[cabf_governance] [EXTERNAL]Re: Two topics for next Governance Change WG meeting

Kirk Hall Kirk.Hall at entrustdatacard.com
Fri Aug 31 13:55:35 MST 2018


The SCWG Charter already sets a membership requirement for the audits we are discussing – see text below.  Why do we also need to repeat that in Bylaw 2.1 for Forum membership?

Seems the easiest fix is just to change Bylaw 2.1(a) to say “All members of Working Groups created under Bylaw 5.3 shall automatically be members of the Forum.”  That would work no matter what audits are required by future WGs.

[SCWG] Members eligible to participate: The Working Group shall consist of two classes of voting members, the Certificate Issuers and the Certificate Consumers. The CA Class shall consist of eligible Certificate Issuers and Root Certificate Issuers meeting the following criteria:

(1) Certificate Issuer: The member organization operates a certification authority that has a current and successful WebTrust for CAs audit, or ETSI TS 102042, ETSI 101456, or ETSI EN 319 411-1 audit report prepared by a properly-qualified auditor, and that actively issues certificates to Web servers that are openly accessible from the Internet, such certificates being treated as valid when using a browser created by a Certificate Consumer Member. Applicants that are not actively issuing certificates but otherwise meet membership criteria may be granted Associate Member status under Bylaw Sec. 3.1 for a period of time to be designated by the Forum.

(2) Root Certificate Issuer: The member organization operates a certification authority that has a current and successful WebTrust for CAs, or ETSI TS 102042, ETSI TS 101456, ETSI EN 319 411-1 audit report prepared by a properly-qualified auditor, and that actively issues certificates to subordinate CAs that, in turn, actively issue certificates to Web servers that are openly accessible from the Internet, such certificates being treated as valid when using a browser created by a Certificate Consumer Member. Applicants that are not actively issuing certificates but otherwise meet membership criteria may be granted Associate Member status under Bylaw Sec. 3.1 for a period of time to be designated by the Forum.

(3) A Certificate Consumer can participate in this Working Group if it produces a software product intended for use by the general public for browsing the Web securely.

The Working Group shall include Interested Parties and Associate Members as defined in the Bylaws.

From: Jos Purvis (jopurvis) [mailto:jopurvis at cisco.com]
Sent: Friday, August 31, 2018 12:49 PM
To: Tim Hollebeek <tim.hollebeek at digicert.com>; CA/Browser Forum Governance WG List <govreform at cabforum.org>; Kirk Hall <Kirk.Hall at entrustdatacard.com>; Dimitris Zacharopoulos <jimmy at it.auth.gr>; Virginia Fournier <vfournier at apple.com>
Subject: Re: [cabf_governance] [EXTERNAL]Re: Two topics for next Governance Change WG meeting

I don’t know that we’d even have to expand things unless some new class of audit became available. Currently, the requirement is a valid WebTrust for CAs audit (not the SSL Baseline audit, a plain-vanilla WebTrust) or its ETSI equivalent which, as Dimitris points out, is a flexible enough audit standard to apply to just about any kind of certificate producer. We have WebTrust audits around a couple of our device identity CAs producing IEEE 802.13AR SUDI certs, so it’s a pretty flexible standard. I would also say that—especially with the latest update and with a good auditor—it’s a good baseline for the professional operation of any sort of CA, so it makes a reasonable prerequisite for overall Forum membership.

Beyond that, the Forum rules require that the CA’s certificates be considered valid “by a Certificate Consumer Member”, which is where we might run into a bit of an issue with new, odd certificate types. If we wanted to stand up a working group for a new type of cert not currently handled by any of the current Certificate Consumer Members, we would need to add at least one Certificate Consumer Member to the new working group first, or else no one who wasn’t already a member for something else could join. That’s a pretty specific error case though, so I think we’d be OK to continue with the current rules as they stand.

--Jos

-- 
Jos Purvis (jopurvis at cisco.com)
.:|:.:|:. cisco systems  | Cryptographic Services
PGP: 0xFD802FEE07D19105  | +1 919.991.9114 (desk)

From: Govreform <govreform-bounces at cabforum.org> on behalf of CA/BF Governance Reform List <govreform at cabforum.org>
Reply-To: Tim Hollebeek <tim.hollebeek at digicert.com>, CA/BF Governance Reform List <govreform at cabforum.org>
Date: Friday, 31 August, 2018 at 15:14
To: Kirk Hall <Kirk.Hall at entrustdatacard.com>, Dimitris Zacharopoulos <jimmy at it.auth.gr>, CA/BF Governance Reform List <govreform at cabforum.org>, Virginia Fournier <vfournier at apple.com>
Subject: Re: [cabf_governance] [EXTERNAL]Re: Two topics for next Governance Change WG meeting

Well, the Forum membership being the union of the Working Group memberships was certainly the intent from the very beginning of the governance reform effort, so we should probably try to preserve that when creating new WGs.

