Re: [cabfpub] Bylaws: Update Membership Criteria (section 2.1)
On 24/1/2019 8:16 PM, Wayne Thayer via Public wrote:

> On today's call we discussed a number of changes to the bylaws aimed at clarifying the rules for membership. The proposal for section 2.1(a)(1) resulting from today's discussion is:
>
> Certificate Issuer: The member organization operates a certification authority that has a publicly-available audit report or attestation statement that meets the following requirements:
> * Is based on the full, current version of the WebTrust for CAs, ETSI EN 319 411-1, or ETSI EN 319 411-2 audit criteria
> * Covers a period of at least 60 days
> * Covers a period that ends within the past 15 months
> * Was prepared by a properly-Qualified Auditor
>
> In addition, the member organization is a member of a CWG, and actively issues certificates to end entities, such certificates being treated as valid by a Certificate Consumer Member. Applicants that are not actively issuing certificates but otherwise meet membership criteria may be granted Associate Member status under Bylaw Sec. 3.1 for a period of time to be designated by the Forum.
>
> Similar changes would be made to 2.1(a)(2) for Root Certificate Issuers.
>
> The question of requiring period-of-time audits was left unresolved on today's call. I have included the requirement here because the results of a straw poll conducted earlier this year [1] indicated strong support for such a requirement. Comments?

We can explicitly say that Certificate Issuers can be accepted with a WebTrust for CAs Point-in-time public audit report but will remain in the Associate Member status until they provide a Period-of-time public audit report.

> One additional question on this section that we didn't get to on the call is the vague requirement for "actively" issuing certificates. Should we remove the word "actively" and change the final sentence to allow Associate member status for organizations with a point-in-time audit?

I think we should remove the word "actively". Even a certificate issued to a domain controlled by the Certificate Issuer that chains to a Certificate Consumer Member's software should be sufficient.

Dimitris.

> Thanks,
> Wayne
>
> [1] https://cabforum.org/pipermail/public/2018-April/013259.html

___
Public mailing list
Public@cabforum.org
https://cabforum.org/mailman/listinfo/public

[cabfpub] Creating Ballot Redlines in GitHub
I've published a step-by-step guide to creating redlines for ballots on GitHub. You can find it on the wiki under 'Ballots'. If you try this and get stuck, I'm happy to help. Thanks to everyone who helped by reviewing the doc.

Wayne

[cabfpub] Draft SMIME Working Group Charter
Here is a draft SMIME WG Charter. Please provide your comments.

https://docs.google.com/document/d/1vEswtzzMm0_G0ujoAT5ChiajyqfRfDTydG9Nmsc-eo4/edit?usp=sharing

Thanks,
Ben Wilson

[cabfpub] Bylaws: Add Forum Subcommittees
Wayne – as I said on the call, I think the restriction should be narrower. Something like “In order to avoid coming within the scope of the IPR Agreement, the Forum and its Subcommittees shall not engage in the development or amendment of Guidelines.”

The draft language you have below is almost impossible to apply – “any activity that could result in a claim infringement of a Member's Intellectual Property”. If we discuss a draft Charter at the Forum level for creation of a new Anti-Gravity Certificate Working Group and we want to fine-tune the WG’s scope, we will certainly be discussing technical issues. How can we possibly know whether or not our discussion “could result in a claim infringement of a Member's Intellectual Property”? I have no idea what Intellectual Property the other Members have.

As another example, the Infrastructure WG may forward a proposal to the Forum for how we do our wiki, emails, etc., and ask for comments. I’m sure that several Members have IP relating to wikis, servers, email systems, etc. If we discuss the WG proposal at the Forum level, would that be an “activity that could result in a claim infringement of a Member's Intellectual Property”? No, because the Forum will not be drafting Guidelines, and is not a WG.

We need to keep focused on the language of the IPRA and what it covers – which is only development of Guidelines at the WG level. So long as the Forum (and its subcommittees) stays away from that, we should be good.

From: Public [mailto:public-boun...@cabforum.org] On Behalf Of Wayne Thayer via Public
Sent: Thursday, January 24, 2019 9:38 AM
To: CA/Browser Forum Public Discussion List
Subject: [EXTERNAL][cabfpub] Bylaws: Add Forum Subcommittees

On today's call, we discussed the addition of the following section to the Bylaws:

5.6 Subcommittees

The Forum may establish subcommittees of the Forum by ballot to address any of the Forum’s business as specified in the ballot. Subcommittees are open to all Forum Members. A Forum Subcommittee may work on and recommend Forum ballots, complete delegated Forum functions, or issue reports to the Forum that are within the subcommittee’s jurisdiction. Subcommittees must post all agendas and minutes on a public mail list.

