Re: [cabfpub] Bylaws: Update Membership Criteria (section 2.1)

2019-01-29 Thread Dimitris Zacharopoulos (HARICA) via Public



On 29/1/2019 7:18 p.m., Ryan Sleevi wrote:


Your response seems to suggest that the bar is "Whatever is enough to 
be trusted by a Certificate Consumer", which is the suggestion I had 
made elsewhere, as it avoids the ambiguity of the Forum interpreting 
and/or setting these guidelines, and instead moves to a very objective 
model that we can use and that can be extended if necessary.


You suggest it's an exception, but I think it bears repeated 
reminding: As the Forum looks to undertake "new" work (in the case of 
S/MIME or Code Signing), where there exist no objective 
industry-accepted audit criteria, and instead a loose assortment, which 
includes, but is not limited to, WebTrust for CAs, then I think our 
definition of membership needs to evolve to reflect that. We cannot 
take on this 'new' work without figuring out how to include those 
either affected by or with value to contribute to the discussions. The 
selection of "Webtrust for CAs" or "ETSI" is merely a codification of 
existing SSL/TLS Certificate Consumer practice, but it's not robust to 
handle that new work.


So, to again put the question back to you: Do you think there's some 
property, beyond "accepted by a Certificate Consumer", that you feel 
is essential for the Forum to capture within its membership requirements?


I think I answered this in my last paragraph.


Then by this goal, I don't believe our current membership
criteria meet this. For example, a qualified auditor is
determined by... government regulations in the case of ETSI. Does
that mean we should exclude ETSI audits from the scope? Or should
we allow CABs that are not accredited by the NABs?


This doesn't make a lot of sense. NABs are not Supervisory Bodies.
It's different. I was referring to government audit schemes for
CAs where a certain government unit audits a CA under national
criteria.


Yet the use of ETSI is still regulated.


Then we have different terminology for "regulation". In my understanding 
and interpretation, a "regulation" is a "law" or "obligation" that is 
mandated by local law in a local jurisdiction. In the EU case, it could 
be a law or obligation mandated by a Regulation voted by the European 
Council. NABs set their own rules based on EA requirements and 
international standards.



I realize it may seem like I'm being difficult, but I think
there's a core piece missing, which is trying to understand why
it's important for some members to exclude some other CAs that
have had long-standing operations. This is particularly relevant
for the discussion of the S/MIME charter, in which there is
a significant and extant set of 'trusted' certificates, in a
variety of software, that does not meet the criteria for
participation. They would be excluded from participating in
engaging or drafting the new criteria, by virtue of the Forum
membership criteria, and I think that's something we should be
thinking very carefully about and articulating what properties we
expect of CAs and why.


IMHO we need audit requirements that have undergone enough
scrutiny and quality assurance. International standards like ISO,
WebTrust and ETSI have such a process which provides better
assurance for the audit outcome. That's my personal view. We can
always listen to other schemes and we would welcome input from
governments (as Interested Parties) if they choose to participate.
If these schemes became so useful and comparable with existing
international schemes, then the S/MIME Working Group could decide
to add those schemes in the criteria for Membership and possibly
in the produced Guidelines.


I'm trying to understand the /why/ you take that personal view. I see 
no objective reasoning to support that.


I disagree that for S/MIME there is no set of existing rules. ETSI EN 
319 411-1 (scope LCP, NCP) and AFAIK WebTrust for CAs have been used as 
attestations of adequate level of organizational/technical controls for 
S/MIME, clientAuthentication and Code Signing Certificates.


The main reason I prefer using an international scheme is because it is 
more carefully drafted, usually by experts in that area, and has a good 
and internationally acceptable quality assurance. The auditors 
themselves are assessed by peer reviews (WebTrust) or by NABs (ETSI). 
Local laws and national regulations may not have a similar quality level 
but a lower one. Auditors are usually a government agency. I consider the 
level of audit schemes in the Baseline Requirements to be a good set of 
standards to start with because it sets the bar pretty high from the 
very beginning. In any case, there could be exceptions and there might 
be local laws and regulations that are outstanding and may set the bar 
even higher. We should accept everyone as Interested Parties (we do that 
already) and collaborate to extend our set of audit criteria and audit 
schemes.


