Re: Policy 2.6 Proposal: Audit requirements for new subCA certificates

2018-04-23 Thread Wayne Thayer via dev-security-policy
ch policies apply. >> >> Based on the feedback so far, none of these options is desirable. I > propose that we only make the change to section 5.3.2 of the Mozilla policy > that clarifies the audit requirements for new subCA certificates, as > follows: > > If the subord

Re: Policy 2.6 Proposal: Audit requirements for new subCA certificates

2018-04-16 Thread Wayne Thayer via dev-security-policy
rable. I propose that we only make the change to section 5.3.2 of the Mozilla policy that clarifies the audit requirements for new subCA certificates, as follows: If the subordinate CA has a currently valid audit report at the time of > creation of the certificate, it MUST appear on the subordinat

Re: Policy 2.6 Proposal: Audit requirements for new subCA certificates

2018-04-11 Thread Wayne Thayer via dev-security-policy
[mailto:wtha...@mozilla.com] > *Sent:* Thursday, April 5, 2018 1:56 PM > *To:* Ben Wilson <ben.wil...@digicert.com> > *Cc:* Dimitris Zacharopoulos <ji...@it.auth.gr>; r...@sleevi.com; > mozilla-dev-security-policy <mozilla-dev-security-pol...@lists.mozilla.org > > &

Re: Policy 2.6 Proposal: Remove obsolete ETSI audit requirements

2018-04-11 Thread Wayne Thayer via dev-security-policy
I've gone ahead and removed references to ETSI TS 101 456 and TS 102 042 from the 2.6 branch of the policy: https://github.com/mozilla/pkipolicy/commit/49a07119a1fd5c887d4b506f60e210fad941b26a - Wayne On Tue, Mar 27, 2018 at 12:44 PM, Wayne Thayer wrote: > There has been

RE: Policy 2.6 Proposal: Audit requirements for new subCA certificates

2018-04-05 Thread Ben Wilson via dev-security-policy
om; mozilla-dev-security-policy <mozilla-dev-security-pol...@lists.mozilla.org> Subject: Re: Policy 2.6 Proposal: Audit requirements for new subCA certificates On Thu, Apr 5, 2018 at 12:05 PM, Ben Wilson <ben.wil...@digicert.com <mailto:ben.wil...@digicert.com> > wrote: If I c

RE: Policy 2.6 Proposal: Audit requirements for new subCA certificates

2018-04-05 Thread Ben Wilson via dev-security-policy
Zacharopoulos via dev-security-policy Sent: Thursday, April 5, 2018 12:56 PM To: r...@sleevi.com Cc: mozilla-dev-security-policy <mozilla-dev-security-pol...@lists.mozilla.org>; Wayne Thayer <wtha...@mozilla.com> Subject: Re: Policy 2.6 Proposal: Audit requirements for new subCA certificates O

Re: Policy 2.6 Proposal: Audit requirements for new subCA certificates

2018-04-05 Thread Dimitris Zacharopoulos via dev-security-policy
[1] we decided to clarify the audit requirements for new subordinate CA certificates. I’ve drafted a change that requires the new certificate to appear in the next periodic audits and in the CP/CPS prior to issuance: https://github.com/mozilla/pkipolicy/commit/09867ef4a0db3b1cab162930c0326c84d272ec

Re: Policy 2.6 Proposal: Audit requirements for new subCA certificates

2018-04-05 Thread Ryan Sleevi via dev-security-policy
On Thu, Apr 5, 2018 at 5:20 AM, Dimitris Zacharopoulos via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote: > On 5/4/2018 12:02 AM, Wayne Thayer via dev-security-policy wrote: > >> In a recent discussion [1] we decided to clarify the audit requirements >>

Policy 2.6 Proposal: Audit requirements for new subCA certificates

2018-04-04 Thread Wayne Thayer via dev-security-policy
In a recent discussion [1] we decided to clarify the audit requirements for new subordinate CA certificates. I’ve drafted a change that requires the new certificate to appear in the next periodic audits and in the CP/CPS prior to issuance: https://github.com/mozilla/pkipolicy/commit

Re: Policy 2.6 Proposal: Remove obsolete ETSI audit requirements

2018-03-27 Thread Wayne Thayer via dev-security-policy
There has been a lot of confusion about the transition to the new standards, and I believe that this change makes it clearer that Mozilla no longer accepts audits based on the older ETSI standards. On Tue, Mar 27, 2018 at 4:28 AM, Julian Inza via dev-security-policy <

