Thanks Peter, I think we are in agreement. Dimitris.
-----Original Message----- From: "Peter Miškovič via dev-security-policy" <dev-security-policy@lists.mozilla.org> To: Dimitris Zacharopoulos <ji...@it.auth.gr>, Wayne Thayer <wtha...@mozilla.com>, mozilla-dev-security-policy <mozilla-dev-security-pol...@lists.mozilla.org> Sent: Fri, 11 May 2018 12:53 Subject: RE: Policy 2.6 Proposal: Update Minimum Audit Versions Hi Dimitris, the official list of ETSI published standards you can find at http://www.etsi.org/standards-search#Pre-defined%20Collections If you search for ETSI EN 319 411 you can find that only officially ETSI published versions for ETSI EN 319 411-1 were V1.1.1 (2016-02) and V1.2.2 (2018-04). Any other version, according document history on the last page of standard, were version for EN approval Procedure (V1.2.0) or Vote (V1.2.1). It means that versions 1.2.0 and 1.2.1 were not officially published by ETSI. For ETSI EN 319 411-2 you can find that only official ETSI published version were versions V2.1.1 (2016-02) and V2.2.2 (2018-04). According this the minimal requirements should looks like: “Trust Service Providers practice” in ETSI EN 319 411-1 version 1.1.1 or version 1.2.2 or later ETSI officially published version. “Trust Service Providers practice” in ETSI EN 319 411-2 version 2.1.1 or version 2.2.2 or later ETSI officially published version Regards Peter -----Original Message----- From: Dimitris Zacharopoulos <ji...@it.auth.gr> Sent: Friday, May 11, 2018 7:23 AM To: Peter Miškovič <peter.misko...@disig.sk>; Wayne Thayer <wtha...@mozilla.com>; mozilla-dev-security-policy <mozilla-dev-security-pol...@lists.mozilla.org> Subject: Re: Policy 2.6 Proposal: Update Minimum Audit Versions Hello Peter, These were very recently published however not everyone is tracking down ETSI updates by registering to the mailing lists. The main question is where can you find the authoritative document *list*? I though the official list is https://portal.etsi.org/TBSiteMap/ESI/TrustServiceProviders.aspx. Also, were there any other versions published before 1.2.2? The recommendation says "1.2 or later". Where are the versions 1.2.0, 1.2.1 published? Thanks, Dimitris. On 11/5/2018 8:13 πμ, Peter Miškovič via dev-security-policy wrote: > There were published a new versions of both ETSI standards: > > ETSI EN 319 411-1 V1.2.2 adopted on April 23, 2018 > http://www.etsi.org/deliver/etsi_en/319400_319499/31941101/01.02.02_60 > /en_31941101v010202p.pdf > > ETSI EN 319 411-2 V2.2.2 adopted on April 23, 2018 > http://www.etsi.org/deliver/etsi_en/319400_319499/31941102/02.02.02_60 > /en_31941102v020202p.pdf > > Peter > > -----Original Message----- > From: dev-security-policy > <dev-security-policy-bounces+peter.miskovic=disig...@lists.mozilla.org > > On Behalf Of Wayne Thayer via dev-security-policy > Sent: Thursday, May 10, 2018 5:04 PM > To: mozilla-dev-security-policy > <mozilla-dev-security-pol...@lists.mozilla.org> > Subject: Policy 2.6 Proposal: Update Minimum Audit Versions > > After consulting with representatives from WebTrust and ETSI, I > propose that we update the minimum required versions of audit criteria > in section > 3.1.1 as follows: > > - WebTrust "Principles and Criteria for Certification Authorities - > Extended Validation SSL" from 1.4.5 to 1.6.0 or later > - “Trust Service Providers practice” in ETSI EN 319 411-1 from 1.1.1 > to 1.2 or later > - “Trust Service Providers practice” in ETSI EN 319 411-2 from 2.1.1 > to > 2.2 or later > > These newer versions were all published last year and should be the minimum > for audits completed from now on. > > Please respond with any concerns you have about this update to our root store > policy. > > - Wayne > _______________________________________________ > dev-security-policy mailing list > dev-security-policy@lists.mozilla.org > https://lists.mozilla.org/listinfo/dev-security-policy > _______________________________________________ > dev-security-policy mailing list > dev-security-policy@lists.mozilla.org > https://lists.mozilla.org/listinfo/dev-security-policy > _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy