Specialist Task Force 438:
Guidance on TS 102 042 for CAB Forum Baseline Certificates
Who we are:
Team Leader: Arno Fiedler, Nimbus Technologieberatung / TeleTrusT Deutschland, arno.fiedler@TELETRUST.DE
Team Members:
- Christoph Sutter, TUVIT, C.Sutter@tuvit.de
- Inigo Barreira, Izenpe, i-barreira@izenpe.net
- Nick Pope, Thales e-Security Ltd, nick.pope@thales-esecurity.com
- Sylvie Lacroix, Sealed s.p.r.l., sylvie.lacroix@sealed.be
What we do:
The objective of this STF is to provide guidance on the application of TS 102
042 (ESI – Policy requirements for the specification for certification
authorities issuing public certificates) to certification authorities (CAs)
issuing Baseline SSL certificates as specified by the CA Browser Forum (CAB
Forum). This will include guidance for the application of policy requirements
specified in TS 102 042 to CAs applying the CAB Forum Baseline, as well as the
application of CSP conformity assessment and audit of such CAs. The guidance
documentation is planned to include a conformance checklist which can be used
by CAs and auditors to check conformance to TS 102 042 as applied to baseline
certificates.
This guidance will be similar to that previously developed for the CAB Forum
Extended Validation level, but applied at the Baseline. In this sense the
guidance enables the CA business, enhances the importance of ETSI TS 102 042
in the market segment of (non-EV) SSL certificates, and will be a building
block for enabling organizational certificates.
For more details, see our Terms of Reference.
Why we do it:
With the recent compromise of major providers of public key certification
services, and subsequent questions in the European Parliament, concern has
been raised about the definition of measures and the need to apply rigorous
controls to the security of all such certification service providers.
Recognising this, the CAB Forum has applied the same type of security controls
for auditing certification service providers as the “baseline” for all such
services as has already been applied to a higher level “Extended Validation”
service. The baseline, as with the Extended Validation CAB Forum controls,
needs to be applied within a more general framework for security and audit of
certification service providers.
This can be achieved within the context of TS 102 042 but requires adaptation
to be applicable to the baseline context. Indeed, without further guidance,
particularly to assist CAs and their auditors in assessing conformity to
TS 102 042 for EV, European CAs are likely to be dominated by the alternative
criteria developed in North America, WebTrust, which does not fit in well with
existing European CA practices (in particular those used by CAs issuing
qualified certificates). Concerns have already been expressed in the CAB Forum
about the lack of details for audit and conformance assessment of TS 102 042,
and without further guidance the acceptability of the use of the ETSI
specification is likely to be called into question.
On 21/09/2010 the European Parliament adopted a resolution on completing the
internal market for e-commerce. The outcome of the STF can be an important
building block for raising e-commerce users’ confidence in a European Trust
Seal.
http://www.europarl.europa.eu/oeil/FindByProcnum.do?lang=en&procnum=INI/2010/2012
How we do it:
The STF activity will be:
- Identify detailed requirements for the application of TS 102 042 to Baseline SSL Certificates, including the conformity assessment.
- Produce a Technical Report on Guidance on TS 102 042 for Issuing Baseline SSL Certificates for Auditors, CSP and Application software vendors.
- Handle and answer Requests for Changes to existing specifications (TS 102 042, TR 101 564 and the Conformity assessment guidance documents to be produced by STF 412).
- Disseminate the results.
This activity has strong links with the work of the CAB Forum.
Deliverables:
The output of the STF will be a substantial building block for a baseline
security level for any certification providers issuing certificates to
webservers, in the form of an ETSI Technical Report (TR): “Guidance on
TS 102 042 for Issuing Baseline SSL Certificates for Auditors, CSP and
Application software vendors.”
The STF will also identify changes required to TS 102 042, TR 101 564 etc., as
appropriate.
Time plan:
Total duration: 10 months, from January 2012 to November 2012.
How to contact us:
If you would like more information, please contact the STF Leader:
arno.fiedler@TELETRUST.DE
This information is based upon STF working assumptions.
The views expressed do not necessarily represent the position of ETSI in this
context.
Last updated: 2012-05-11 15:09:29