<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<br>
<br>
<div class="moz-cite-prefix">On 3/7/2018 3:36 μμ, Tim Hollebeek via
Public wrote:<br>
</div>
<blockquote type="cite"
cite="mid:BN6PR14MB11060A598F589339EC5C111C83420@BN6PR14MB1106.namprd14.prod.outlook.com">
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 15 (filtered
medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Consolas;
panose-1:2 11 6 9 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;
color:black;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:#954F72;
text-decoration:underline;}
pre
{mso-style-priority:99;
mso-style-link:"HTML Preformatted Char";
margin:0in;
margin-bottom:.0001pt;
font-size:10.0pt;
font-family:"Courier New";
color:black;}
p.msonormal0, li.msonormal0, div.msonormal0
{mso-style-name:msonormal;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:12.0pt;
font-family:"Times New Roman",serif;
color:black;}
span.EmailStyle19
{mso-style-type:personal;
font-family:"Calibri",sans-serif;
color:windowtext;}
span.EmailStyle20
{mso-style-type:personal;
font-family:"Calibri",sans-serif;
color:#1F497D;}
span.EmailStyle21
{mso-style-type:personal;
font-family:"Calibri",sans-serif;
color:#1F497D;}
span.EmailStyle22
{mso-style-type:personal;
font-family:"Calibri",sans-serif;
color:#1F497D;}
span.HTMLPreformattedChar
{mso-style-name:"HTML Preformatted Char";
mso-style-priority:99;
mso-style-link:"HTML Preformatted";
font-family:Consolas;
color:black;}
span.EmailStyle25
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
<div class="WordSection1">
<p class="MsoNormal"><span style="color:windowtext">This was
discussed on the Governance Reform Working Group, and as I
recall, most people agree the distinction probably isn’t
useful and is a historical artifact. But there wasn’t
enough motivation to scrap it.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:windowtext"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:windowtext">It is
intended to support the notion of a company that operates a
root and signs other CA certificates, but doesn’t issue end
entity certificates itself. Such a company is a Root
Certificate Issuer but not a Certificate Issuer.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:windowtext"><o:p> </o:p></span></p>
</div>
</blockquote>
<br>
In addition to that, a company might be operating only a SubCA that
they have obtained from another company that operates a RootCA.
These companies are also entitled to become Members as a
"Certificate Issuer".<br>
<br>
Dimitris.<br>
<br>
<blockquote type="cite"
cite="mid:BN6PR14MB11060A598F589339EC5C111C83420@BN6PR14MB1106.namprd14.prod.outlook.com">
<div class="WordSection1">
<p class="MsoNormal"><span style="color:windowtext">-Tim<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:windowtext"><o:p> </o:p></span></p>
<div style="border:none;border-left:solid blue 1.5pt;padding:0in
0in 0in 4.0pt">
<div>
<div style="border:none;border-top:solid #E1E1E1
1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="color:windowtext">From:</span></b><span
style="color:windowtext"> Public
[<a class="moz-txt-link-freetext" href="mailto:public-bounces@cabforum.org">mailto:public-bounces@cabforum.org</a>] <b>On Behalf Of
</b>Adriano Santoni via Public<br>
<b>Sent:</b> Tuesday, July 3, 2018 2:41 AM<br>
<b>To:</b> <a class="moz-txt-link-abbreviated" href="mailto:public@cabforum.org">public@cabforum.org</a><br>
<b>Subject:</b> Re: [cabfpub] New Server Certificate
Working Group<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p>Hi Kirk,<o:p></o:p></p>
<p>based on these definitions, it seems to me that most CAs
among CABF members fall into both categories. <o:p></o:p></p>
<p>What is the purpose of distinguishing between the two,
after all?<o:p></o:p></p>
<p>Adriano<o:p></o:p></p>
<p><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal">Il 03/07/2018 01:30, Kirk Hall via
Public ha scritto:<o:p></o:p></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal">I would look again at the definitions
on the two different ways to participate as a CA. <o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">My guess is that CAs who have and use
their own trusted roots will choose (2) Root Certificate
Issuer, while CAs who do not have their own trusted roots
will choose (1) Certificate Issuer, but I’m not sure on
that. The only reason why we are asking Members to
declare their status is just so everyone can know and can
confirm that the Member meets the membership
qualifications. <o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal"
style="margin-left:.5in;text-autospace:none">(1)
Certificate Issuer: The member organization operates a
certification authority that has a current and successful
WebTrust for CAs audit, or ETSI TS 102042, ETSI 101456, or
ETSI EN 319 411-1 audit report prepared by a
properly-qualified auditor, <b><u>and that actively
