Thank you for reminding us of these past discussions, they are indeed very
helpful.
One observation is that these were discussions about Forum membership
requirements when the Forum was considering other types of digital
certificates and not just SSL/TLS, before the new governance established
by ballot 206. The server certificate working group is currently focused
on SSL/TLS Certificates and candidate members with experience in SSL/TLS
certificates can prove that with a BR-compliant audit report (not
necessarily a "successful" or "clean" audit). I believe there is
consensus for not requiring a clean audit.
I am still uncertain about other Members' opinions. If the Server
Certificate Working Group wants more relaxed criteria for Membership
(like they are today), I would appreciate it if members indicated their
preference.
In any case, since this seems to be a controversial matter, I will
create a new thread in the Server Certificate Working Group public list
and remove the additional requirements for WebTrust. I hope you are ok
with the additional criteria for the third option (equivalent audits
like Government CAs). If not, I can remove that option also.
Thanks,
Dimitris.
On 8/2/2019 8:50 PM, Ryan Sleevi wrote:
Here are some references for some of the past discussions:
You can search for the discussion around Ballot 149, in which Kirk had
proposed changes similar to what you're doing now. There's quite a bit
of discussion on that from various bits, but I suspect
https://cabforum.org/pipermail/public/2015-May/005620.html probably
captures it. This was a continuation of a discussion from earlier -
see https://cabforum.org/pipermail/public/2015-March/005375.html -
which itself was a continuation of the discussion from Cupertino in
Meeting 34 -
https://cabforum.org/2015/03/11/2015-03-11-minutes-of-cupertino-f2f-meeting-34/
If there's concerns that we haven't captured those objections enough,
I'm sure we can make sure minutes going forward capture controversial
topics more thoroughly.
My search focused on discussions on our public list; searching our
governance reform list is a bit trickier, but this was something we
similarly discussed when revising the Bylaws to our current form, and
the same concerns and objections were shared in the discussion of the
draft SCWG charter. Let me know if the above isn't sufficient.
We know that there will be direct harm - by promoting more exclusion -
by requiring the SSL BRs w/ Net Sec. While it's true that ETSI has
incorporated them directly, were ETSI to provide a similar broad
profile, I suspect there would be support for *reducing* the current
ETSI requirements. Given how ETSI functions, I suspect that 'reducing'
is accomplished by adding yet another criterion, since unlike WebTrust,
you don't mix and match the same, but the end result would be to
increase opportunities for participation.
There's very little benefit to increasing membership requirements. The
main benefits seem to be logistical, rather than practical -
increasing requirements can exclude more members and thus make it
cheaper or easier to host or organize meetings. However, given the
harm that can be caused by that, it does not seem useful - members who
are affected by the requirements cannot contribute effectively to them.
Consider, for example, if the only way to contribute to the EVGLs was
to have an EVGL audit. Imagine how difficult it would be to correct
any criteria that prevented a CA from getting an EVGL audit, such as
the discussion we saw related to E&O insurance/liability limits, as
raised by our Asian CA members. Today, they could propose suggestions
by virtue of the open membership; in a world where only entities with
the audits could participate in the discussions, there would be no way
to resolve that or push for change, short of hoping someone 'takes
pity' and does it themselves.
From our perspective, the Forum's strength is not its production of
Guidelines themselves, but in providing a venue to gather feedback
about proposed changes in a way that does not create conflicting
requirements between Root Stores. The Guidelines do not and have never
represented 'best' practice - just a common baseline. As we've shifted
to a WG model, that same logic extends to WGs - the greatest value in
the Forum is through having diverse views represented and gathering
feedback about potentially conflicting requirements, to try and find
solutions for those conflicts. From our early involvement in the first
governance reform - that led to the creation of the public lists - to
our effort to provide opportunity to gather and share public feedback
via the questions@ list, we've valued increased participation and
transparency. The Validation Summit effort in Herndon was, in many
ways, a high point in the Forum's opportunity for participation. We
should be pushing for greater involvement - as we've seen through the
participation of Cisco, for example - than adding barriers that would
limit it.
_______________________________________________
Public mailing list
[email protected]
https://cabforum.org/mailman/listinfo/public