I think it’s more likely that the list of acceptable audits will expand, rather than having WGs that allow unaudited CAs.  For example, I don’t have a hard time imagining adding “WebTrust for S/MIME” as an acceptable audit standard at the forum level, if it existed and we were adding an S/MIME WG that required it for Certificate Issuers.  Also, WebTrust audits are sometimes relied upon for non-TLS stuff, just because of the lack of alternative mature audit schemes.  So a non-TLS WG might very well require WebTrust or equivalent for its Certificate Issuers.

It’s also possible to change the Forum level audits to be generic CA/TSP audits, with audits for more specific use cases required for membership in various WGs (this would require fewer Bylaw changes as WGs are added).  I believe the ETSI audit standards are already set up to support such a scheme.

-Tim

From: Kirk Hall <Kirk.Hall at entrustdatacard.com>
Sent: Friday, August 31, 2018 6:09 PM
To: Tim Hollebeek <tim.hollebeek at digicert.com>; Dimitris Zacharopoulos <jimmy at it.auth.gr>; CA/Browser Forum Governance WG List <govreform at cabforum.org>; Virginia Fournier <vfournier at apple.com>
Subject: RE: [cabf_governance] [EXTERNAL]Re: Two topics for next Governance Change WG meeting

In the end, I’m happy to wait until we create new WGs to see if we need to make changes to the Bylaws on who is a member of the Forum.

If it turns out that 100% of cert issuing parties who join the new WGs must have the WebTrust and ETSI audits listed in Bylaw 2.1, then I guess there is no problem – but I’m not convinced that will be the case.  And I have heard several people say that “everyone who is on a WG will automatically be a member of the Forum”, and I’m not convinced that will be the case.  If there is a WG that does NOT require the listed WebTrust and ETSI audits, then the Cert Issuers and Cert Consumers on that WG will not be eligible to be members of the Forum or vote on Forum matters.

But we can wait to see.

From: Tim Hollebeek [mailto:tim.hollebeek at digicert.com]
Sent: Friday, August 31, 2018 2:06 AM
To: Dimitris Zacharopoulos <jimmy at it.auth.gr>; CA/Browser Forum Governance WG List <govreform at cabforum.org>; Virginia Fournier <vfournier at apple.com>; Kirk Hall <Kirk.Hall at entrustdatacard.com>
Subject: RE: [cabf_governance] [EXTERNAL]Re: Two topics for next Governance Change WG meeting

I agree with Dimitris.  The requirement to have an audit in order to be a Certificate Issuer was intentional, and WebTrust/ETSI are the audits that we currently recognize.  We discussed that issue several times during the governance reform process.

Whether a Certificate Issuer issues TLS certificates or not is not relevant at the Forum level.  I really wish that people who didn’t participate in the Governance Reform working group wouldn’t keep suggesting novel interpretations of the Bylaws that have no basis in the text of the Bylaws.

A CA that has a WebTrust or ETSI audit, and participates in a future hypothetical CWG, but does not issue TLS certificates, is clearly a Certificate Issuer at the Forum level with current Bylaws, since the Bylaws only reference issuing end-entity certificates, not TLS certificates.

-Tim

From: Govreform <govreform-bounces at cabforum.org> On Behalf Of Dimitris Zacharopoulos via Govreform
Sent: Friday, August 31, 2018 9:50 AM
To: Virginia Fournier <vfournier at apple.com>; CA/Browser Forum Governance WG List <govreform at cabforum.org>; Kirk Hall <Kirk.Hall at entrustdatacard.com>
Subject: Re: [cabf_governance] [EXTERNAL]Re: Two topics for next Governance Change WG meeting

On 31/8/2018 2:25 AM, Virginia Fournier via Govreform wrote:

This will need more discussion.  We’ll need everyone to be members at the Forum (not SCWG) level so they’ll be bound by the Bylaws, IPR Policy, etc.

Best regards,

Virginia Fournier
Senior Standards Counsel
Apple Inc.
☏ 669-227-9595
✉︎ vmf at apple.com

On Aug 30, 2018, at 2:43 PM, Kirk Hall <Kirk.Hall at entrustdatacard.com> wrote:

Virginia – our current Bylaws restrict certificate issuers to entities with WebTrust for CA or similar ETSI audits that issue certificates, and certificate consumers that rely on certificates.  Based on that wording, I think only CAs that issue SSL/TLS server certificates (with WT or ETSI audits) and browsers that rely on SSL/TLS server certificates qualify.  We could have a new IoT Device Working Group, S/MIME Certificate Working Group, or other new WGs where the “CA” members don’t have WebTrust/ETSI audits, and their “browser” members may not require such audits.  So they wouldn’t be CABF Members under our current Bylaws.  I think we need a change in the Bylaws if the intention was that all WG members were automatically Forum members with a vote.

Kirk, this is not an entirely accurate description of ETSI or WT, as far as I understand.

The certifications called out in 2.1(a) are not limited to SSL/TLS server certificates. They may be used for "Certificate Issuers" that issue S/MIME, Code Signing, Digital Signature Certificates, Client Authentication and others. I don't think we need to make any amendments on the "Certificate Issuer" part, except for the improvement regarding the audit criteria versions that we've already discussed and is pending to enter a ballot.