issues certificates to Web servers that are openly
accessible from the Internet</u></b>, such
certificates being treated as valid when using a browser
created by a Certificate Consumer Member. Applicants that
are not actively issuing certificates but otherwise meet
membership criteria may be granted Associate Member status
under Bylaw Sec. 3.1 for a period of time to be designated
by the Forum.<o:p></o:p></p>
<p class="MsoNormal"
style="margin-left:.5in;text-autospace:none"> <o:p></o:p></p>
<p class="MsoNormal"
style="margin-left:.5in;text-autospace:none">(2) Root
Certificate Issuer: The member organization operates a
certification authority that has a current and successful
WebTrust for CAs, or ETSI TS 102042, ETSI TS 101456, ETSI
EN 319 411-1 audit report prepared by a properly-qualified
auditor, <b><u>and that actively issues certificates to
subordinate CAs that, in turn, actively issue
certificates to Web servers</u></b> that are openly
accessible from the Internet, such certificates being
treated as valid when using a browser created by a
Certificate Consumer Member. Applicants that are not
actively issuing certificates but otherwise meet
membership criteria may be granted Associate Member status
under Bylaw Sec. 3.1 for a period of time to be designated
by the Forum.<o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D"> </span><o:p></o:p></p>
<div>
<div style="border:none;border-top:solid #E1E1E1
1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b>From:</b> Peter Miškovič [<a
href="mailto:Peter.Miskovic@disig.sk"
moz-do-not-send="true">mailto:Peter.Miskovic@disig.sk</a>]
<br>
<b>Sent:</b> Monday, July 2, 2018 2:34 AM<br>
<b>To:</b> Kirk Hall <a
href="mailto:Kirk.Hall@entrustdatacard.com"
moz-do-not-send="true"><Kirk.Hall@entrustdatacard.com></a><br>
<b>Cc:</b> CA/Browser Forum Public Discussion List <a
href="mailto:public@cabforum.org"
moz-do-not-send="true"><public@cabforum.org></a>;
Ben Wilson <a href="mailto:ben.wilson@digicert.com"
moz-do-not-send="true"><ben.wilson@digicert.com></a><br>
<b>Subject:</b> [EXTERNAL]RE: New Server Certificate
Working Group<o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D">Hi Kirk,</span><o:p></o:p></p>
<div>
<div style="border:none;border-top:solid #E1E1E1
1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><span style="color:#1F497D">could
you explain to me difference between (1) and (2)? We
are CA which issue subordinate CAs for our own
purpose and from them actively issues certificates
to Web servers</span><span style="color:#1F497D"
lang="SK">. </span><span style="color:#1F497D">Am
I right if I suppose that we are “Root Certificate
Issuer” and not only “Certificate Issuer”.</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D">Thanks.</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D">Regards</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D">Peter</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D"
lang="SK"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D"
lang="SK"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D"
lang="SK"> </span><o:p></o:p></p>
<p class="MsoNormal"><b>From:</b> Public <<a
href="mailto:public-bounces@cabforum.org"
moz-do-not-send="true">public-bounces@cabforum.org</a>>
<b>On Behalf Of </b>Kirk Hall via Public<br>
<b>Sent:</b> Saturday, June 30, 2018 12:26 AM<br>
<b>To:</b> Ben Wilson <<a
href="mailto:ben.wilson@digicert.com"
moz-do-not-send="true">ben.wilson@digicert.com</a>>;
CABFPub <<a href="mailto:public@cabforum.org"
moz-do-not-send="true">public@cabforum.org</a>><br>
<b>Subject:</b> Re: [cabfpub] New Server Certificate
Working Group<o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"><span lang="SK"> </span><o:p></o:p></p>
<p class="MsoNormal">Ben, on the wiki page you created, <u>can
you add a column</u> between the column “<span
style="background:white">Date of Declaration” and the
column “Date of Withdrawal” and label it “Type”. Then
maybe put on the page at the top a <u>guide to the
three types of Members and the one type of Associate
member</u>, something like this:</span><o:p></o:p></p>
<p class="MsoNormal"><span style="background:white"> </span><o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in"><span
style="background:white">Type</span><o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in"><span
style="background:white">1 = Certificate Issuer</span><o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in"><span
style="background:white">2 = Root Certificate Issuer</span><o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in"><span
style="background:white">3 = Certificate Consumer</span><o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in"><span
style="background:white">4 = Associate Member</span><o:p></o:p></p>
<p class="MsoNormal"><span style="background:white"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="background:white">We