Dimitris.

Re: [cabfpub] [EXTERNAL]Re: Draft SMIME Working Group Charter

2019-01-29 Thread Wayne Thayer via Public
My intention is not to prevent CAs from issuing S/MIME certificates
containing identity information. It's really what Ryan said and Rufus
reiterated.

There is a tremendous amount of work to do and the core of all of it is
cert profiles and email validation practices. I expect that it will take a
few years to get the core work published, and the complexity of identity
validation could easily extend that by a year or more. I am particularly
concerned (could just be my ignorance) about all the government-issued
identity certificates that are valid for S/MIME. Our identity validation
rules will need to support those use cases. Given how long S/MIME standards
have already waited behind governance reform, I prefer a narrower initial
scope that produces guidelines faster.

On Tue, Jan 29, 2019 at 2:18 PM Buschart, Rufus 
wrote:

> Hello!
>
>
>
> I would support the approach of Ryan (if I understood his approach
> correctly): Let’s start with the absolute minimal core and this is the
> validation of the email address and the definition of acceptable practices
> regarding key generation, key distribution and key escrow. I remember some
> discussions from last fall with Wayne about this issue when the new Mozilla
> Root Store Policies were drafted and it turned out that SMIME seems to be
> significantly different to TLS since the business needs are very much
> different. So there will be a lot to do with these issues.
>
>
>
> With best regards,
> Rufus Buschart
>
> Siemens AG
> Information Technology
> Human Resources
> PKI / Trustcenter
> GS IT HR 7 4
> Hugo-Junkers-Str. 9
> 90411 Nuernberg, Germany
> Tel.: +49 1522 2894134
> mailto:rufus.busch...@siemens.com 
> www.twitter.com/siemens
> www.siemens.com/ingenuityforlife 
> Siemens Aktiengesellschaft: Chairman of the Supervisory Board: Jim
> Hagemann Snabe; Managing Board: Joe Kaeser, Chairman, President and Chief
> Executive Officer; Roland Busch, Lisa Davis, Klaus Helmrich, Janina Kugel,
> Cedrik Neike, Michael Sen, Ralf P. Thomas; Registered offices: Berlin and
> Munich, Germany; Commercial registries: Berlin Charlottenburg, HRB 12300,
> Munich, HRB 6684; WEEE-Reg.-No. DE 23691322
>
> *Von:* Public  *Im Auftrag von *Bruce Morton
> via Public
> *Gesendet:* Dienstag, 29. Januar 2019 21:50
> *An:* Wayne Thayer ; CA/Browser Forum Public
> Discussion List 
> *Betreff:* Re: [cabfpub] [EXTERNAL]Re: Draft SMIME Working Group Charter
>
>
>
> Hi Wayne,
>
>
>
> Can you elaborate on why we should exclude identity validation from the
> initial scope?
>
>
>
> My thinking is that many CAs which are currently issuing S/MIME
> certificates are also including identity. I assume that most use similar
> methods that are defined in the BRs to validate identity. It would seem
> that it should be included in the scope to cover current practice.
>
>
>
> Thanks, Bruce.
>
>
>
> *From:* Public [mailto:public-boun...@cabforum.org
> ] *On Behalf Of *Wayne Thayer via Public
> *Sent:* January 25, 2019 1:37 PM
> *To:* Ryan Sleevi ; CA/Browser Forum Public Discussion
> List 
> *Subject:* [EXTERNAL]Re: [cabfpub] Draft SMIME Working Group Charter
>
>
>
> *WARNING:* This email originated outside of Entrust Datacard.
> *DO NOT CLICK* links or attachments unless you trust the sender and know
> the content is safe.
> --
>
> I agree that we should exclude identity validation from the initial scope
> of this working group.
>
>
>
> On Fri, Jan 25, 2019 at 10:04 AM Ryan Sleevi via Public <
> public@cabforum.org> wrote:
>
>
>
> Finally, regarding membership criteria, I'm curious whether it's necessary
> to consider WebTrust for CAs / ETSI at all. For work like this, would it
> make sense to merely specify the requirements for a CA as one that is
> trusted for and actively issues S/MIME certificates that are accepted by a
> Certificate Consumer. This seems to be widely inclusive and can be iterated
> upon if/when improved criteria are developed, if appropriate.
>
>
>
> This would allow a CA that is not eligible for full Forum membership to
> join this WG as a full member. How would that work? Would we require such
> an organization to join the Forum as an Interested Party? If the idea is
> that such an organization wouldn't be required to join the Forum, then I
> don't believe that was anticipated or intended in the design of the current
> structure. It's not clear to me that we should permit membership in a CWG
> without Forum membership. For instance, allowing this may create loopholes
> in the IPR obligations that are defined and administered at the Forum level.
>
>
>
> There's also a bootstrapping issue for membership, in that until we know
> who the accepted Certificate Consumers are, no CA can join as a Certificate
> Issuer. I'm curious whether it makes sense to explicitly bootstrap this in
> the charter or how we'd like to tackle this.
>
>
>
>

