<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<br>
<br>
<div class="moz-cite-prefix">On 30/1/2019 5:59 PM, Ryan Sleevi
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:CACvaWvZLL=9jGP-qzvX1pb-=x2k0ghThR6By4UrBFD+MuzWk7g@mail.gmail.com">
<div dir="ltr">
<div dir="ltr"><br>
</div>
<br>
</div>
</blockquote>
[...]<br>
<blockquote type="cite"
cite="mid:CACvaWvZLL=9jGP-qzvX1pb-=x2k0ghThR6By4UrBFD+MuzWk7g@mail.gmail.com">
<div dir="ltr">
<div class="gmail_quote">
<div><br>
</div>
<div>The goal of a WG - S/MIME or Code Signing - is not to
produce something that CAs like or even agree with. It's to
produce a set of criteria that reflect the participating
Certificate Consumers' needs, so that they can then require
it for participation in their Root Programs. If the
requirements do not meet their needs, such Consumers can
choose not to require them. Similarly, such Consumers can
impose their own requirements above and beyond. In both
situations, it seems extremely valuable to support as
diverse and varied as possible a set of participants, to
provide feedback for Certificate Consumers in developing and
imposing requirements for their programs. I don't see how
the possession of a WebTrust for CAs audit, over, say,
participation in the US Federal PKI, fundamentally improves
the quality of discourse or feedback. This is especially
true if the consequence of developing and imposing such
standards may result in presently-accepted Certificate
Consumers being excluded from participation in the
future - that's all the more reason to want to ensure their
views and voices are consistently and equally represented.</div>
</div>
</div>
</blockquote>
<br>
I think I mentioned this already that the WG should and will be open
to Interested Parties bringing new and improved ideas for the
development of S/MIME guidelines and if they come from a particular
audit scheme that is currently unknown but otherwise meets the same
level of our "known" audit schemes, I don't believe the WG would
have a problem expanding the list of acceptable audit schemes for
Certificate Issuers.<br>
<br>
If we go back to some <a moz-do-not-send="true"
href="https://cabforum.org/wp-content/uploads/BRv1.2.5.pdf">old
Baseline Requirements</a>, there were more audit schemes allowed:<br>
<br>
"A scheme that audits conformance to ISO 21188:2006; or <br>
4. If a Government CA is required by its Certificate Policy to use a
different internal audit scheme, it MAY use such scheme provided
that the audit either (a) encompasses all requirements of one of the
above schemes or (b) consists of comparable criteria that are
available for public review. <br>
<br>
Whichever scheme is chosen, it MUST incorporate periodic monitoring
and/or accountability procedures to ensure that its audits continue
to be conducted in accordance with the requirements of the scheme.
<br>
<br>
The audit MUST be conducted by a Qualified Auditor, as specified in
Section 17.6."<br>
<br>
Why were these audit schemes dismissed? The CA/B Forum was working
with Code Signing at the time and developed EV Code Signing
Guidelines. At the same time, the CA/B Forum's Bylaws never had
these other schemes allowed, even from <a moz-do-not-send="true"
href="https://cabforum.org/wp-content/uploads/CA-Browser-Forum-Bylaws-v.-1.0-Ballot-98.pdf">the
very beginning</a>.<br>
<br>
I'm afraid I don't have anything new to add for this issue and will
happily let others state their opinion, especially members who were
engaged from the beginning and can probably better explain why
there were different audit criteria in the guidelines and different
for CA/B Forum participation.<br>
<br>
<br>
Dimitris.<br>
<br>
</body>
</html>