On Monday, April 11, 2016 at 9:04:32 PM UTC+2, Kathleen Wilson wrote:
> All,
>
> I previously updated section 11 of the draft of version 2.3 of Mozilla's CA
> Certificate Inclusion Policy to reflect the new ETSI numbers.
>
> Please see section 11 of
> http://mozilla.github.io/ca-policy/InclusionPolicy.html
> and
> https://wiki.mozilla.org/CA:CertificatePolicyV2.3#Changes_Made_to_DRAFT_Version_2.3
>
> However, there appear to be some differences in the name and number of the
> ETSI criteria. My understanding is that ETSI TS 119 411 and ETSI EN 319 411
> are equivalent. But CAs in some EU member states are required to use ETSI EN
> 319 411 instead of ETSI TS 119 411 (the ETSI standard).
>
> So, should I update the bullet points as follows, to add '(or ETSI EN 319
> 411-...)'?
> Or should I add two separate bullet points for ETSI EN 319 411-1 and ETSI EN
> 319 411-2?
>
> ~~
> - Clause 6 "Trust Service Providers practice" in ETSI TS 119 411-1 *(or ETSI
> EN 319 411-1)* V1.0.1 or later version Policy and security requirements for
> Trust Service Providers issuing certificates; Part 1: General requirements
> (as applicable to the "EVCP" and "EVCP+" certificate policies, DVCP and OVCP
> certificate policies for publicly trusted certificates - baseline
> requirements and any of the "NCP", "NCP+", or "LCP"
> certificate policies);
>
> - Clause 6 "Trust Service Providers practice" in ETSI TS 119 411-2 *(or ETSI
> EN 319 411-2)* V2.0.7 or later version Policy and security requirements for
> Trust Service Providers issuing certificates; Part 2: Requirements for trust
> service providers issuing EU qualified certificates (only applicable to
> electronic signature certificate issuance; applicable to either "QCP-l" or
> "QCP-l-qscd" or "QCP-n" or "QCP-n-qscd" or "QCP-w").
> ~~
>
> I apologize for my delay in updating Mozilla's CA Certificate Policy. In the
> meantime, I will treat the changes in the draft version
> (http://mozilla.github.io/ca-policy/) as accepted. For instance, I will
> accept the new ETSI audit criteria even though it is only in the draft of
> version 2.3 of the policy.
>
> Thanks,
> Kathleen
All, will try to help.

The ETSI TS 119 411 were created for the interim, meanwhile the ETSI EN 319 411 were published, but once these ENs are published, TSPs should use these.

Part 1 (411-1) is for the publicly trusted certificates as defined by the CABF, so covering the BRs for DV and OV SSL certs, and EV guidelines for EV SSL certs. Plus some other certificate policies such as LCP, NCP, etc. This is basically the substitute of the TS 102 042.

Part 2 (411-2) is for qualified certificates to meet eIDAS requirements, for certificates issued to natural and legal persons as well as websites considered qualified. This is the substitute of the TS 101 456 and it's based on part 1.

So, IMHO, I wouldn't use the TS 119 411 and will have 2 bullets, one for part 1 and another one for part 2 for those TSPs that are going to issue qualified website certificates which are covered by this part 2.

Regards

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