Re: [cabfpub] [EXTERNAL]Re: Draft SMIME Working Group Charter

2019-01-29 Thread Bruce Morton via Public
Hi Wayne,

Can you elaborate on why we should exclude identity validation from the initial 
scope?

My thinking is that many CAs which are currently issuing S/MIME certificates 
are also including identity. I assume that most use similar methods that are 
defined in the BRs to validate identity. It would seem that it should be 
included in the scope to cover current practice.

Thanks, Bruce.

From: Public [mailto:public-boun...@cabforum.org] On Behalf Of Wayne Thayer via 
Public
Sent: January 25, 2019 1:37 PM
To: Ryan Sleevi ; CA/Browser Forum Public Discussion List 

Subject: [EXTERNAL]Re: [cabfpub] Draft SMIME Working Group Charter

WARNING: This email originated outside of Entrust Datacard.
DO NOT CLICK links or attachments unless you trust the sender and know the 
content is safe.

I agree that we should exclude identity validation from the initial scope of 
this working group.

On Fri, Jan 25, 2019 at 10:04 AM Ryan Sleevi via Public 
mailto:public@cabforum.org>> wrote:

Finally, regarding membership criteria, I'm curious whether it's necessary to 
consider WebTrust for CAs / ETSI at all. For work like this, would it make 
sense to merely specify the requirements for a CA as one that is trusted for 
and actively issues S/MIME certificates that are accepted by a Certificate 
Consumer. This seems to be widely inclusive and can be iterated upon if/when 
improved criteria are developed, if appropriate.

This would allow a CA that is not eligible for full Forum membership to join 
this WG as a full member. How would that work? Would we require such an 
organization to join the Forum as an Interested Party? If the idea is that such 
an organization wouldn't be required to join the Forum, then I don't believe 
that was anticipated or intended in the design of the current structure. It's 
not clear to me that we should permit membership in a CWG without Forum 
membership. For instance, allowing this may create loopholes in the IPR 
obligations that are defined and administered at the Forum level.

There's also a bootstrapping issue for membership, in that until we know who 
the accepted Certificate Consumers are, no CA can join as a Certificate Issuer. 
I'm curious whether it makes sense to explicitly bootstrap this in the charter 
or how we'd like to tackle this.

___
Public mailing list
Public@cabforum.org
https://cabforum.org/mailman/listinfo/public


Re: [cabfpub] Bylaws: Update Membership Criteria (section 2.1)

2019-01-29 Thread Ryan Sleevi via Public
On Tue, Jan 29, 2019 at 12:11 PM Dimitris Zacharopoulos 
wrote:

