<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class=""><div class=""></div><div class=""> <br class="">
<div><br class=""><blockquote type="cite" class=""><div class="">On 13 Mar 2020, at 17:21, Ryan Sleevi via Public <<a href="mailto:public@cabforum.org" class="">public@cabforum.org</a>> wrote:</div><br class="Apple-interchange-newline"><div class=""><div dir="ltr" style="caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none;" class="">Thanks Clint.<div class=""><br class=""></div><div class="">We still have a number of concerns, many of which have been captured in the minutes and, in past meetings, received commitment from DigiCert that these would be addressed.</div><div class=""><br class=""></div><div class="">To avoid circulating a bunch of Word docs around, it seems like a reasonable next step would the conversion to Markdown and having inline discussion.</div><div class=""><br class=""></div><div class="">Thematically, these elements include:</div><div class="">1) If natural or legal identity is included in scope, it's clearly indicated that work on such efforts will not begin until the successful adoption of standard controls on domain / email validation. 
For example, this was discussed at Thessaloniki and proposed by DigiCert - <a href="https://cabforum.org/2019/08/16/minutes-for-ca-browser-forum-f2f-meeting-47-thessaloniki-12-13-june-2019/" class="">https://cabforum.org/2019/08/16/minutes-for-ca-browser-forum-f2f-meeting-47-thessaloniki-12-13-june-2019/</a> as an alternative to the previous path that DigiCert had agreed to in Cupertino.</div><div class=""> - The solution for this needs to be a clear articulation of the priority of activities, and a commitment in charter that the identity work does not begin unless and until a common baseline has been delivered for email/domain validation</div><div class="">2) The removal of the government equivalent audit was something discussed in Cupertino - <a href="https://cabforum.org/2019/05/03/minutes-for-ca-browser-forum-f2f-meeting-46-cupertino-12-14-march-2019/" class="">https://cabforum.org/2019/05/03/minutes-for-ca-browser-forum-f2f-meeting-46-cupertino-12-14-march-2019/</a> - as being intentional to prevent unnecessary exclusion. 
For example, see the discussion regarding the US Federal PKI's approach</div><div class=""> - It looks like there was some concern about why this bullet existed, and its removal might have just been due to lack of context with the past discussions</div><div class="">3) The transition from "updates" to "support" misses much of the intent with Ballot 205 - <a href="https://cabforum.org/2017/07/06/ballot-205-membership-related-clarifications/" class="">https://cabforum.org/2017/07/06/ballot-205-membership-related-clarifications/</a> </div><div class=""> - It introduces a new issue, regarding "end of life", which potentially allows one to declare an "end of life" in 2038, and then cease all maintenance, while qualifying "support" as providing online documentation</div><div class=""> - Given that this document strives to be a living document of best practices, the intent in Ballot 205 and with the original (now stricken) language was to ensure that participants were invested in the success of the ecosystem. 
I'm not sure this proposed change adequately encourages this?</div><div class=""> - To be fair, this is somewhat mooted by the fact that if the Forum fails to be a useful venue for discussion, Root Programs can and will make and discuss changes through their existing Root Program policies, so it may be that this is perfectly fine, but just sets up that probability even greater</div><div class="">4) The use of "publicly trusted root" and "publicly trusted" certificate are ill-defined</div><div class=""> - We know and have seen repeatedly the concerns and confusion this causes in the SCWG</div><div class=""> - Any attempt to tie this back to Certificate Consumer is just going to create a circular dependency</div><div class=""> - The SMCWG's scope is to create a common set of minimum guidelines which can be used by Certificate Consumers in evaluating Certificate Issuers, such as by Certificate Issuers incorporating these guidelines into their CP/CPS and through the use of audits which derive auditable criteria that evaluate against such guidelines</div><div class=""><br class=""></div><div class="">These are just a small sampling of some of the issues we've discussed in the past. I appreciate the energy towards getting this out, and I'm glad to see that progress is being made in actually updating these to reflect discussions, but despite the amount of time that's passed since we first began discussing, there are still many core, systemic issues to work through, and still ample feedback that has been provided in good faith that has been committed to be integrated, but not yet integrated. 