probably should also <u>post these definitions</u> on
the wiki page from the Server Certificate Working Group
Charter to remind people what the terms mean.</span><o:p></o:p></p>
<p class="MsoNormal"><span style="background:white"> </span><o:p></o:p></p>
<p class="MsoNormal"
style="margin-left:.5in;text-autospace:none">(1)
Certificate Issuer: The member organization operates a
certification authority that has a current and successful
WebTrust for CAs audit, or ETSI TS 102042, ETSI 101456, or
ETSI EN 319 411-1 audit report prepared by a
properly-qualified auditor, and that actively issues
certificates to Web servers that are openly accessible
from the Internet, such certificates being treated as
valid when using a browser created by a Certificate
Consumer Member. Applicants that are not actively issuing
certificates but otherwise meet membership criteria may be
granted Associate Member status under Bylaw Sec. 3.1 for a
period of time to be designated by the Forum.<o:p></o:p></p>
<p class="MsoNormal"
style="margin-left:.5in;text-autospace:none"> <o:p></o:p></p>
<p class="MsoNormal"
style="margin-left:.5in;text-autospace:none">(2) Root
Certificate Issuer: The member organization operates a
certification authority that has a current and successful
WebTrust for CAs, or ETSI TS 102042, ETSI TS 101456, ETSI
EN 319 411-1 audit report prepared by a properly-qualified
auditor, and that actively issues certificates to
subordinate CAs that, in turn, actively issue certificates
to Web servers that are openly accessible from the
Internet, such certificates being treated as valid when
using a browser created by a Certificate Consumer Member.
Applicants that are not actively issuing certificates but
otherwise meet membership criteria may be granted
Associate Member status under Bylaw Sec. 3.1 for a period
of time to be designated by the Forum.<o:p></o:p></p>
<p class="MsoNormal"
style="margin-left:.5in;text-autospace:none"> <o:p></o:p></p>
<p class="MsoNormal"
style="margin-left:.5in;text-autospace:none">(3) A
Certificate Consumer can participate in this Working Group
if it produces a software product intended for use by the
general public for browsing the Web securely.<o:p></o:p></p>
<p class="MsoNormal"><span style="background:white"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D"> </span><o:p></o:p></p>
<div>
<div style="border:none;border-top:solid #E1E1E1
1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b>From:</b> Ben Wilson [<a
href="mailto:ben.wilson@digicert.com"
moz-do-not-send="true">mailto:ben.wilson@digicert.com</a>]
<br>
<b>Sent:</b> Friday, June 29, 2018 10:24 AM<br>
<b>To:</b> CABFPub <<a
href="mailto:public@cabforum.org"
moz-do-not-send="true">public@cabforum.org</a>><br>
<b>Cc:</b> Kirk Hall <<a
href="mailto:Kirk.Hall@entrustdatacard.com"
moz-do-not-send="true">Kirk.Hall@entrustdatacard.com</a>><br>
<b>Subject:</b> [EXTERNAL]New Server Certificate
Working Group<o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">Hi All,<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">As Kirk mentioned during the
teleconference call yesterday, we are in the process of
spinning up the Server Certificate Working Group and will
hold our first meeting on July 12. Kirk and I will be
sending out a more formal announcement of that meeting and
solicitation for participation. <o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">However, given that the new Bylaws come
into effect early next week, I felt it was important that
we start the transition before then. I propose that the
Forum’s mechanism for formally declaring participation in
the Server Certificate Working Group be that existing
members and interested parties (who have signed the
Agreement for IPR Policy v. 1.3) send an email to Kirk and
me, respectively as Chair and Vice-Chair of the WG, and
formally declare their participation in the WG. (I had
contemplated that everyone might send their email to the
public list, but I felt that all of those emails might
clutter your inboxes.) <o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">As a follow up task to this
declaration, I’d ask that CABF members list the name of
their organization here <a
href="https://clicktime.symantec.com/a/1/Z5iksn-Z4giqu5LXjtOy5lvv-EcA82NNDuGQ6LBS_LQ=?d=3adJVR-xxx3LyKCZllNXeplqsmDh9fveYqZ90S9BBWSvewMCMzf02pELaKa8sHkZkuLwTOBalO58w3476pC5A7Q-AXEdm9VLJKdxNeBjQ-NTqz4VKqvzKkC5aao_x3UtdMlYhokgsryTxy62NSrKDtPjUz1qyROMCu39wb778LFBSn6-sYD8JWxgCA7v9ghvSz7L6We0exflf_h2DE7JnXQhd3P1JpQmhCuznX_Ox_Vr_mg1M-TXFdAZKA5yFDXRWs3T0XoveJ2a76oqyaYxfz-XX485di2BsfXWNyMuewqQh8r-AEa53lWpXQFoHo7Jyu2e_RwvEALPPqnq7SoaRi9bkAzeNwT6pA2tMjyPBlq4y0D7wSyRLWml73Mp8DRqZ44h8ZSZcYYsGOff6r6dLkoW9Iirlg%3D%3D&u=https%3A%2F%2Fcabforum.org%2Fwiki%2FServer%2520Certificate%2520Working%2520Group"
moz-do-not-send="true">https://cabforum.org/wiki/Server%20Certificate%20Working%20Group</a>.