Re: Policy 2.6 Proposal: Remove obsolete ETSI audit requirements

2018-03-27 Thread Ryan Sleevi via dev-security-policy
I support this change. Previously accepted audits are covered by previously accepted policies, so there's no issue since there should be no new audits going forward using these criteria, much in the same way all new, valid WebTrust audits are using the new criteria. On Mon, Mar 26, 2018 at 4:41

Re: Policy 2.6 Proposal: Remove obsolete ETSI audit requirements

2018-03-27 Thread Julian Inza via dev-security-policy
European Conformity Assessment Bodies are nowadays issuing Audit Certificates aligned with EN 319 401, EN 319 411-1 and EN 319 411-2 standards. There is no need to explicitly deny validity to previous standards, because as Jakob states, they can reflect the chain of audits. In fact, TS 102 042

Re: Policy 2.6 Proposal: Remove obsolete ETSI audit requirements

2018-03-27 Thread Jakob Bohm via dev-security-policy
On 26/03/2018 22:41, Wayne Thayer wrote: Mozilla policy section 3.1.2.2 states: ETSI TS 102 042 and TS 101 456 audits are only acceptable for audit periods ending in July 2017 or earlier. Now that we are past this deadline, I propose that we remove all references to ETSI TS 102 042 and 101

Policy 2.6 Proposal: Remove obsolete ETSI audit requirements

2018-03-26 Thread Wayne Thayer via dev-security-policy
Mozilla policy section 3.1.2.2 states: ETSI TS 102 042 and TS 101 456 audits are only acceptable for audit periods > ending in July 2017 or earlier. > Now that we are past this deadline, I propose that we remove all references to ETSI TS 102 042 and 101 456 from the policy. This is:

RE: Audit requirements

2016-10-04 Thread Varga Viktor
with issuing policies, profiles, and technical requirements. > > Of course the ETSI report, or its Annex also includes the whole list of the > subordinates too. > > Also Microsoft doesn't accept audit reports without the subordinate list, > so it's mandatory nowadays. > >

Re: Audit requirements

2016-09-29 Thread Erwann Abalea
ng subcas are checked against the compliance > with issuing policies, profiles, and technical requirements. > > Of course the ETSI report, or its Annex also includes the whole list of the > subordinates too. > > Also Microsoft doesn't accept audit reports without the su

RE: Audit requirements

2016-09-29 Thread Varga Viktor
Annex also includes the whole list of the subordinates too. Also Microsoft doesn't accept audit reports without the subordinate list, so it's mandatory nowadays. I think what is important is to add the 319 411-1 and -2 to the actual acceptable audit requirements, because the MS ask

Re: Audit requirements

2016-09-27 Thread Myers, Kenneth (10421)
that a CP-to-CPS analysis was conducted along with annual core requirements. WebTrust has recognized this additional requirement as part of their Certification Compliance Matrix. If anyone is interested, FPKI Compliance Audit Requirements can be found here https://www.idmanagement.gov/IDM/s

RE: Audit requirements

2016-09-23 Thread Ben Wilson
curity-pol...@lists.mozilla.org Subject: Re: Audit requirements On Fri, Sep 23, 2016 at 5:29 AM, Kurt Roeckx <k...@roeckx.be> wrote: > On 2016-09-23 00:57, Peter Bowen wrote: >> >> Kathleen, Gerv, Richard and m.d.s.p, >> >> In reviewing the WebTrust audit documentat

Re: Audit requirements

2016-09-23 Thread Peter Bowen
On Fri, Sep 23, 2016 at 5:29 AM, Kurt Roeckx wrote: > On 2016-09-23 00:57, Peter Bowen wrote: >> >> Kathleen, Gerv, Richard and m.d.s.p, >> >> In reviewing the WebTrust audit documentation submitted by various CA >> program members and organizations wishing to be members, it seems

Re: Audit requirements

2016-09-23 Thread Jakob Bohm
On 23/09/2016 14:29, Kurt Roeckx wrote: On 2016-09-23 00:57, Peter Bowen wrote: Kathleen, Gerv, Richard and m.d.s.p, In reviewing the WebTrust audit documentation submitted by various CA program members and organizations wishing to be members, it seems there is possibly some confusion on what

Audit requirements

2016-09-22 Thread Peter Bowen
Kathleen, Gerv, Richard and m.d.s.p, In reviewing the WebTrust audit documentation submitted by various CA program members and organizations wishing to be members, it seems there is possibly some confusion on what is required by Mozilla. I suspect this might also span to ETSI audit