I don't mean that as a criticism for Apple's many welcome improvements, merely that we should continue with this enthusiasm to update, while making sure we're not overlooking things.</div><div class=""><br class=""></div></div><br style="caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none;" class=""><div class="gmail_quote" style="caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none;"><div dir="ltr" class="gmail_attr">On Thu, Mar 12, 2020 at 11:07 AM Clint Wilson <<a href="mailto:clintw@apple.com" class="">clintw@apple.com</a>> wrote:<br class=""></div><blockquote class="gmail_quote" style="margin: 0px 0px 0px 0.8ex; border-left-width: 1px; border-left-style: solid; border-left-color: rgb(204, 204, 204); padding-left: 1ex;"><div style="overflow-wrap: break-word;" class="">Sure thing, here’s a Word formatted version :)<div class=""><br class=""></div><div class=""></div></div><div style="overflow-wrap: break-word;" class=""><div class=""><br class=""><div class=""><br class=""><blockquote type="cite" class=""><div class="">On Mar 12, 2020, at 8:05 AM, Ryan Sleevi <<a href="mailto:sleevi@google.com" target="_blank" class="">sleevi@google.com</a>> wrote:</div><br class=""><div class=""><div dir="ltr" class="">Hey Clint,<div class=""><br class=""></div><div class="">Is it possible to convert that file to a standard format? 
I'm having trouble opening it </div></div><br class=""><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Wed, Mar 11, 2020 at 10:30 PM Clint Wilson <<a href="mailto:clintw@apple.com" target="_blank" class="">clintw@apple.com</a>> wrote:<br class=""></div><blockquote class="gmail_quote" style="margin: 0px 0px 0px 0.8ex; border-left-width: 1px; border-left-style: solid; border-left-color: rgb(204, 204, 204); padding-left: 1ex;"><div class="">Hello all,<div class=""><br class=""></div><div class="">I’ve attached below an updated draft charter which addresses the concerns I raised previously, especially with regards to section 4.2.3. There are additionally changes seeking to address Tim and Ryan’s comments/responses below and a few minor updates that seemed warranted as I went through another comprehensive review of the document. For each area changed, there is a corresponding comment; if anything is unclear, please let me know and I’d be happy to address.</div><div class=""><br class=""></div><div class="">Thank you for your patience and understanding in getting this back to the group. 
Have a great evening!</div><div class="">-Clint</div><div class=""><br class=""></div><div class=""></div></div><div class=""><div class=""><br class=""><div class=""><br class=""><blockquote type="cite" class=""><div class="">On Feb 18, 2020, at 1:57 PM, Ryan Sleevi via Public <<a href="mailto:public@cabforum.org" target="_blank" class="">public@cabforum.org</a>> wrote:</div><br class=""><div class=""><div dir="ltr" class=""><div dir="ltr" class=""><br class=""></div><br class=""><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Tue, Feb 18, 2020 at 1:57 PM Tim Hollebeek via Public <<a href="mailto:public@cabforum.org" target="_blank" class="">public@cabforum.org</a>> wrote:<br class=""></div><blockquote class="gmail_quote" style="margin: 0px 0px 0px 0.8ex; border-left-width: 1px; border-left-style: solid; border-left-color: rgb(204, 204, 204); padding-left: 1ex;"><div lang="EN-US" class=""><div class=""><div class=""><div class=""><ul type="disc" class=""><li class="MsoNormal"><span class="">Automatic cessation of membership</span><u class=""></u><u class=""></u></li></ul><ul type="disc" class=""><ul type="circle" class=""><li class="MsoNormal"><span class="">The balloted wording around software update cadences introduces some precision/definition issues that would likely prove troublesome in and of themselves.</span><u class=""></u><u class=""></u></li><li class="MsoNormal"><span class="">While some of those issues could be addressed through wordsmithing, the entire precept that membership may be automatically removed based on various conditions (both for Certificate Consumers <i class="">and</i> Issuers) is itself problematic and I think an area rife for improvement (both here and in other charters).</span><u class=""></u><u class=""></u></li></ul></ul><p class="MsoNormal"><span style="color: red;" class="">REJECT: The language is consistent with the language in the other working group charters. 
