Ballot 31 – Allow ETSI 102 042

Ballot overview

• Ballot 31, Allow ETSI 102 042, proposed changes to the CA/Browser Forum Guidelines to recognize ETSI TS 102 042 V2.1.1 alongside WebTrust-based audits and requirements.
• The ballot page is marked Passed.
• The motion was made by Iñigo Barreira and endorsed by Bjorn Vermo and Tom Albertson.

Main changes proposed

• Updated the list of participating groups in the Guidelines to include ETSI ESI.
• Revised Section 4.a so a CA could comply with either WebTrust for CAs v1.0 or later, completed by a licensed WebTrust for CAs auditor, or ETSI TS 102 042 V2.1.1 or later.
• Revised Section 4.b.1.B so implementation could follow WebTrust requirements or ETSI TS 102 042 V2.1.1.
• Revised Section 4.b so public disclosure of CA business practices could satisfy WebTrust for CAs or ETSI TS 102 042 V2.1.1.
• Revised Section 35 to add ETSI-based readiness assessment and annual audit paths for CAs with a valid ETSI 102 042 audit.
• Revised Section 35 d so assessors could be licensed according to the laws and policies for assessors in the CA’s jurisdiction.
• Added a definition for ETSI TS 102 042 v2.1.1.

Timing stated on the ballot page

• The review period comes into effect at 2100 UTC on 22 July 2009 and closes at 2100 UTC on 29 July 2009.
• Unless withdrawn during review, the voting period starts immediately thereafter and closes at 2100 UTC on 6 Aug 2009.

Compliance impact

• The ballot text proposes that CAs with a currently valid ETSI 102 042 audit must complete a point-in-time readiness assessment audit against ETSI TS 102 042 V2.1.1 before issuing EV Certificates.
• The ballot text also proposes that during the period in which a CA issues EV Certificates, the CA and its Root CA must undergo and pass either the WebTrust audit pair or an ETSI TS 102 042 v2.1.1 audit.
• The evidence does not provide a separate normative effective date beyond the ballot’s proposed timing language.