I’m fine with “or equivalent” exceptions for various use cases, as long as we specify what those are and they accomplish the same goals. I do have strong opinions about how “*.gov” should be managed, specifically that I don’t think it’s possible to assure that the domain portion of the email is being consistently validated, absent some oversight by some independent entity.
For government entities, that may be some regulatory body and/or internal review process instead of a traditional WebTrust/ETSI audit, but we should at least make sure that someone is responsible for making sure appropriate controls are in place. -Tim From: Ryan Sleevi <[email protected]> Sent: Monday, January 28, 2019 2:22 PM To: Tim Hollebeek <[email protected]> Cc: Wayne Thayer <[email protected]>; CA/Browser Forum Public Discussion List <[email protected]> Subject: Re: [cabfpub] Draft SMIME Working Group Charter On Mon, Jan 28, 2019 at 2:17 PM Tim Hollebeek <[email protected] <mailto:[email protected]> > wrote: The intent was that Forum level membership was the union of all CWG membership criteria. If you’re able to join a CWG, you’re a Forum member. I think allowing in unaudited Certificate Issuers would be a huge step backwards. Note that the proposal was not "unaudited" - merely, that the definition of audit be left to "Certificate Consumer", which participation with is already a required property. For example, some Consumers allow audits by government entities, but then constrain issuance using application-specific means (since, after all, this is a trust anchor). Others allow for equivalent audit schemes at their discretion. Thus, it also runs the risk of being a "step backward" to have members who are bound by various rules (such as an S/MIME Guideline) but that are prevented by the Forum from joining unless they change their business, governance, or auditability model. An example of this concretely is the Federal PKI operated in the US. While for SSL/TLS cases, I may be more inclined to agree, S/MIME represents a particular area where given the nature of the 'localpart' of email addresses (fully in control of the organization), delegated CAs and trust relationships are far more common. For example, I don't have strong opinions on how "*.gov" should be managed, with respect to S/MIME, provided that the domain portion of the email is consistently validated.
smime.p7s
Description: S/MIME cryptographic signature
_______________________________________________ Public mailing list [email protected] https://cabforum.org/mailman/listinfo/public
