<div dir="ltr"><div dir="ltr"><br></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Tue, Jan 29, 2019 at 12:11 PM Dimitris Zacharopoulos <<a href="mailto:jimmy@it.auth.gr">jimmy@it.auth.gr</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div bgcolor="#FFFFFF">
<br>
<br>
<div class="gmail-m_5411793680582687473moz-cite-prefix">On 29/1/2019 4:56 PM, Ryan Sleevi
wrote:</div><blockquote type="cite">
<div dir="ltr">
<div class="gmail_quote">
<div>This isn't theoretical; at least one CA member provides
such audits, as they use such a third-party datacenter. If
the datacenter provided just their report, would they
qualify? If they don't, then what is the property that we're
trying to achieve, and why, so that we can do it?</div>
</div>
</div>
</blockquote>
<br>
Would this WebTrust for CAs audit report be sufficient for
acceptance in a Root Program? I don't think so. All these years,
CA/B Forum Members have been accepted by providing WebTrust for CAs
and ETSI reports that include core PKI procedures. What you describe
is probably an exception and we can decide how to handle this
exception if in fact we ever receive an application for
participation in a WG with a WebTrust for CAs audit report scoping
just the physical security of a Datacenter. I hope that CA had
other WebTrust for CAs reports for their other operations.<br></div></blockquote><div><br></div><div>Unfortunately, this doesn't really answer the question posed, and doesn't move us closer to understanding.</div><div><br></div><div>Your response seems to suggest that the bar is "Whatever is enough to be trusted by a Certificate Consumer", which is the suggestion I had made elsewhere, as it avoids the ambiguity of the Forum interpreting and/or setting these guidelines, and instead moves to a very objective model that we can use and that can be extended if necessary.</div><div><br></div><div>You suggest it's an exception, but I think it bears repeated reminding: As the Forum looks to undertake "new" work (in the case of S/MIME or Code Signing), where there exist no objective industry-accepted audit criteria, and instead a loose assortment, which includes, but is not limited to, WebTrust for CAs, then I think our definition of membership needs to evolve to reflect that. We cannot take on this 'new' work without figuring out how to include those either affected by or with value to contribute to the discussions. The selection of "WebTrust for CAs" or "ETSI" is merely a codification of existing SSL/TLS Certificate Consumer practice, but it's not robust to handle that new work.</div><div><br></div><div>So, to again put the question back to you: Do you think there's some property, beyond "accepted by a Certificate Consumer", that you feel is essential for the Forum to capture within its membership requirements?</div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div bgcolor="#FFFFFF"><blockquote type="cite"><div dir="ltr"><div class="gmail_quote">
<div>Then by this goal, I don't believe our current membership
criteria meet this. For example, a qualified auditor is
determined by... government regulations in the case of ETSI.
Does that mean we should exclude ETSI audits from the scope?
Or should we allow CABs that are not accredited by the NABs?</div>
</div>
</div>
</blockquote>
<br>
This doesn't make a lot of sense. NABs are not Supervisory Bodies.
It's different. I was referring to government audit schemes for CAs
where a certain government unit audits a CA under national criteria.
</div></blockquote><div><br></div><div>Yet the use of ETSI is still regulated.</div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div bgcolor="#FFFFFF"><blockquote type="cite"><div dir="ltr"><div class="gmail_quote"><div>I realize it may seem like I'm being difficult, but I
think there's a core piece missing, which is trying to
understand why it's important for some members to exclude
some other CAs that have had long-standing operations. This
is particularly relevant for the discussion of the S/MIME
charter, in which there is a significant and extant set of
'trusted' certificates, in a variety of software, that does
not meet the criteria for participation. They would be
excluded from participating in engaging or drafting the new
criteria, by virtue of the Forum membership criteria, and I
think that's something we should be thinking very carefully
about and articulating what properties we expect of CAs and
why.</div>
</div>
</div>
</blockquote>
<br>
IMHO we need audit requirements that have undergone enough scrutiny
and quality assurance. International standards like ISO, WebTrust
and ETSI have such a process which provides better assurance for the
audit outcome. That's my personal view. We can always listen to
other schemes and we would welcome input from governments (as
Interested Parties) if they choose to participate. If these schemes
became so useful and comparable with existing international schemes,
then the S/MIME Working Group could decide to add those schemes in
the criteria for Membership and possibly in the produced Guidelines.<br></div></blockquote><div><br></div><div>I'm trying to understand the /why/ you take that personal view. I see no objective reasoning to support that. </div></div></div>