Introducing new inconsistencies in this charter would be confusing for all involved. If Apple believes these provisions are problematic, potential improvements should be discussed and applied across all chartered working groups.</span></p></div></div></div></div></blockquote><div class=""><br class=""></div><div class="">I'm not quite sure I understand this rationale, could you explain more?</div><div class=""><br class=""></div><div class="">Why does this charter need to follow the SCWG/CSWG charter? Who is "all involved" that would be confused?</div><div class=""><br class=""></div><div class="">It seems very valuable to learn from mistakes and concerns and address them, but perhaps I'm overlooking something?</div><div class=""> </div><blockquote class="gmail_quote" style="margin: 0px 0px 0px 0.8ex; border-left-width: 1px; border-left-style: solid; border-left-color: rgb(204, 204, 204); padding-left: 1ex;"><div lang="EN-US" class=""><div class=""><div class=""><ul type="disc" class=""><li class="MsoNormal">Invalid membership requirements/processes<u class=""></u><u class=""></u></li></ul><ul type="disc" class=""><ul type="circle" class=""><li class="MsoNormal">I think Ryan Sleevi has explained most of this better than I could, so I’ll refer to his message instead: <a href="https://cabforum.org/pipermail/public/2020-February/014874.html" target="_blank" class="">https://cabforum.org/pipermail/public/2020-February/014874.html</a>.<u class=""></u><u class=""></u></li><li class="MsoNormal">I looked, but failed to find information as to how mail transfer agents consume S/MIME certificates. 
However, since it’s included in the ballot I can only conclude that the proposer has relevant and detailed insight into how and why this is a valid categorization for Certificate Consumers and had hoped to be pointed to that information so as to better understand the scope of this proposed CWG.<u class=""></u><u class=""></u></li></ul></ul><p class="MsoNormal"><span style="color: red;" class="">REJECT: This was discussed extensively during the governance reform process, and the current procedures were deemed to be sufficient. This charter simply follows those precedents. Indeed, two other chartered working groups were successfully bootstrapped already.</span></p></div></div></div></blockquote><div class=""><br class=""></div><div class="">I understand one group was the Code Signing Working Group, which perhaps did not have careful or close review from all Forum members due to the explicit lack of intent to participate in the venue or fundamental disagreements about the working group objectives.</div><div class=""><br class=""></div><div class="">However, I'm not sure, what's the other Chartered Working Group you're thinking of? The SCWG explicitly did not follow this process, as part of the Legacy Working Group transition, and so I'm not sure what the other CWG is that avoided this?</div><div class=""><br class=""></div><div class="">Also, while I agree that this was discussed extensively, I must respectfully disagree that the "current procedures were deemed to be sufficient". The current (proposed) procedures were known to be problematic in bootstrapping, something we discussed, and something we knew we could avoid by defining an open and welcoming charter. This WG does not seem to set out to do this.</div><div class=""><br class=""></div><div class="">In all fairness, this seems a repeat of the same issues that bedeviled, and nearly derailed, the Forum in its first start. 
The attempt to exclude some CAs, via narrowly and restrictively scoped membership, nearly resulted in the implosion of the Forum, as the management@ archives from 2009 show. Ultimately, it was the Forum's rejection of such exclusionary attempts that helped grow the membership. In particular, it was DigiCert who some were trying to prevent from joining the Forum, so it would be unfortunate to have DigiCert repeat that same process.</div><div class=""><br class=""></div><div class="">I'm hoping you're open to addressing these issues, but I don't think we can support the charter without this issue being addressed.</div></div></div>_______________________________________________<br class="">Public mailing list<br class=""><a href="mailto:Public@cabforum.org" target="_blank" class="">Public@cabforum.org</a><br class=""><a href="https://cabforum.org/mailman/listinfo/public" target="_blank" class="">https://cabforum.org/mailman/listinfo/public</a><br class=""></div></blockquote></div><br class=""></div></div></blockquote></div></div></blockquote></div><br class=""></div></div></blockquote></div><span style="caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none; float: none; display: inline !important;" class="">_______________________________________________</span><br style="caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none;" class=""><span style="caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; 
font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none; float: none; display: inline !important;" class="">Public mailing list</span><br style="caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none;" class=""><a href="mailto:Public@cabforum.org" style="font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px;" class="">Public@cabforum.org</a><br style="caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none;" class=""><a href="https://cabforum.org/mailman/listinfo/public" style="font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px;" class="">https://cabforum.org/mailman/listinfo/public</a></div></blockquote></div><br class=""></div></body></html>