Thanks for checking, Tim. The changes y'all approved are integrated, and so I think https://github.com/cabforum/documents/pull/167 reflects all feedback to date.
On Fri, Apr 24, 2020 at 4:43 PM Tim Hollebeek <tim.holleb...@digicert.com> wrote:
> Ryan: Any other issues, or shall we get a ballot out for discussion?
>
> (of course, discussion can continue during the ballot discussion period as well)
>
> -Tim
>
> *From:* Public <public-boun...@cabforum.org> *On Behalf Of *Tim Hollebeek via Public
> *Sent:* Wednesday, April 22, 2020 4:24 PM
> *To:* Ryan Sleevi <sle...@google.com>
> *Cc:* CABforum1 <public@cabforum.org>
> *Subject:* Re: [cabfpub] Update about S/MIME Charter
>
> I’m fine with this. Looks like Clint and Wayne are too (just repeating this here for those who don’t follow the link).
>
> -Tim
>
> *From:* Ryan Sleevi <sle...@google.com>
> *Sent:* Wednesday, April 22, 2020 3:42 PM
> *To:* Tim Hollebeek <tim.holleb...@digicert.com>
> *Cc:* CABforum1 <public@cabforum.org>
> *Subject:* Re: [cabfpub] Update about S/MIME Charter
>
> https://github.com/sleevi/cabforum-docs/pull/17 so that you can comment and make additional modifications/edits.
>
> In prepping this, I also spotted an issue with the CABF Bylaws that I'll feed back to Dimitris' ballot
>
> On Wed, Apr 22, 2020 at 3:27 PM Tim Hollebeek <tim.holleb...@digicert.com> wrote:
>
> I think some people might have objections to “includes, but not limited to…” language, but I don’t. I think it’s sometimes helpful when drafting intentionally broad criteria like this to make it explicitly clear that common cases like “WebTrust for CAs” or “ETSI …” is indeed “relevant to the issuance of S/MIME certificates”. That could really cut down on the amount of confusion about who does or does not qualify for membership, and give members clarity when voting for the charter about who is and isn’t allowed to participate, while also potentially allowing participation by others with less common audit schemes.
>
> That’s just a more verbose than usual way of me saying that yes, I would appreciate draft text along the lines you suggest.
>
> -Tim
>
> *From:* Ryan Sleevi <sle...@google.com>
> *Sent:* Wednesday, April 22, 2020 3:15 PM
> *To:* Tim Hollebeek <tim.holleb...@digicert.com>
> *Cc:* CABforum1 <public@cabforum.org>
> *Subject:* Re: [cabfpub] Update about S/MIME Charter
>
> See my earliest comments on the first draft about this - https://cabforum.org/pipermail/public/2019-January/014517.html shows the suggested edit and points to https://cabforum.org/pipermail/public/2019-January/014521.html
>
> Finally, regarding membership criteria, I'm curious whether it's necessary to consider WebTrust for CAs / ETSI at all. For work like this, would it make sense to merely specify the requirements for a CA as one that is trusted for and actively issues S/MIME certificates that are accepted by a Certificate Consumer. This seems to be widely inclusive and can be iterated upon if/when improved criteria are developed, if appropriate.
> There's also a bootstrapping issue for membership, in that until we know who the accepted Certificate Consumers are, no CA can join as a Certificate Issuer. I'm curious whether it makes sense to explicitly bootstrap this in the charter or how we'd like to tackle this.
>
> In the current incarnation, it's to simply remove the scheme requirement, as follows:
>
> A Certificate Issuer eligible for voting membership in the SMCWG MUST have a publicly-available audit report or attestation statement in accordance with a publicly-available audit or assessment scheme relevant to the issuance of S/MIME certificates. This includes, but is not limited to, ...:
>
> Happy to propose draft text to this effect, if this is something that you're open to addressing.
>
> On Wed, Apr 22, 2020 at 3:03 PM Tim Hollebeek <tim.holleb...@digicert.com> wrote:
>
> Unintentional, and thanks for calling it out. I don’t have strong feelings on the issue and agree broader participation is a useful goal, especially before requirements exist. Certificate Consumers can, and I expect will, have their own opinions on what audits are appropriate and necessary once they adopt the requirements. Do you have a proposed fix?
>
> -Tim
>
> *From:* Ryan Sleevi <sle...@google.com>
> *Sent:* Sunday, April 19, 2020 4:41 PM
> *To:* Tim Hollebeek <tim.holleb...@digicert.com>; CABforum1 <public@cabforum.org>
> *Subject:* Re: [cabfpub] Update about S/MIME Charter
>
> Looking through the resolved and unresolved aspects, the lack of feedback from you meant we still have one unaddressed matter in the draft:
>
> https://github.com/cabforum/documents/pull/167/files#r392389077
>
> - The proposed draft charter forbids any CA from participating unless they already have particular audit schemes, despite this document not yet existing nor being incorporated into audit frameworks. This has been repeatedly raised as an issue for the past year, and it would be useful to know whether or not this is intentionally not being addressed. It does seem that there doesn't need to be restrictions on CA membership until such a document is produced (see also https://cabforum.org/pipermail/public/2020-March/014917.html )
_______________________________________________
Public mailing list
Public@cabforum.org
https://cabforum.org/mailman/listinfo/public