<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<br>
<br>
<div class="moz-cite-prefix">On 29/1/2019 7:18 p.m., Ryan Sleevi
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:CACvaWvYCiJxbsLXKas3-ZqAJDE1xNt_SENhK6QUDrrn5e=GU1g@mail.gmail.com">
<div><br>
</div>
<div>Your response seems to suggest that the bar is "Whatever is
enough to be trusted by a Certificate Consumer", which is the
suggestion I had made elsewhere, as it avoids the ambiguity of
the Forum interpreting and/or setting these guidelines, and
instead moves to a very objective model that we can use and that
can be extended if necessary.</div>
<div><br>
</div>
<div>You suggest it's an exception, but I think it bears repeated
reminding: As the Forum looks to undertake "new" work (in the
case of S/MIME or Code Signing), where there exist no objective
industry-accepted audit criteria, and instead a loose assortment,
which includes, but is not limited to, WebTrust for CAs, then I
think our definition of membership needs to evolve to reflect
that. We cannot take on this 'new' work without figuring out how
to include those either affected by or with value to contribute
to the discussions. The selection of "WebTrust for CAs" or
"ETSI" is merely a codification of existing SSL/TLS Certificate
Consumer practice, but it's not robust to handle that new work.</div>
<div><br>
</div>
<div>So, to again put the question back to you: Do you think
there's some property, beyond "accepted by a Certificate
Consumer", that you feel is essential for the Forum to capture
within its membership requirements?</div>
</blockquote>
<br>
I think I answered this in my last paragraph.<br>
<br>
<blockquote type="cite"
cite="mid:CACvaWvYCiJxbsLXKas3-ZqAJDE1xNt_SENhK6QUDrrn5e=GU1g@mail.gmail.com">
<div> </div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div bgcolor="#FFFFFF">
<blockquote type="cite">
<div dir="ltr">
<div class="gmail_quote">
<div>Then by this goal, I don't believe our current
membership criteria meet this. For example, a
qualified auditor is determined by... government
regulations in the case of ETSI. Does that mean we
should exclude ETSI audits from the scope? Or should
we allow CABs that are not accredited by the NABs?</div>
</div>
</div>
</blockquote>
<br>
This doesn't make a lot of sense. NABs are not Supervisory
Bodies. It's different. I was referring to government audit
schemes for CAs where a certain government unit audits a CA
under national criteria.
</div>
</blockquote>
<div><br>
</div>
<div>Yet the use of ETSI is still regulated.</div>
</blockquote>
<br>
Then we have different terminology for "regulation". In my
understanding and interpretation, a "regulation" is a "law" or
"obligation" that is mandated by local law in a local jurisdiction.
In the EU case, it could be a law or obligation mandated by a
Regulation voted by the European Council. NABs set their own rules
based on EA requirements and international standards.<br>
<br>
<blockquote type="cite"
cite="mid:CACvaWvYCiJxbsLXKas3-ZqAJDE1xNt_SENhK6QUDrrn5e=GU1g@mail.gmail.com">
<div> </div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div bgcolor="#FFFFFF">
<blockquote type="cite">
<div dir="ltr">
<div class="gmail_quote">
<div>I realize it may seem like I'm being difficult, but
I think there's a core piece missing, which is trying
to understand why it's important for some members to
exclude some other CAs that have had long-standing
operations. This is particularly relevant for the
discussion of the S/MIME charter, in which there is a
significant and extant set of 'trusted' certificates,
in a variety of software, that does not meet the
criteria for participation. They would be excluded
from participating in engaging or drafting the new
criteria, by virtue of the Forum membership criteria,
and I think that's something we should be thinking
very carefully about and articulating what properties
we expect of CAs and why.</div>
</div>
</div>
</blockquote>
<br>
IMHO we need audit requirements that have undergone enough
scrutiny and quality assurance. International standards like
ISO, WebTrust and ETSI have such a process which provides
better assurance for the audit outcome. That's my personal
view. We can always listen to other schemes and we would
welcome input from governments (as Interested Parties) if they
choose to participate. If these schemes became so useful and
comparable with existing international schemes, then the
S/MIME Working Group could decide to add those schemes in the
criteria for Membership and possibly in the produced
Guidelines.<br>
</div>
</blockquote>
<div><br>
</div>
<div>I'm trying to understand the /why/ you take that personal
view. I see no objective reasoning to support that. </div>
</blockquote>
<br>
I disagree that for S/MIME there is no set of existing rules. ETSI
EN 319 411-1 (scope LCP, NCP) and AFAIK WebTrust for CAs have been
used as attestations of adequate level of organizational/technical
controls for S/MIME, clientAuthentication and Code Signing
Certificates.<br>
<br>
The main reason I prefer using an international scheme is because it
is more carefully drafted, usually by experts in that area, and has
a good and internationally acceptable quality assurance. The
auditors themselves are assessed by peer reviews (WebTrust) or by
NABs (ETSI). Local laws and national regulations may not have
a similar quality level, but a lower one. Auditors are usually a government
agency. I consider the level of audit schemes in the Baseline
Requirements to be a good set of standards to start with because it
sets the bar pretty high from the very beginning. In any case, there
could be exceptions and there might be local laws and regulations
that are outstanding and may set the bar even higher. We should
accept everyone as Interested Parties (we do that already) and
collaborate to extend our set of audit criteria and audit schemes.<br>
<br>
Dimitris.<br>
</body>
</html>