[cabf_governance] Ballot to Approve Server Certificate Working Group Charter

Virginia Fournier vfournier at apple.com
Mon Aug 14 19:32:55 MST 2017


Hi Kirk,

Yes, all of the charter requirements should be included in the charter for clarity and so it complies with the new rules.  We should reference the charter in the ballot, and then attach it as Exhibit C to the ballot (if you’re including it with Ballot 206).  If it’s in a separate ballot, it would be Exhibit A. 


Best regards,

Virginia Fournier
Senior Standards Counsel
Apple Inc.
☏ 669-227-9595
✉︎ vmf at apple.com



On Aug 14, 2017, at 5:23 PM, Kirk Hall via Govreform <govreform at cabforum.org> wrote:

To help us move forward, here is a rough draft of a Ballot to create a Server Certificate Working Group to take over the substantive functions of the current Forum as to server certificate requirements.  To create this draft, I essentially cut and pasted from our current Bylaws and BR preambles, which are included below.  Please edit.
 
Do we have to specify membership requirements and voting rules, etc. in this charter as well?
 
We may want to include this initial charter in Ballot 206 so we can start work right away in our new WG once Ballot 206 passes.  Otherwise, we will have a new governance structure, but be unable to apply the structure to any new WG.
 
[draft] Ballot to Approve Server Certificate Working Group Charter
 
A Server Certificate Working Group is hereby created to perform the activities as specified in this Charter, subject to the terms and conditions of the CA/Browser Forum Bylaws and applicable Intellectual Property Rights Agreement, as such documents may be changed from time to time.  The Definitions of the Forum’s Baseline Requirements shall apply to defined terms in this Charter.
 
The authorized scope of the Server Certificate Working Group shall be as follows:
 
1. To define the guidelines and means of implementation for best practices for TLS server certificates used for authenticating servers accessible through the Internet as a way of providing a heightened security for Internet transactions and creating a more intuitive method of displaying secure sites to Internet users.
 
2. To specify Baseline Requirements, Extended Validation Guidelines, and other applicable requirements and guidelines to provide guidance and requirements for what a CA should include in its CPS.
 
3. To update such requirements and guidelines from time to time, in order to address both existing and emerging threats to online security.
 
4. To assume responsibility for the maintenance of and future amendments to the current CA/Browser Forum Baseline Requirements, Extended Validation Requirements, and Network and Certificate System Security Requirements.
 
5. To perform such other activities that are ancillary to the primary activities listed above.
 
The Server Certificate Working Group will not address certificates intended to be used for code signing, S/MIME, time-stamping, VoIP, IM, or Web services.  The Server Certificate Working Group will not address the issuance or management of certificates by enterprises that operate their own Public Key Infrastructure for internal purposes only, and for which the Root Certificate is not distributed by any Application Software Supplier.
 
[End of Ballot]
 
*****
 
Existing provisions of the Bylaws and BRs:
 
Bylaw 1.1 Purpose of the Forum:
 
The Certification Authority Browser Forum (CA/Browser Forum) is a voluntary gathering of leading certification authorities (CAs) and vendors of Internet browser software and other applications.
 
Members of the CA/Browser Forum have worked closely together in defining the guidelines and means of implementation for best practices as a way of providing a heightened security for Internet transactions and creating a more intuitive method of displaying secure sites to Internet users.
 
 
BR 1.1 OVERVIEW
 
This CP describes an integrated set of technologies, protocols, identity-proofing, lifecycle management, and auditing requirements that are necessary (but not sufficient) for the issuance and management of Publicly-Trusted Certificates; Certificates that are trusted by virtue of the fact that their corresponding Root Certificate is distributed in widely-available application software.  The requirements are not mandatory for Certification Authorities unless and until they become adopted and enforced by relying-party Application Software Suppliers.
 
Notice to Readers
 
The CP for the Issuance and Management of Publicly-Trusted Certificates describes a subset of the requirements that a Certification Authority must meet in order to issue Publicly Trusted Certificates.  This document serves two purposes:  to specify Baseline Requirements and to provide guidance and requirements for what a CA should include in its CPS.  Except where explicitly stated otherwise, these Requirements apply only to relevant events that occur on or after the Effective Date.
 
These Requirements do not address all of the issues relevant to the issuance and management of Publicly-Trusted Certificates.  In accordance with RFC 3647 and to facilitate a comparison of other certificate policies and CPSs (e.g. for policy mapping), this CP includes all sections of the RFC 3647 framework.  However, rather than beginning with a “no stipulation” comment in all empty sections, the CA/Browser Forum is leaving such sections initially blank until a decision of “no stipulation” is made.  The CA/Browser Forum may update these Requirements from time to time, in order to address both existing and emerging threats to online security.  In particular, it is expected that a future version will contain more formal and comprehensive audit requirements for delegated functions.
 
These Requirements only address Certificates intended to be used for authenticating servers accessible through the Internet.  Similar requirements for code signing, S/MIME, time-stamping, VoIP, IM, Web services, etc. may be covered in future versions.
 
These Requirements do not address the issuance, or management of Certificates by enterprises that operate their own Public Key Infrastructure for internal purposes only, and for which the Root Certificate is not distributed by any Application Software Supplier.
 
These Requirements are applicable to all Certification Authorities within a chain of trust. They are to be flowed down from the Root Certification Authority through successive Subordinate Certification Authorities.