If you are an interested party, we will add your name as a
participant when we receive your email.<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">Also, everyone is welcome to subscribe
to the WG’s mailing list here - <a
href="https://clicktime.symantec.com/a/1/Y1n9kMENF1mFmHFkmnbIKEKsdovpFj7PQ_CxUuCUa3I=?d=3adJVR-xxx3LyKCZllNXeplqsmDh9fveYqZ90S9BBWSvewMCMzf02pELaKa8sHkZkuLwTOBalO58w3476pC5A7Q-AXEdm9VLJKdxNeBjQ-NTqz4VKqvzKkC5aao_x3UtdMlYhokgsryTxy62NSrKDtPjUz1qyROMCu39wb778LFBSn6-sYD8JWxgCA7v9ghvSz7L6We0exflf_h2DE7JnXQhd3P1JpQmhCuznX_Ox_Vr_mg1M-TXFdAZKA5yFDXRWs3T0XoveJ2a76oqyaYxfz-XX485di2BsfXWNyMuewqQh8r-AEa53lWpXQFoHo7Jyu2e_RwvEALPPqnq7SoaRi9bkAzeNwT6pA2tMjyPBlq4y0D7wSyRLWml73Mp8DRqZ44h8ZSZcYYsGOff6r6dLkoW9Iirlg%3D%3D&u=https%3A%2F%2Fcabforum.org%2Fmailman%2Flistinfo%2Fservercert-wg"
moz-do-not-send="true">https://cabforum.org/mailman/listinfo/servercert-wg</a>.
<o:p></o:p></p>
<p class="MsoNormalCxSpMiddle"
style="margin-bottom:8.0pt;mso-add-space:auto;line-height:105%"> <o:p></o:p></p>
<p class="MsoNormal">Thanks,<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">Ben<o:p></o:p></p>
<p class="MsoNormal"><br>
<br>
<br>
<o:p></o:p></p>
<pre>_______________________________________________<o:p></o:p></pre>
<pre>Public mailing list<o:p></o:p></pre>
<pre><a href="mailto:Public@cabforum.org" moz-do-not-send="true">Public@cabforum.org</a><o:p></o:p></pre>
<pre><a href="https://clicktime.symantec.com/a/1/Aj6tpOiWcYYPhDM4-TQA0N-pHeNYuhJUuXgmcPnG8HU=?d=3adJVR-xxx3LyKCZllNXeplqsmDh9fveYqZ90S9BBWSvewMCMzf02pELaKa8sHkZkuLwTOBalO58w3476pC5A7Q-AXEdm9VLJKdxNeBjQ-NTqz4VKqvzKkC5aao_x3UtdMlYhokgsryTxy62NSrKDtPjUz1qyROMCu39wb778LFBSn6-sYD8JWxgCA7v9ghvSz7L6We0exflf_h2DE7JnXQhd3P1JpQmhCuznX_Ox_Vr_mg1M-TXFdAZKA5yFDXRWs3T0XoveJ2a76oqyaYxfz-XX485di2BsfXWNyMuewqQh8r-AEa53lWpXQFoHo7Jyu2e_RwvEALPPqnq7SoaRi9bkAzeNwT6pA2tMjyPBlq4y0D7wSyRLWml73Mp8DRqZ44h8ZSZcYYsGOff6r6dLkoW9Iirlg%3D%3D&u=https%3A%2F%2Fcabforum.org%2Fmailman%2Flistinfo%2Fpublic" moz-do-not-send="true">https://cabforum.org/mailman/listinfo/public</a><o:p></o:p></pre>
</blockquote>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</div>
<!--'"--><br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
Public mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Public@cabforum.org">Public@cabforum.org</a>
<a class="moz-txt-link-freetext" href="https://cabforum.org/mailman/listinfo/public">https://cabforum.org/mailman/listinfo/public</a>
</pre>
</blockquote>
<br>
</body>
</html>