EN 319 411-1 audit for EVCP policy

In section 17.4 pre-issuance readiness audit, after point (2), add:

(3) If the CA has a currently valid ETSI EN 319 411-1 audit for EVCP policy, then, before issuing EV Certificates, the CA and its Root CA MUST successfully complete a point-in-time readiness assessment audit against ETSI EN 319 411-1 for EVCP.

and change:

(3) If the CA does not have a currently valid WebTrust Seal of Assurance for CAs or an ETSI 102 042 audit, then, before issuing EV Certificates, the CA and its Root CA MUST successfully complete either: (i) a point-in-time readiness assessment audit against the WebTrust for CA Program, or (ii) a point-in-time readiness assessment audit against the WebTrust EV Program, or an ETSI TS 102 042 audit.

With

(4) If the CA does not have a currently valid WebTrust Seal of Assurance for CAs or an ETSI TS 102 042 EVCP or an ETSI EN 319 411-1 audit for EVCP policy, then, before issuing EV Certificates, the CA and its Root CA MUST successfully complete either: (i) a point-in-time readiness assessment audit against the WebTrust for CA Program, or (ii) a point-in-time readiness assessment audit against the WebTrust EV Program, or an ETSI TS 102 042 EVCP, or an ETSI EN 319 411-1 for EVCP policy.

– MOTION ENDS –

The review period for this ballot shall commence at 2200 UTC on 17 June 2016, and will close at 2200 UTC on 24 June 2016. Unless the motion is withdrawn during the review period, the voting period will start immediately thereafter and will close at 2200 UTC on 1 July 2016. Votes must be cast by posting an on-list reply to this thread.

A vote in favor of the motion must indicate a clear ‘yes’ in the response. A vote against must indicate a clear ‘no’ in the response. A vote to abstain must indicate a clear ‘abstain’ in the response. Unclear responses will not be counted. The latest vote received from any representative of a voting member before the close of the voting period will be counted. Voting members are listed here: /about-members/

In order for the motion to be adopted, two thirds or more of the votes cast by members in the CA category and greater than 50% of the votes cast by members in the browser category must be in favor. Quorum is currently ten (10) members – at least ten members must participate in the ballot, either by voting in favor, voting against, or abstaining.

The Certification Authority Browser Forum (CA/Browser Forum) is a voluntary gathering of Certificate Issuers and suppliers of Internet browser software and other applications that use certificates (Certificate Consumers).