Ryan proposed the addition of explicit language regarding IPR. Something like:

Subcommittees of the Forum shall not engage in any activity that could result in a claim infringement of a Member's Intellectual Property. Such activities include the discussion or creation of Guidelines or similar standards-setting documents.

Comments?

Thanks,
Wayne

Re: [cabfpub] Bylaws: Update Membership Criteria (section 2.1)
In the past, what we used to check for “actively” issuing certs were some examples of recently issued certs from their roots that have public trust. This was in addition to the audit reqt.

From: Public On Behalf Of Wayne Thayer via Public
Sent: Thursday, January 24, 2019 1:16 PM
To: CA/Browser Forum Public Discussion List
Subject: [cabfpub] Bylaws: Update Membership Criteria (section 2.1)

On today's call we discussed a number of changes to the bylaws aimed at clarifying the rules for membership. The proposal for section 2.1(a)(1) resulting from today's discussion is:

Certificate Issuer: The member organization operates a certification authority that has a publicly-available audit report or attestation statement that meets the following requirements:
* Is based on the full, current version of the WebTrust for CAs, ETSI EN 319 411-1, or ETSI EN 319 411-2 audit criteria
* Covers a period of at least 60 days
* Covers a period that ends within the past 15 months
* Was prepared by a properly-Qualified Auditor

In addition, the member organization is a member of a CWG, and actively issues certificates to end entities, such certificates being treated as valid by a Certificate Consumer Member. Applicants that are not actively issuing certificates but otherwise meet membership criteria may be granted Associate Member status under Bylaw Sec. 3.1 for a period of time to be designated by the Forum.

Similar changes would be made to 2.1(a)(2) for Root Certificate Issuers.

The question of requiring period-of-time audits was left unresolved on today's call. I have included the requirement here because the results of a straw poll conducted earlier this year [1] indicated strong support for such a requirement. Comments?

One additional question on this section that we didn't get to on the call is the vague requirement for "actively" issuing certificates. Should we remove the word "actively" and change the final sentence to allow Associate member status for organizations with a point-in-time audit?

Thanks,
Wayne

[1] https://cabforum.org/pipermail/public/2018-April/013259.html

[cabfpub] Bylaws: Update Membership Criteria (section 2.1)
On today's call we discussed a number of changes to the bylaws aimed at clarifying the rules for membership. The proposal for section 2.1(a)(1) resulting from today's discussion is:

> Certificate Issuer: The member organization operates a certification authority that has a publicly-available audit report or attestation statement that meets the following requirements:
> * Is based on the full, current version of the WebTrust for CAs, ETSI EN 319 411-1, or ETSI EN 319 411-2 audit criteria
> * Covers a period of at least 60 days
> * Covers a period that ends within the past 15 months
> * Was prepared by a properly-Qualified Auditor
>
> In addition, the member organization is a member of a CWG, and actively issues certificates to end entities, such certificates being treated as valid by a Certificate Consumer Member. Applicants that are not actively issuing certificates but otherwise meet membership criteria may be granted Associate Member status under Bylaw Sec. 3.1 for a period of time to be designated by the Forum.

Similar changes would be made to 2.1(a)(2) for Root Certificate Issuers.

The question of requiring period-of-time audits was left unresolved on today's call. I have included the requirement here because the results of a straw poll conducted earlier this year [1] indicated strong support for such a requirement. Comments?

One additional question on this section that we didn't get to on the call is the vague requirement for "actively" issuing certificates. Should we remove the word "actively" and change the final sentence to allow Associate member status for organizations with a point-in-time audit?

Thanks,
Wayne

[1] https://cabforum.org/pipermail/public/2018-April/013259.html

[cabfpub] Bylaws: Add Forum Subcommittees
On today's call, we discussed the addition of the following section to the Bylaws:

5.6 Subcommittees

> The Forum may establish subcommittees of the Forum by ballot to address any of the Forum’s business as specified in the ballot. Subcommittees are open to all Forum Members. A Forum Subcommittee may work on and recommend Forum ballots, complete delegated Forum functions, or issue reports to the Forum that are within the subcommittee’s jurisdiction. Subcommittees must post all agendas and minutes on a public mail list.

Ryan proposed the addition of explicit language regarding IPR. Something like:

Subcommittees of the Forum shall not engage in any activity that could result in a claim infringement of a Member's Intellectual Property. Such activities include the discussion or creation of Guidelines or similar standards-setting documents.

Comments?

Thanks,
Wayne