Re: [cabfpub] Ballot Forum-11: Creation of S/MIME Certificates Working Group

2020-02-05 Thread Dimitris Zacharopoulos (HARICA) via Public

Tim, Wayne, Adriano,

Apple made a contribution and although HARICA disagrees with most of the 
recommended changes I believe there should be some discussion around 
that. Unfortunately, although I had started working on a response, I 
didn't have time to complete it on time. I was hoping to see some 
comments/responses from the proposer and endorsers before the voting 
period began.


For what it's worth, here is a list of my comments (attached). My 
biggest concern is the Certificate Consumer members that qualify based 
on "mail transfer agent". I would certainly like some more information 
about that before HARICA votes. Other than that, the charter looks good 
to me.



Best regards,
Dimitris.



On 2020-02-06 12:45 AM, Wayne Thayer via Public wrote:
> Based on my recollection of the Guangzhou discussion, and supported by
> the minutes, the "path forward agreed to in Guangzhou" was that we
> would take this charter to a ballot without further attempts to
> resolve the issue of including identity in the charter's scope. There
> does not appear to be a path to consensus on this issue, despite the
> considerable amount of time spent discussing it. I'm unhappy with this
> approach, but as one of the endorsers, I don't see an alternative
> other than "take it to a vote" that gets this much-needed WG formed
> any time soon.
>
> - Wayne
>
> On Wed, Feb 5, 2020 at 3:22 PM Ryan Sleevi via Public
> <public@cabforum.org> wrote:
>
> > Hi Tim,
> >
> > Could you point to where that's reflected in the minutes? Our
> > understanding here at Google is that Apple's proposed changes,
> > which we support and would be unable to participate without
> > incorporating, is that it accurately and correctly reflects the
> > discussions in London [1], reiterated in Cupertino [2], and agreed
> > upon in Thessaloniki [3]. It appears that, following that, the
> > proposers of that ballot ignored that consensus and conclusion,
> > and yet the discussion of Guangzhou [4] does not indicate there
> > was consensus to do so.
> >
> > I'm hoping we've just overlooked something in the minutes, but
> > Apple's proposed changes seem imminently reasonable, and a
> > worthwhile path to drafting requirements that consuming software,
> > such as mail clients (both native and Web), can use and consume as
> > part of their root programs, as an alternative to their
> > root-program-specific requirements.
> >
> > [1]
> > https://cabforum.org/2018/06/06/minutes-for-ca-browser-forum-f2f-meeting-44-london-6-7-june-2018/#New-SMIME-Working-Group-Charter
> > [2]
> > https://cabforum.org/2019/05/03/minutes-for-ca-browser-forum-f2f-meeting-46-cupertino-12-14-march-2019/#Creation-of-additional-Working-Groups---Secure-Mail
> > "Dean – We have a blank slate here and it seems the reluctance was
> > to make it a narrow scope and then focus on either one aspect of
> > SMIME. First task might be how to validate an email, and then
> > focus on identity validation. Some comments were to make the chart
> > narrow to focus on one task while others say to include all
> > proposed tasks to not have to recharter which has caused issues in
> > the past."
> > [3]
> > https://cabforum.org/2019/08/16/minutes-for-ca-browser-forum-f2f-meeting-47-thessaloniki-12-13-june-2019/#Creation-of-Additional-Groups---Secure-Mail
> > "Eventually, all parties in the conversation came to the
> > conclusion that it would behoove the Forum to scope the working
> > group charter to domain validation, first, before adding other
> > functionality once that portion was locked-down."
> > [4]
> > https://cabforum.org/2019/12/12/minutes-for-ca-browser-forum-f2f-meeting-48-guangzhou-5-7-november-2019/#Creation-of-Additional-Groups---Secure-Mail
> >
> > ___
> > Public mailing list
> > Public@cabforum.org
> > https://cabforum.org/mailman/listinfo/public






Draft SMIME Charter 2020-01-31-ctw-HARICA.docx
Description: MS-Word 2007 document


Re: [cabfpub] Ballot Forum-11: Creation of S/MIME Certificates Working Group

2020-02-05 Thread Ryan Sleevi via Public
Just to make sure the timing is accurate:

2018-05 - Tim Hollebeek circulates a draft charter, largely modeled after
the code signing charter [1].
2018-06 - F2F 44 provides significant discussion on this issue and the
potential concerns. [2]
2018-07 - Ballot 208 [3] is finalized, which sets forth the requirements
for creating new CWG charters.
2018-10 - F2F 45 reiterates the concerns previously raised [4], with the
conclusion being


> - Ben – It sounds like the initial charter should focus on three
> aspects: profile, identity validation of email and identity (host and local
> part), and private key protection.
> - Kirk Hall, Entrust – Is that enough to start drafting a charter?
> - Ben – Yes, I can start a charter based on those three principles.