>
>
> On 29/1/2019 4:56 p.m., Ryan Sleevi wrote:
>
> This isn't theoretical; at least one CA member provides such audits, as
> they use such a third-party datacenter. If the datacenter provided just
> their report, would they qualify? If they don't, then what is the property
> that we're trying to achieve, and why, so that we can do it?
>
>
> Would this WebTrust for CAs audit report be sufficient for acceptance in a
> Root Program? I don't think so.  All these years, CA/B Forum Members have
> been accepted by providing WebTrust for CAs and ETSI reports that include
> core PKI procedures. What you describe is probably an exception and we can
> decide how to handle this exception if in fact we ever receive an
> application for participation in a WG with a WebTrust for CAs audit report
> scoping just the physical security of a Datacenter. I hope that CA had
> other WebTrust for CAs reports for their other operations.
>

Unfortunately, this doesn't really answer the question posed, and doesn't
move us closer to understanding.

Your response seems to suggest that the bar is "Whatever is enough to be
trusted by a Certificate Consumer", which is the suggestion I had made
elsewhere, as it avoids the ambiguity of the Forum interpreting and/or
setting these guidelines, and instead moves to a very objective model that
we can use and that can be extended if necessary.

You suggest it's an exception, but I think it bears repeated reminding: As
the Forum looks to undertake "new" work (in the case of S/MIME or Code
Signing), where there exist no objective industry-accepted audit criteria,
and instead a loose assortment, which includes, but is not limited to,
WebTrust for CAs, then I think our definition of membership needs to evolve
to reflect that. We cannot take on this 'new' work without figuring out how
to include those either affected by or with value to contribute to the
discussions. The selection of "Webtrust for CAs" or "ETSI" is merely a
codification of existing SSL/TLS Certificate Consumer practice, but it's
not robust to handle that new work.

So, to again put the question back to you: Do you think there's some
property, beyond "accepted by a Certificate Consumer", that you feel is
essential for the Forum to capture within its membership requirements?


> Then by this goal, I don't believe our current membership criteria meet
> this. For example, a qualified auditor is determined by... government
> regulations in the case of ETSI. Does that mean we should exclude ETSI
> audits from the scope? Or should we allow CABs that are not accredited by
> the NABs?
>
>
> This doesn't make a lot of sense. NABs are not Supervisory Bodies. It's
> different. I was referring to government audit schemes for CAs where a
> certain government unit audits a CA under national criteria.
>

Yet the use of ETSI is still regulated.


> I realize it may seem like I'm being difficult, but I think there's a core
> piece missing, which is trying to understand why it's important for some
> members to exclude some other CAs that have had long-standing operations.
> This is particularly relevant for the discussion of the S/MIME charter, in
> which there is a significant and extant set of 'trusted' certificates, in a
> variety of software, that does not meet the criteria for participation.
> They would be excluded from participating in engaging or drafting the new
> criteria, by virtue of the Forum membership criteria, and I think that's
> something we should be thinking very carefully about and articulating what
> properties we expect of CAs and why.
>
>
> IMHO we need audit requirements that have undergone enough scrutiny and
> quality assurance. International standards like ISO, WebTrust and ETSI have
> such a process which provides better assurance for the audit outcome.
> That's my personal view. We can always listen to other schemes and we would
> welcome input from governments (as Interested Parties) if they choose to
> participate. If these schemes became so useful and comparable with existing
> international schemes, then the S/MIME Working Group could decide to add
> those schemes in the criteria for Membership and possibly in the produced
> Guidelines.
>

I'm trying to understand the /why/ you take that personal view. I see no
objective reasoning to support that.


Re: [cabfpub] Bylaws: Update Membership Criteria (section 2.1)

2019-01-29 Thread Dimitris Zacharopoulos (HARICA) via Public



On 29/1/2019 4:56 p.m., Ryan Sleevi wrote:



On Tue, Jan 29, 2019 at 2:18 AM Dimitris Zacharopoulos 
mailto:ji...@it.auth.gr>> wrote:




On 28/1/2019 8:48 p.m., Ryan Sleevi via Public wrote:



On Thu, Jan 24, 2019 at 2:30 PM Dimitris Zacharopoulos (HARICA)
via Public mailto:public@cabforum.org>> wrote:



On 24/1/2019 8:16 p.m., Wayne Thayer via Public wrote:

