See my earliest comments on the first draft about this - https://cabforum.org/pipermail/public/2019-January/014517.html shows the suggested edit and points to https://cabforum.org/pipermail/public/2019-January/014521.html
> Finally, regarding membership criteria, I'm curious whether it's necessary to consider WebTrust for CAs / ETSI at all. For work like this, would it make sense to merely specify the requirements for a CA as one that is trusted for and actively issues S/MIME certificates that are accepted by a Certificate Consumer. This seems to be widely inclusive and can be iterated upon if/when improved criteria are developed, if appropriate.
>
> There's also a bootstrapping issue for membership, in that until we know who the accepted Certificate Consumers are, no CA can join as a Certificate Issuer. I'm curious whether it makes sense to explicitly bootstrap this in the charter or how we'd like to tackle this.

In the current incarnation, it's to simply remove the scheme requirement, as follows:

A Certificate Issuer eligible for voting membership in the SMCWG MUST have a publicly-available audit report or attestation statement in accordance with a publicly-available audit or assessment scheme relevant to the issuance of S/MIME certificates. This includes, but is not limited to, ...:

Happy to propose draft text to this effect, if this is something that you're open to addressing.

On Wed, Apr 22, 2020 at 3:03 PM Tim Hollebeek <tim.holleb...@digicert.com> wrote:

> Unintentional, and thanks for calling it out. I don’t have strong feelings on the issue and agree broader participation is a useful goal, especially before requirements exist. Certificate Consumers can, and I expect will, have their own opinions on what audits are appropriate and necessary once they adopt the requirements. Do you have a proposed fix?
>
> -Tim
>
> *From:* Ryan Sleevi <sle...@google.com>
> *Sent:* Sunday, April 19, 2020 4:41 PM
> *To:* Tim Hollebeek <tim.holleb...@digicert.com>; CABforum1 <public@cabforum.org>
> *Subject:* Re: [cabfpub] Update about S/MIME Charter
>
> Looking through the resolved and unresolved aspects, the lack of feedback from you meant we still have one unaddressed matter in the draft:
>
> https://github.com/cabforum/documents/pull/167/files#r392389077
>
> - The proposed draft charter forbids any CA from participating unless they already have particular audit schemes, despite this document not yet existing nor being incorporated into audit frameworks. This has been repeatedly raised as an issue for the past year, and it would be useful to know whether or not this is intentionally not being addressed. It does seem that there doesn't need to be restrictions on CA membership until such a document is produced (see also https://cabforum.org/pipermail/public/2020-March/014917.html )