On 30/1/2019 5:59 PM, Ryan Sleevi wrote:
[...]
The goal of a WG - S/MIME or Code Signing - is not to produce
something that CAs like or even agree with. It's to produce a set of
criteria that reflect the participating Certificate Consumers' needs,
so that they can then require it for participation in their Root
Programs. If the requirements do not meet their needs, such Consumers
can choose not to require them. Similarly, such Consumers can impose
their own requirements above and beyond. In both situations, it seems
extremely valuable to support as diverse and varied as possible a set
of participants, to provide feedback for Certificate Consumers in
developing and imposing requirements for their programs. I don't see
how the possession of a WebTrust for CAs audit, over, say,
participation in the US Federal PKI, fundamentally improves the
quality of discourse or feedback. This is especially true if the
consequence of developing and imposing such standards may result in
presently-accepted Certificate Consumers being excluded from
participation in the future - that's all the more reason to want to
ensure their views and voices are consistently and equally represented.

I think I mentioned this already that the WG should and will be open to
Interested Parties bringing new and improved ideas for the development
of S/MIME guidelines and if they come from a particular audit scheme
that is currently unknown but otherwise meets the same level of our
"known" audit schemes, I don't believe the WG would have a problem
expanding the list of acceptable audit schemes for Certificate Issuers.
If we go back to some old Baseline Requirements
<https://cabforum.org/wp-content/uploads/BRv1.2.5.pdf>, there were more
audit schemes allowed:
"A scheme that audits conformance to ISO 21188:2006; or
4. If a Government CA is required by its Certificate Policy to use a
different internal audit scheme, it MAY use such scheme provided that
the audit either (a) encompasses all requirements of one of the above
schemes or (b) consists of comparable criteria that are available for
public review.
Whichever scheme is chosen, it MUST incorporate periodic monitoring
and/or accountability procedures to ensure that its audits continue to
be conducted in accordance with the requirements of the scheme.
The audit MUST be conducted by a Qualified Auditor, as specified in
Section 17.6."
Why were these audit schemes dismissed? The CA/B Forum was working with
Code Signing at the time and developed EV Code Signing Guidelines. At
the same time, the CA/B Forum's Bylaws never had these other schemes
allowed, even from the very beginning
<https://cabforum.org/wp-content/uploads/CA-Browser-Forum-Bylaws-v.-1.0-Ballot-98.pdf>.
I'm afraid I don't have anything new to add for this issue and will
happily let others state their opinion, especially members who were
engaged from the beginning and can probably better explain why there
were different audit criteria in the guidelines and different for CA/B
Forum participation.
Dimitris.