The description of "Certificate Consumers" is also inclusive for non-browser members, as long as they produce a software product intended for use by the general public for relying upon certificates. The only controversial spot that might be worth discussing is 2.2(a), items 2 and 3:

"A Certificate Consumer Member's membership will automatically cease if any of the following become true:

1. it is not a member of any CWG;
2. it stops providing updates for its membership-qualifying software product;
3. six months have elapsed since the last such published update."

There might be Certificate Consumers in certain business areas that don't update their software product every six months.

Dimitris.

From: vfournier at apple.com [mailto:vfournier at apple.com]
Sent: Thursday, August 30, 2018 11:55 AM
To: Ryan Sleevi <sleevi at google.com>; Kirk Hall <Kirk.Hall at entrustdatacard.com>
Cc: CA/Browser Forum Governance WG List <govreform at cabforum.org>
Subject: [EXTERNAL]Re: [cabf_governance] Two topics for next Governance Change WG meeting

On Aug 30, 2018, at 7:28 AM, Ryan Sleevi via Govreform <govreform at cabforum.org> wrote:

On Thu, Aug 30, 2018 at 9:36 AM Kirk Hall via Govreform <govreform at cabforum.org> wrote:

Here are two issues for the Governance WG to discuss:

1. Move forward with Ballot Forum-2 – extending terms of CABF Chair and Vice Chair

2. Consider revising Bylaw 2.1 (Forum Membership requirements) and Bylaw 2.3(f) (voting rules).  As I understand it, the intent was that ALL members of ALL new Working Groups would automatically be Members of the Forum, and ALL would have an equal vote on votes at the Forum level.  Is that correct?

I don't believe so.

VMF:  All members of all WGs will also be members of the Forum.  There was no intent to change the voting structure.  There are still the Certificate Issuers/Certificate Consumers categories, with the same approval thresholds.

That’s not how Bylaws 2.1 and 2.3 read – they only allow CAs and Browsers to be Forum members, and they still show voting at the Forum level limited to CAs and Browsers (2/3 vote, 51% vote).  We did move these same rules to the SCWG level – that makes sense – but if we create new WGs with non-CA/non-browser members, they won’t be able to participate at the Forum level.

Well, browsers, mail clients, other certificate consumers. It's a broader category than just the SCWG's notion of browser.

VMF:  Each WG can set its own voting rules in its charter.  This in no way affects the voting structure at the Forum level.

So we should (a) change those Bylaws at the Forum level (“any Member of a WG is automatically a Member of the Forum, and all votes equal at the Forum level”), and also (b) add the current voting rules to the SCWG charter (there are no voting rules there).

VMF:  No, this is not what was intended.

******

Bylaw 2.1 Qualifying for Forum Membership

(a) All Forum members must participate in at least one CWG (as defined in Section 5.3.1 below), and meet at least one of the following criteria:

(1) Certificate Issuer: The member organization operates a certification authority that has a current and successful WebTrust for CAs audit or ETSI EN 319 411-1 or ETSI TS 102 042 or ETSI TS 101 456 audit report prepared by a properly-qualified auditor, is a member of a CWG, and that actively issues certificates to end entities, such certificates being treated as valid by a Certificate Consumer Member. Applicants that are not actively issuing certificates but otherwise meet membership criteria may be granted Associate Member status under Bylaw Sec. 3.1 for a period of time to be designated by the Forum.

(2) Root Certificate Issuer: The member organization operates a certification authority that has a current and successful WebTrust for CAs, or ETSI EN 319 411-1 or ETSI TS 102 042 or ETSI TS 101 456 audit report prepared by a properly-qualified auditor, is a member of a CWG, and that issues certificates to subordinate CAs that, in turn, actively issue certificates to end entities such certificates being treated as valid by a Certificate Consumer Member. Applicants that are not actively issuing certificates but otherwise meet membership criteria may be granted Associate Member status under Bylaw Section 3.1 for a period of time to be designated by the Forum.

(3) Certificate Consumer: The member organization produces a software product, such as a browser, intended for use by the general public for relying upon certificates and is a member of a CWG.

2.3 General Provisions Applicable to all Ballots

The following rules will apply to all ballots, including Draft Guideline Ballots (defined in Section 2.4).

(f) Members fall into two categories: Certificate Issuers (including Certificate Issuers and Root Certificate Issuers), as defined in Section 2.1(a)(1) and (2) and Certificate Consumers (as defined in Section 2.1(a)(3)). In order for a ballot to be adopted by the Forum, two-thirds or more of the votes cast by the Members in the Certificate Issuer category must be in favor of the ballot, and at least 50% plus one of the votes cast by the Members in the Certificate Consumer category must be in favor of the ballot. At least one Member in each category must vote in favor of a ballot for the ballot to be adopted.

_______________________________________________
Govreform mailing list
 <mailto:Govreform at cabforum.org> Govreform at cabforum.org
https://cabforum.org/mailman/listinfo/govreform