On today's call we discussed a number of changes to the
bylaws aimed at clarifying the rules for membership. The
proposal for section 2.1(a)(1) resulting from today's
discussion is:

Certificate Issuer: The member organization operates a
certification authority that has a publicly-available
audit report or attestation statement that meets the
following requirements:
* Is based on the full, current version of the WebTrust
for CAs, ETSI EN 319 411-1 , or ETSI EN 319 411-2 audit
criteria


Using the example reports for discussion (
http://www.webtrust.org/practitioner-qualifications/docs/item85808.pdf )

If a CA does not escrow CA keys, does not provide subscriber key
generation services, or suspension services, does that count as
being based on the "full, current version"? (Page 11, paragraph 2)


I think so, yes. Based on the exact CA operations, the exact audit
scope is determined. The Forum has set the WebTrust for CAs and
ETSI EN 319 411-1 as an absolute minimum that includes attestation
of the existence of reasonable organizational and technical
controls. If you recall, I had proposed that for the SCWG we
should also require WebTrust for CAs Baseline and NetSec because
they are already included in ETSI EN 319 411-1 and are more
suitable for SSL/TLS Certificates. If a CA obtains a WebTrust for
CAs or ETSI EN 319 411-1 audit report, it means that the core CA
services are there and are operational.


I don't believe this is a correct understanding. By highlighting that 
it's acceptable to carve out the scope, you're seemingly acknowledging 
that it's acceptable to take subsets of the audit criteria. For 
example, if I provided an audit for the physical security controls of 
my data center against the WebTrust for CAs criteria, is that 
sufficient for membership as a CA?


This isn't theoretical; at least one CA member provides such audits, 
as they use such a third-party datacenter. If the datacenter provided 
just their report, would they qualify? If they don't, then what is the 
property that we're trying to achieve, and why, so that we can do it?


Would this WebTrust for CAs audit report be sufficient for acceptance in 
a Root Program? I don't think so.  All these years, CA/B Forum Members 
have been accepted by providing WebTrust for CAs and ETSI reports that 
include core PKI procedures. What you describe is probably an exception 
and we can decide how to handle this exception if in fact we ever 
receive an application for participation in a WG with a WebTrust for CAs 
audit report scoping just the physical security of a Datacenter. I 
hope that CA had other WebTrust for CAs reports for their other operations.



Root programs have audit requirements exceptions and this applies
equally to Microsoft and Mozilla. I don't disagree with being more
inclusive but I believe the Forum must have objective and specific
requirements based on some international standards and not just
government regulations.


Then by this goal, I don't believe our current membership criteria 
meet this. For example, a qualified auditor is determined by... 
government regulations in the case of ETSI. Does that mean we should 
exclude ETSI audits from the scope? Or should we allow CABs that are 
not accredited by the NABs?


This doesn't make a lot of sense. NABs are not Supervisory Bodies. It's 
different. I was referring to government audit schemes for CAs where a 
certain government unit audits a CA under national criteria.




I realize it may seem like I'm being difficult, but I think there's a 
core piece missing, which is trying to understand why it's important 
for some members to exclude some other CAs that have had long-standing 
operations. This is particularly relevant for the discussion of the 
S/MIME charter, in which there is a significant and extant set of 
'trusted' certificates, in a variety of software, that does not meet 
the criteria for participation. They would be excluded from 
participating in engaging or drafting the new criteria, by virtue of 
the Forum membership criteria, and I think that's something we should 
be thinking very carefully about and articulating what properties we 
expect of CAs and why.