2019-01 - Ben Wilson circulates an updated draft for feedback [5]. This
draft is substantially more expansive, due to the changes in Ballot 206.
2019-03 - F2F 46 is held in Cupertino. While the minutes show [6] there is
still scope issue, a clear and viable path forward, previously raised, is
reiterated.

> Dean – We have a blank slate here and it seems the reluctance was to make
> it a narrow scope and then focus on either one aspect of SMIME. First task
> might be how to validate an email, and then focus on identity validation.
> Some comments were to make the chart narrow to focus on one task while
> others say to include all proposed tasks to not have to recharter which has
> caused issues in the past.

2019-06 - F2F 47 is held in Thessaloniki [7], where again we discuss the
same topic.
2019-12 - Tim circulates the first draft version [8], the week before
Christmas. This is the first version that has been circulated since Ben
Wilson's 2019-01 version. Feedback is provided by Wayne [9] to be addressed.
2019-01 - Tim starts the discussion period for this ballot [10]

I highlight this timeline, because it does seem somewhat concerning that
after significant good faith effort to discuss the issues, these are
seemingly intentionally ignored in forcing a vote that intentionally
ignores feedback during the discussion period [11]. For example, [10]
represents the first time of seeing any draft on how the concerns were
raised. Given the significant beneficial edits proposed by Apple, for
example, Google did not submit its many procedural and practical concerns
with the draft language, on the hope that there would be a good faith
effort to engage with and discuss these issues.

It's equally concerning that the effort and time spent in communicating on
the previous draft, in [5], was entirely ignored in [8], which entirely
precipitated the issues in [9]. Substantive issues, such as those raised in
[12], were entirely ignored, and are largely orthogonal to the debate about
identity but to the very core of the charter.

I can understand that, if the view is we are at an impasse, then rough
consensus is a path forward. However, it remains deeply disappointing that
it seems that virtually all feedback, from a variety of participants, has
been ignored, as shown through the minutes and the past proposed changes.
That does not seem to be in the spirit of what you've suggested the intent
is.

[1] https://cabforum.org/pipermail/public/2018-May/013400.html
[2]
https://cabforum.org/2018/06/06/minutes-for-ca-browser-forum-f2f-meeting-44-london-6-7-june-2018/
[3]
https://cabforum.org/2018/04/03/ballot-206-amendment-to-ipr-policy-bylaws-re-working-group-formation/

[4]
https://cabforum.org/2018/10/18/minutes-for-ca-browser-forum-f2f-meeting-45-shanghai-17-18-october-2018/#6-Creation-of-additional-Working-Groups---Secure-Mail-Other
[5] https://cabforum.org/pipermail/public/2019-January/014517.html
[6]
https://cabforum.org/2019/05/03/minutes-for-ca-browser-forum-f2f-meeting-46-cupertino-12-14-march-2019/#Creation-of-additional-Working-Groups---Secure-Mail
[7]
https://cabforum.org/2019/08/16/minutes-for-ca-browser-forum-f2f-meeting-47-thessaloniki-12-13-june-2019/#Creation-of-Additional-Groups---Secure-Mail
[8] https://cabforum.org/pipermail/public/2019-December/014838.html
[9] https://cabforum.org/pipermail/public/2019-December/014839.html
[10] https://cabforum.org/pipermail/public/2020-January/014852.html
[11] https://cabforum.org/pipermail/public/2020-February/014865.html
[12] https://cabforum.org/pipermail/public/2019-January/014521.html

On Wed, Feb 5, 2020 at 5:45 PM Wayne Thayer  wrote:

