I’m fine with this.  Looks like Clint and Wayne are too (just repeating this 
here for those who don’t follow the link).

 

-Tim

 

From: Ryan Sleevi <[email protected]> 
Sent: Wednesday, April 22, 2020 3:42 PM
To: Tim Hollebeek <[email protected]>
Cc: CABforum1 <[email protected]>
Subject: Re: [cabfpub] Update about S/MIME Charter

 

https://github.com/sleevi/cabforum-docs/pull/17 so that you can comment and 
make additional modifications/edits.

 

In prepping this, I also spotted an issue with the CABF Bylaws that I'll feed 
back to Dimitris' ballot.

 

On Wed, Apr 22, 2020 at 3:27 PM Tim Hollebeek <[email protected]> wrote:

I think some people might have objections to “includes, but not limited to…” 
language, but I don’t.  I think it’s sometimes helpful when drafting 
intentionally broad criteria like this to make it explicitly clear that common 
cases like “WebTrust for CAs” or “ETSI …” are indeed “relevant to the issuance 
of S/MIME certificates”.  That could really cut down on the amount of confusion 
about who does or does not qualify for membership, and give members clarity 
when voting for the charter about who is and isn’t allowed to participate, 
while also potentially allowing participation by others with less common audit 
schemes.

 

That’s just a more verbose than usual way of me saying that yes, I would 
appreciate draft text along the lines you suggest.

 

-Tim

 

From: Ryan Sleevi <[email protected]>
Sent: Wednesday, April 22, 2020 3:15 PM
To: Tim Hollebeek <[email protected]>
Cc: CABforum1 <[email protected]>
Subject: Re: [cabfpub] Update about S/MIME Charter

 

See my earliest comments on the first draft about this - 
https://cabforum.org/pipermail/public/2019-January/014517.html shows the 
suggested edit and points to 
https://cabforum.org/pipermail/public/2019-January/014521.html

 

Finally, regarding membership criteria, I'm curious whether it's necessary
to consider WebTrust for CAs / ETSI at all. For work like this, would it
make sense to merely specify the requirements for a CA as one that is
trusted for and actively issues S/MIME certificates that are accepted by a
Certificate Consumer. This seems to be widely inclusive and can be iterated
upon if/when improved criteria are developed, if appropriate.
There's also a bootstrapping issue for membership, in that until we know
who the accepted Certificate Consumers are, no CA can join as a Certificate
Issuer. I'm curious whether it makes sense to explicitly bootstrap this in
the charter or how we'd like to tackle this.

 

In the current incarnation, it's to simply remove the scheme requirement, as 
follows:

 

A Certificate Issuer eligible for voting membership in the SMCWG MUST have a 
publicly-available audit report or attestation statement in accordance with a 
publicly-available audit or assessment scheme relevant to the issuance of 
S/MIME certificates. This includes, but is not limited to, ...:

 

Happy to propose draft text to this effect, if this is something that you're 
open to addressing.

 

On Wed, Apr 22, 2020 at 3:03 PM Tim Hollebeek <[email protected]> wrote:

Unintentional, and thanks for calling it out.  I don’t have strong feelings on 
the issue and agree broader participation is a useful goal, especially before 
requirements exist.  Certificate Consumers can, and I expect will, have their 
own opinions on what audits are appropriate and necessary once they adopt the 
requirements.  Do you have a proposed fix?

 

-Tim

 

From: Ryan Sleevi <[email protected]>
Sent: Sunday, April 19, 2020 4:41 PM
To: Tim Hollebeek <[email protected]>; CABforum1 <[email protected]>
Subject: Re: [cabfpub] Update about S/MIME Charter

 

Looking through the resolved and unresolved aspects, the lack of feedback from 
you meant we still have one unaddressed matter in the draft:

 

https://github.com/cabforum/documents/pull/167/files#r392389077

- The proposed draft charter forbids any CA from participating unless they 
already have particular audit schemes, despite this document not yet existing 
nor being incorporated into audit frameworks. This has been repeatedly raised 
as an issue for the past year, and it would be useful to know whether or not 
this is intentionally not being addressed. It does seem that there doesn't need 
to be restrictions on CA membership until such a document is produced (see also 
https://cabforum.org/pipermail/public/2020-March/014917.html )

 

 


_______________________________________________
Public mailing list
[email protected]
https://cabforum.org/mailman/listinfo/public
