Re: [cabfpub] Bylaws: Update Membership Criteria (section 2.1)
On 28/1/2019 8:48 μ.μ., Ryan Sleevi via Public wrote:
> On Thu, Jan 24, 2019 at 2:30 PM Dimitris Zacharopoulos (HARICA) via Public <public@cabforum.org> wrote:
>> On 24/1/2019 8:16 μ.μ., Wayne Thayer via Public wrote:
>>> On today's call we discussed a number of changes to the bylaws aimed at clarifying the rules for membership. The proposal for section 2.1(a)(1) resulting from today's discussion is:
>>>
>>> Certificate Issuer: The member organization operates a certification authority that has a publicly-available audit report or attestation statement that meets the following requirements:
>>> * Is based on the full, current version of the WebTrust for CAs, ETSI EN 319 411-1, or ETSI EN 319 411-2 audit criteria
>>
>> Using the example reports for discussion (http://www.webtrust.org/practitioner-qualifications/docs/item85808.pdf): if a CA does not escrow CA keys, does not provide subscriber key generation services, or suspension services, does that count as being based on the "full, current version"? (Page 11, paragraph 2)

I think so, yes. Based on the exact CA operations, the exact audit scope is determined. The Forum has set the WebTrust for CAs and ETSI EN 319 411-1 as an absolute minimum that includes attestation of the existence of reasonable organizational and technical controls. If you recall, I had proposed that for the SCWG we should also require WebTrust for CAs Baseline and NetSec because they are already included in ETSI EN 319 411-1 and are more suitable for SSL/TLS Certificates. If a CA obtains a WebTrust for CAs or ETSI EN 319 411-1 audit report, it means that the core CA services are there and are operational. Root programs have audit requirements exceptions and this applies equally to Microsoft and Mozilla. I don't disagree with being more inclusive, but I believe the Forum must have objective and specific requirements based on some international standards and not just government regulations.

>>> * Covers a period of at least 60 days
>
> I'm curious for feedback from the ETSI folks, but perhaps a more inclusive definition would be "Reports on the operational effectiveness of controls for a historic period of at least 60 days". The context being that ETSI is a certification scheme, but as part of that certification, the CAB "may" ("should") examine the historic evidence for some period of time. 7.9 of 319 403 only requires "since the previous audit".

I am not representing ETSI or ACAB'c, but if there are concerns with this requirement we can solve this issue using the language proposed by Wayne, "Covers a period of at least 60 days". I would use "Covers a period of operations of at least 60 days".

>>> * Covers a period that ends within the past 15 months
>
> This may also be resting on the BR definition of Audit Period.
>
> I can see similar ambiguities arising with respect to ETSI and that its certification decisions last two years, not one, thus it might cause a CA to believe that they have up to three years from first completing their audit (that is, if the letter is issued at T=2 years, covering T=0 to T=2, and is valid to T=4 years, then the CA may believe it's covered until T=5 years and 3 months). There's also the potential of surveillance audits conducted over specific issues being resolved, without being a full recertification (e.g. if the CAB classified it as a minor non-conformity).
>
> "With no more than 27 months having elapsed since the beginning of the reported-on period and no more than 15 months since the end of the reported-on period"
>
> It's a mouthful, but perhaps there's a more concise way to capture that unambiguously.

AFAIK, Microsoft still requires annual full audits even for non-SSL certificate issuance. In any case, I prefer a mouthful to an ambiguous requirement.

Dimitris.

___
Public mailing list
Public@cabforum.org
https://cabforum.org/mailman/listinfo/public
Re: [cabfpub] Draft SMIME Working Group Charter
On Mon, Jan 28, 2019 at 3:28 PM Tim Hollebeek wrote:
> Because diverse and sometimes even contradictory root program requirements are not a good thing. It seems like we should be able to reach agreement on what the minimum criteria should be, just as we have for TLS.

I'm not sure which part you're replying to, but the diversity of audit requirements is already something we have with TLS, and I don't see any signs of that changing. Perhaps you can help me understand how a normative membership requirement on audits furthers that goal.

> -Tim
>
> From: Ryan Sleevi
> Sent: Monday, January 28, 2019 3:14 PM
> To: Tim Hollebeek
> Cc: Wayne Thayer; CA/Browser Forum Public Discussion List
> Subject: Re: [cabfpub] Draft SMIME Working Group Charter
>
> On Mon, Jan 28, 2019 at 2:44 PM Tim Hollebeek wrote:
>> I’m fine with “or equivalent” exceptions for various use cases, as long as we specify what those are and they accomplish the same goals. I do have strong opinions about how “*.gov” should be managed, specifically that I don’t think it’s possible to assure that the domain portion of the email is being consistently validated, absent some oversight by some independent entity.
>
> I suppose this will be a core part of the discussion, then. I will, however, note that ICANN has adopted a very different philosophy than you with respect to domain names, and similarly, Microsoft has recognized the distinction with how they manage their program. This also aligns with a variety of other technology and non-technology sectors, and is, perhaps, a core part of disagreement.
>
> Could you help me understand why, for purposes of CA/B Forum membership, you believe they should be overseen by someone that the CA/B Forum designates, rather than by an entity that a root program designates? Perhaps I'm missing why it's important to exclude these parties from the Forum, as that might help clarify the language.
Re: [cabfpub] Draft SMIME Working Group Charter
Because diverse and sometimes even contradictory root program requirements are not a good thing. It seems like we should be able to reach agreement on what the minimum criteria should be, just as we have for TLS.

-Tim

From: Ryan Sleevi
Sent: Monday, January 28, 2019 3:14 PM
To: Tim Hollebeek
Cc: Wayne Thayer; CA/Browser Forum Public Discussion List
Subject: Re: [cabfpub] Draft SMIME Working Group Charter

On Mon, Jan 28, 2019 at 2:44 PM Tim Hollebeek wrote:
> I’m fine with “or equivalent” exceptions for various use cases, as long as we specify what those are and they accomplish the same goals. I do have strong opinions about how “*.gov” should be managed, specifically that I don’t think it’s possible to assure that the domain portion of the email is being consistently validated, absent some oversight by some independent entity.

I suppose this will be a core part of the discussion, then. I will, however, note that ICANN has adopted a very different philosophy than you with respect to domain names, and similarly, Microsoft has recognized the distinction with how they manage their program. This also aligns with a variety of other technology and non-technology sectors, and is, perhaps, a core part of disagreement.

Could you help me understand why, for purposes of CA/B Forum membership, you believe they should be overseen by someone that the CA/B Forum designates, rather than by an entity that a root program designates? Perhaps I'm missing why it's important to exclude these parties from the Forum, as that might help clarify the language.
Re: [cabfpub] Draft SMIME Working Group Charter
On Mon, Jan 28, 2019 at 2:44 PM Tim Hollebeek wrote:
> I’m fine with “or equivalent” exceptions for various use cases, as long as we specify what those are and they accomplish the same goals. I do have strong opinions about how “*.gov” should be managed, specifically that I don’t think it’s possible to assure that the domain portion of the email is being consistently validated, absent some oversight by some independent entity.

I suppose this will be a core part of the discussion, then. I will, however, note that ICANN has adopted a very different philosophy than you with respect to domain names, and similarly, Microsoft has recognized the distinction with how they manage their program. This also aligns with a variety of other technology and non-technology sectors, and is, perhaps, a core part of disagreement.

Could you help me understand why, for purposes of CA/B Forum membership, you believe they should be overseen by someone that the CA/B Forum designates, rather than by an entity that a root program designates? Perhaps I'm missing why it's important to exclude these parties from the Forum, as that might help clarify the language.
Re: [cabfpub] Draft SMIME Working Group Charter
I’m fine with “or equivalent” exceptions for various use cases, as long as we specify what those are and they accomplish the same goals. I do have strong opinions about how “*.gov” should be managed, specifically that I don’t think it’s possible to assure that the domain portion of the email is being consistently validated, absent some oversight by some independent entity. For government entities, that may be some regulatory body and/or internal review process instead of a traditional WebTrust/ETSI audit, but we should at least make sure that someone is responsible for making sure appropriate controls are in place.

-Tim

From: Ryan Sleevi
Sent: Monday, January 28, 2019 2:22 PM
To: Tim Hollebeek
Cc: Wayne Thayer; CA/Browser Forum Public Discussion List
Subject: Re: [cabfpub] Draft SMIME Working Group Charter

On Mon, Jan 28, 2019 at 2:17 PM Tim Hollebeek wrote:
> The intent was that Forum level membership was the union of all CWG membership criteria. If you’re able to join a CWG, you’re a Forum member.
>
> I think allowing in unaudited Certificate Issuers would be a huge step backwards.

Note that the proposal was not "unaudited" - merely, that the definition of audit be left to "Certificate Consumer", which participation with is already a required property. For example, some Consumers allow audits by government entities, but then constrain issuance using application-specific means (since, after all, this is a trust anchor). Others allow for equivalent audit schemes at their discretion. Thus, it also runs the risk of being a "step backward" to have members who are bound by various rules (such as an S/MIME Guideline) but that are prevented by the Forum from joining unless they change their business, governance, or auditability model. An example of this concretely is the Federal PKI operated in the US.

While for SSL/TLS cases, I may be more inclined to agree, S/MIME represents a particular area where given the nature of the 'localpart' of email addresses (fully in control of the organization), delegated CAs and trust relationships are far more common. For example, I don't have strong opinions on how "*.gov" should be managed, with respect to S/MIME, provided that the domain portion of the email is consistently validated.
Re: [cabfpub] Draft SMIME Working Group Charter
On Mon, Jan 28, 2019 at 2:17 PM Tim Hollebeek wrote:
> The intent was that Forum level membership was the union of all CWG membership criteria. If you’re able to join a CWG, you’re a Forum member.
>
> I think allowing in unaudited Certificate Issuers would be a huge step backwards.

Note that the proposal was not "unaudited" - merely, that the definition of audit be left to "Certificate Consumer", which participation with is already a required property. For example, some Consumers allow audits by government entities, but then constrain issuance using application-specific means (since, after all, this is a trust anchor). Others allow for equivalent audit schemes at their discretion. Thus, it also runs the risk of being a "step backward" to have members who are bound by various rules (such as an S/MIME Guideline) but that are prevented by the Forum from joining unless they change their business, governance, or auditability model. An example of this concretely is the Federal PKI operated in the US.

While for SSL/TLS cases, I may be more inclined to agree, S/MIME represents a particular area where given the nature of the 'localpart' of email addresses (fully in control of the organization), delegated CAs and trust relationships are far more common. For example, I don't have strong opinions on how "*.gov" should be managed, with respect to S/MIME, provided that the domain portion of the email is consistently validated.
Re: [cabfpub] Draft SMIME Working Group Charter
The intent was that Forum level membership was the union of all CWG membership criteria. If you’re able to join a CWG, you’re a Forum member.

I think allowing in unaudited Certificate Issuers would be a huge step backwards.

-Tim

From: Public On Behalf Of Wayne Thayer via Public
Sent: Friday, January 25, 2019 2:06 PM
To: Ryan Sleevi
Cc: CA/Browser Forum Public Discussion List
Subject: Re: [cabfpub] Draft SMIME Working Group Charter

On Fri, Jan 25, 2019 at 11:45 AM Ryan Sleevi wrote:
> On Fri, Jan 25, 2019 at 1:37 PM Wayne Thayer wrote:
>> I agree that we should exclude identity validation from the initial scope of this working group.
>>
>> On Fri, Jan 25, 2019 at 10:04 AM Ryan Sleevi via Public wrote:
>>> Finally, regarding membership criteria, I'm curious whether it's necessary to consider WebTrust for CAs / ETSI at all. For work like this, would it make sense to merely specify the requirements for a CA as one that is trusted for and actively issues S/MIME certificates that are accepted by a Certificate Consumer? This seems to be widely inclusive and can be iterated upon if/when improved criteria are developed, if appropriate. This would allow a CA that is not eligible for full Forum membership to join this WG as a full member.
>>
>> How would that work? Would we require such an organization to join the Forum as an Interested Party? If the idea is that such an organization wouldn't be required to join the Forum, then I don't believe that was anticipated or intended in the design of the current structure. It's not clear to me that we should permit membership in a CWG without Forum membership. For instance, allowing this may create loopholes in the IPR obligations that are defined and administered at the Forum level.
>
> Ah, drat, thanks for pointing that out, Wayne. You're right that the changes would need to be accompanied by changes to the Forum-level bylaws membership, whether to be more explicit (e.g. government issuers w/ their own audit frameworks, as an example, such as the FPKI) or more implicitly inclusive as this proposed. Absent a Bylaw change, it sounds like the most such folks could achieve would be Interested Party in the CWG. Does that match your understanding?

I'm not aware of anything that requires membership in a CWG to be at a level equivalent to that of the Forum, but I do think that is the intent of the bylaws. There may be no harm in having an Interested Party at the Forum level be a full member of a CWG, but I think it would be best for that to be clarified in the bylaws before creating a CWG with looser membership criteria than the Forum.
Re: [cabfpub] Bylaws: Update Membership Criteria (section 2.1)
On Thu, Jan 24, 2019 at 2:30 PM Dimitris Zacharopoulos (HARICA) via Public <public@cabforum.org> wrote:
> On 24/1/2019 8:16 μ.μ., Wayne Thayer via Public wrote:
>> On today's call we discussed a number of changes to the bylaws aimed at clarifying the rules for membership. The proposal for section 2.1(a)(1) resulting from today's discussion is:
>>
>> Certificate Issuer: The member organization operates a certification authority that has a publicly-available audit report or attestation statement that meets the following requirements:
>> * Is based on the full, current version of the WebTrust for CAs, ETSI EN 319 411-1, or ETSI EN 319 411-2 audit criteria
>
> Using the example reports for discussion (http://www.webtrust.org/practitioner-qualifications/docs/item85808.pdf): if a CA does not escrow CA keys, does not provide subscriber key generation services, or suspension services, does that count as being based on the "full, current version"? (Page 11, paragraph 2)
>
>> * Covers a period of at least 60 days

I'm curious for feedback from the ETSI folks, but perhaps a more inclusive definition would be "Reports on the operational effectiveness of controls for a historic period of at least 60 days". The context being that ETSI is a certification scheme, but as part of that certification, the CAB "may" ("should") examine the historic evidence for some period of time. 7.9 of 319 403 only requires "since the previous audit".

>> * Covers a period that ends within the past 15 months

This may also be resting on the BR definition of Audit Period.

I can see similar ambiguities arising with respect to ETSI and that its certification decisions last two years, not one, thus it might cause a CA to believe that they have up to three years from first completing their audit (that is, if the letter is issued at T=2 years, covering T=0 to T=2, and is valid to T=4 years, then the CA may believe it's covered until T=5 years and 3 months). There's also the potential of surveillance audits conducted over specific issues being resolved, without being a full recertification (e.g. if the CAB classified it as a minor non-conformity).

"With no more than 27 months having elapsed since the beginning of the reported-on period and no more than 15 months since the end of the reported-on period"

It's a mouthful, but perhaps there's a more concise way to capture that unambiguously.
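The timeline argument in the message above (a two-year ETSI reported-on period, a certificate issued at T=2 and valid to T=4, and a CA that assumes it is covered until T=5 years and 3 months) is easier to follow when the three proposed constraints are written down as a check and run against that timeline. The following is an added example and not part of the thread or of any Forum document: the thresholds (60 days of coverage, no more than 15 months since the end of the reported-on period, no more than 27 months since its beginning) are the wording quoted in the thread; the dates, the `AuditReport` type and the calendar-month arithmetic in `add_months` are assumptions made for the illustration, since the thread does not define how a "month" is counted.

```python
import calendar
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List

# Thresholds taken from the wording discussed in the thread.
MIN_COVERAGE_DAYS = 60              # "Covers a period of at least 60 days"
MAX_MONTHS_SINCE_PERIOD_END = 15    # "no more than 15 months since the end of the reported-on period"
MAX_MONTHS_SINCE_PERIOD_START = 27  # "no more than 27 months ... since the beginning of the reported-on period"


def add_months(d: date, months: int) -> date:
    """Shift d by whole calendar months, clamping the day to the target month's length.

    Calendar-month counting is an assumption of this example; the thread does not
    define how a "month" is measured."""
    total = d.year * 12 + (d.month - 1) + months
    year, month0 = divmod(total, 12)
    month = month0 + 1
    day = min(d.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


@dataclass(frozen=True)
class AuditReport:
    """Hypothetical record of a report's reported-on period (both ends inclusive)."""
    period_start: date
    period_end: date


def check_audit_report(report: AuditReport, today: date) -> List[str]:
    """Return the criteria the report fails as of `today`; an empty list means acceptable."""
    failures: List[str] = []
    covered_days = (report.period_end - report.period_start).days + 1
    if covered_days < MIN_COVERAGE_DAYS:
        failures.append(f"covers only {covered_days} days (minimum {MIN_COVERAGE_DAYS})")
    if add_months(report.period_end, MAX_MONTHS_SINCE_PERIOD_END) < today:
        failures.append(f"period ended more than {MAX_MONTHS_SINCE_PERIOD_END} months ago")
    if add_months(report.period_start, MAX_MONTHS_SINCE_PERIOD_START) < today:
        failures.append(f"period began more than {MAX_MONTHS_SINCE_PERIOD_START} months ago")
    return failures


def etsi_timeline_example() -> Dict[str, List[str]]:
    """Constructed timeline for the two-year certification case in the thread.

    T=0 is 2017-01-01 (constructed date); the report covers T=0 to T=2, the
    certificate is issued at T=2 and expires at T=4, and the CA assumes it is
    covered until T=5y3m. Each checkpoint maps to the failures found at that date."""
    t0 = date(2017, 1, 1)
    report = AuditReport(period_start=t0, period_end=add_months(t0, 24) - timedelta(days=1))
    checkpoints = {
        "T=2y (certificate issued)": 24,
        "T=2y3m": 27,   # last day on which a 24-month period still satisfies the 27-month rule
        "T=3y3m": 39,   # 15 months after the period ended
        "T=4y (certificate expires)": 48,
        "T=5y3m (CA's assumed limit)": 63,
    }
    return {label: check_audit_report(report, add_months(t0, months))
            for label, months in checkpoints.items()}


def short_period_example() -> List[str]:
    """Constructed case: a report covering 2018-11-01 through 2018-12-01 (31 days), checked on 2019-01-01."""
    report = AuditReport(date(2018, 11, 1), date(2018, 12, 1))
    return check_audit_report(report, date(2019, 1, 1))


if __name__ == "__main__":
    for label, failures in etsi_timeline_example().items():
        print(f"{label}: {'acceptable' if not failures else '; '.join(failures)}")
    print("31-day report:", "; ".join(short_period_example()))
```

Running it shows why the 27-month clause matters for a two-year reported-on period: the report is acceptable at T=2 and still at T=2y3m, but it fails the 27-month-since-beginning test from the next day on, long before the 15-month-since-end test trips at T=3y3m, and well before T=4 or the CA's assumed T=5y3m. The 60-day clause is checked independently, so a 31-day report fails on coverage even when it is recent.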