> Based on my recollection of the Guangzhou discussion, and supported by the
> minutes, the "path forward agreed to in Guangzhou" was that we would take
> this charter to a ballot without further attempts to resolve the issue of
> including identity in the charter's scope. There does not appear to be a
> path to consensus on this issue, despite the considerable amount of time
> spent discussing it. I'm unhappy with this approach, but as one of the
> endorsers, I don't see an alternative other than "take it to a vote" that
> gets this much-needed WG formed any time soon.
>

Re: [cabfpub] Ballot Forum-11: Creation of S/MIME Certificates Working Group

2020-02-05 Thread Wayne Thayer via Public
Based on my recollection of the Guangzhou discussion, and supported by the
minutes, the "path forward agreed to in Guangzhou" was that we would take
this charter to a ballot without further attempts to resolve the issue of
including identity in the charter's scope. There does not appear to be a
path to consensus on this issue, despite the considerable amount of time
spent discussing it. I'm unhappy with this approach, but as one of the
endorsers, I don't see an alternative other than "take it to a vote" that
gets this much-needed WG formed any time soon.

- Wayne

On Wed, Feb 5, 2020 at 3:22 PM Ryan Sleevi via Public 
wrote:

> Hi Tim,
>
> Could you point to where that's reflected in the minutes? Our
> understanding here at Google is that Apple's proposed changes, which we
> support and would be unable to participate without incorporating, is that
> it accurately and correctly reflects the discussions in London [1],
> reiterated in Cupertino [2], and agreed upon in Thessaloniki [3]. It
> appears that, following that, the proposers of that ballot ignored that
> consensus and conclusion, and yet the discussion of Guangzhou [4] does not
> indicate there was consensus to do so.
>
> I'm hoping we've just overlooked something in the minutes, but Apple's
> proposed changes seem imminently reasonable, and a worthwhile path to
> drafting requirements that consuming software, such as mail clients (both
> native and Web), can use and consume as part of their root programs, as an
> alternative to their root-program-specific requirements.
>
> [1]
> https://cabforum.org/2018/06/06/minutes-for-ca-browser-forum-f2f-meeting-44-london-6-7-june-2018/#New-SMIME-Working-Group-Charter
> [2]
> https://cabforum.org/2019/05/03/minutes-for-ca-browser-forum-f2f-meeting-46-cupertino-12-14-march-2019/#Creation-of-additional-Working-Groups---Secure-Mail
> "Dean – We have a blank slate here and it seems the reluctance was to
> make it a narrow scope and then focus on either one aspect of SMIME. First
> task might be how to validate an email, and then focus on identity
> validation. Some comments were to make the chart narrow to focus on one
> task while others say to include all proposed tasks to not have to
> recharter which has caused issues in the past."
> [3]
> https://cabforum.org/2019/08/16/minutes-for-ca-browser-forum-f2f-meeting-47-thessaloniki-12-13-june-2019/#Creation-of-Additional-Groups---Secure-Mail
> "Eventually, all parties in the conversation came to the conclusion that
> it would behoove the Forum to scope the working group charter to domain
> validation, first, before adding other functionality once that portion was
> locked-down."
> [4]
> https://cabforum.org/2019/12/12/minutes-for-ca-browser-forum-f2f-meeting-48-guangzhou-5-7-november-2019/#Creation-of-Additional-Groups---Secure-Mail
>
>


Re: [cabfpub] Ballot Forum-11: Creation of S/MIME Certificates Working Group

2020-02-05 Thread Ryan Sleevi via Public
Hi Tim,

Could you point to where that's reflected in the minutes? Our understanding
here at Google is that Apple's proposed changes, which we support and would
be unable to participate without incorporating, is that it accurately and
correctly reflects the discussions in London [1], reiterated in Cupertino
[2], and agreed upon in Thessaloniki [3]. It appears that, following that,
the proposers of that ballot ignored that consensus and conclusion, and yet
the discussion of Guangzhou [4] does not indicate there was consensus to do
so.

I'm hoping we've just overlooked something in the minutes, but Apple's
proposed changes seem imminently reasonable, and a worthwhile path to
drafting requirements that consuming software, such as mail clients (both
native and Web), can use and consume as part of their root programs, as an
alternative to their root-program-specific requirements.