IMHO we need audit requirements that have undergone enough scrutiny and 
quality assurance. International standards like ISO, WebTrust and ETSI 
have such a process which provides better assurance for the audit 
outcome. That's 

Re: [cabfpub] Bylaws: Update Membership Criteria (section 2.1)

2019-01-29 Thread Ryan Sleevi via Public
On Tue, Jan 29, 2019 at 2:18 AM Dimitris Zacharopoulos 
wrote:

>
>
> On 28/1/2019 8:48 p.m., Ryan Sleevi via Public wrote:
>
>
>
> On Thu, Jan 24, 2019 at 2:30 PM Dimitris Zacharopoulos (HARICA) via Public
>  wrote:
>
>>
>>
>> On 24/1/2019 8:16 p.m., Wayne Thayer via Public wrote:
>>
>> On today's call we discussed a number of changes to the bylaws aimed at
>> clarifying the rules for membership. The proposal for section 2.1(a)(1)
>> resulting from today's discussion is:
>>
>> Certificate Issuer: The member organization operates a certification
>>> authority that has a publicly-available audit report or attestation
>>> statement that meets the following requirements:
>>> * Is based on the full, current version of the WebTrust for CAs, ETSI EN
>>> 319 411-1 , or ETSI EN 319 411-2 audit criteria
>>>
>> Using the example reports for discussion (
> http://www.webtrust.org/practitioner-qualifications/docs/item85808.pdf )
>
> If a CA does not escrow CA keys, does not provide subscriber key
> generation services, or suspension services, does that count as being based
> on the "full, current version"? (Page 11, paragraph 2)
>
>
> I think so, yes. Based on the exact CA operations, the exact audit scope
> is determined. The Forum has set the WebTrust for CAs and ETSI EN 319 411-1
> as an absolute minimum that includes attestation of the existence of
> reasonable organizational and technical controls. If you recall, I had
> proposed that for the SCWG we should also require WebTrust for CAs Baseline
> and NetSec because they are already included in ETSI EN 319 411-1 and are
> more suitable for SSL/TLS Certificates. If a CA obtains a WebTrust for CAs
> or ETSI EN 319 411-1 audit report, it means that the core CA services are
> there and are operational.
>

I don't believe this is a correct understanding. By highlighting that it's
acceptable to carve out the scope, you're seemingly acknowledging that it's
acceptable to take subsets of the audit criteria. For example, if I
provided an audit for the physical security controls of my data center
against the WebTrust for CAs criteria, is that sufficient for membership as
a CA?

This isn't theoretical; at least one CA member provides such audits, as
they use such a third-party datacenter. If the datacenter provided just
their report, would they qualify? If they don't, then what is the property
that we're trying to achieve, and why, so that we can do it?


> Root programs have audit requirements exceptions and this applies equally
> to Microsoft and Mozilla. I don't disagree with being more inclusive but I
> believe the Forum must have objective and specific requirements based on
> some international standards and not just government regulations.
>

Then by this goal, I don't believe our current membership criteria meet
this. For example, a qualified auditor is determined by... government
regulations in the case of ETSI. Does that mean we should exclude ETSI
audits from the scope? Or should we allow CABs that are not accredited by
the NABs?

I realize it may seem like I'm being difficult, but I think there's a core
piece missing, which is trying to understand why it's important for some
members to exclude some other CAs that have had long-standing operations.
This is particularly relevant for the discussion of the S/MIME charter, in
which there is a significant and extant set of 'trusted' certificates, in a
variety of software, that does not meet the criteria for participation.
They would be excluded from participating in engaging or drafting the new
criteria, by virtue of the Forum membership criteria, and I think that's
something we should be thinking very carefully about and articulating what
properties we expect of CAs and why.


> * Covers a period of at least 60 days
>>>
>> I'm curious for feedback from the ETSI folks, but perhaps a more
> inclusive definition would be
> - "Reports on the operational effectiveness of controls for a historic
> period of at least 60 days"
>
> The context being that ETSI is a certification scheme, but as part of that
> certification, the CAB "may" ("should") examine the historic evidence for
> some period of time. 7.9 of 319 403 only requires "since the previous audit"
>
>
> I am not representing ETSI or ACAB'c but if there are concerns with this
> requirement we can solve this issue using the language proposed by Wayne
> "Covers a period of at least 60 days". I would use "Covers a period of
> operations of at least 60 days".
>

I'm not sure what this is a response to. I was pointing out the issues with
the language proposed by Wayne and why it's insufficient, so it's not clear
to me how you've resolved that.