[1]
https://cabforum.org/2018/06/06/minutes-for-ca-browser-forum-f2f-meeting-44-london-6-7-june-2018/#New-SMIME-Working-Group-Charter
[2]
https://cabforum.org/2019/05/03/minutes-for-ca-browser-forum-f2f-meeting-46-cupertino-12-14-march-2019/#Creation-of-additional-Working-Groups---Secure-Mail
"Dean – We have a blank slate here and it seems the reluctance was to make
it a narrow scope and then focus on either one aspect of SMIME. First task
might be how to validate an email, and then focus on identity validation.
Some comments were to make the chart narrow to focus on one task while
others say to include all proposed tasks to not have to recharter which has
caused issues in the past."
[3]
https://cabforum.org/2019/08/16/minutes-for-ca-browser-forum-f2f-meeting-47-thessaloniki-12-13-june-2019/#Creation-of-Additional-Groups---Secure-Mail
"Eventually, all parties in the conversation came to the conclusion that it
would behoove the Forum to scope the working group charter to domain
validation, first, before adding other functionality once that portion was
locked-down."
[4]
https://cabforum.org/2019/12/12/minutes-for-ca-browser-forum-f2f-meeting-48-guangzhou-5-7-november-2019/#Creation-of-Additional-Groups---Secure-Mail


[cabfpub] Voting Begins: Forum-11: Creation of S/MIME Certificates Working Group

2020-02-05 Thread Tim Hollebeek via Public
The following ballot is proposed by Tim Hollebeek of DigiCert and endorsed
by Wayne Thayer of Mozilla and Adriano Santoni of Actalis.

Ballot Forum-11: Creation of S/MIME Certificates Working Group

Purpose of the Ballot

The CA/Browser Forum recently underwent a two-year long governance reform
exercise, modifying the Bylaws to allow the creation of working groups that
covered topics other than server certificates.  While originally motivated
by the inability to maintain requirements for code signing certificates, it
was anticipated from the start that this would also provide an opportunity
to create other working groups that could develop and maintain certificate
profiles and requirements for other kinds of certificates.  While a number
of regional and technical standards exist regarding the creation and
issuance of S/MIME certificates, there is no current global forum for
certificate authorities and those who consume or use S/MIME certificates to
come together and develop and maintain policies and standards for those
certificates.  This lack of standards has impeded the adoption and
interoperability of S/MIME certificates worldwide.  This ballot would
establish a working group chartered to develop and maintain such standards
for S/MIME certificates, including but not limited to two important
priorities: a uniform certificate profile for the issuance of
publicly-trusted S/MIME certificates, and validation requirements for such
certificates.

--- MOTION BEGINS ---

Establish S/MIME Certificates Working Group

Upon approval of the CAB Forum by ballot in accordance with section 5.3 of
the Bylaws, the S/MIME Certificates Working Group ("SMWG") is created to
perform the activities as specified in the attached Charter.

--- MOTION ENDS ---

The procedure for approval of this ballot is as follows:

Discussion (7+ days)

Start Time: 2020-01-24 14:40:00 EDT

End Time: after 2020-01-31 14:40:00 EDT

Vote for approval (7 days)

Start Time: 2020-02-05 17:10 EDT

End Time: 2020-02-12 17:10 EDT

SMIME Charter 2020-01-24.docx
Description: MS-Word 2007 document




Re: [cabfpub] Ballot Forum-11: Creation of S/MIME Certificates Working Group

2020-02-05 Thread Tim Hollebeek via Public
Thanks for this, but this is fundamentally incompatible with the path forward
we agreed to in Guangzhou.

-Tim

From: cli...@apple.com  On Behalf Of Clint Wilson
Sent: Friday, January 31, 2020 7:53 PM
To: Tim Hollebeek ; CABforum1 
Subject: Re: [cabfpub] Ballot Forum-11: Creation of S/MIME Certificates Working Group

Hi all,

I apologize for not getting this feedback in prior to the end of the Discussion
period. I’ve attached a redlined document with comments and proposed changes
(though I didn’t update the format to follow the template in the Bylaws). I
hope this feedback can still be considered prior to the ballot being submitted
for a vote.

Thank you!

-Clint

 


