[cabf_governance] [EXTERNAL]Re: Two topics for next Governance Change WG meeting

Ryan Sleevi sleevi at google.com
Fri Aug 31 13:58:40 MST 2018


Could you help me understand what problem you're trying to solve?

Isn't this best, and more meaningfully, addressed if and only if it becomes
an issue, with the broader discussion of the Forum?

Consider, for example, the Forum approving the creation of a WG with
membership requirement X, and then that new WG decides to restructure
itself to be membership requirement Y.

Put more explicitly: I do not believe any such work is necessary at this
time, and this matter is best addressed only if and when it becomes an
issue.

On Fri, Aug 31, 2018 at 4:55 PM Kirk Hall via Govreform <
govreform at cabforum.org> wrote:

> The SCWG Charter already sets a membership requirement for the audits we
> are discussing – see text below.  Why do we also need to repeat that in
> Bylaw 2.1 for Forum membership?
>
>
>
> Seems the easiest fix is just to change Bylaw 2.1(a) to say “All members
> of Working Groups created under Bylaw 5.3 shall automatically be members of
> the Forum.”  That would work no matter what audits are required by future
> WGs.
>
>
>
>
>
> *[SCWG] Members eligible to participate*: The Working Group shall consist
> of two classes of voting members, the Certificate Issuers and the
> Certificate Consumers. The CA Class shall consist of eligible Certificate
> Issuers and Root Certificate Issuers meeting the following criteria:
>
> (1) Certificate Issuer: The member organization operates a certification
> authority that has a current and successful WebTrust for CAs audit, or
> ETSI TS 102042, ETSI 101456, or ETSI EN 319 411-1 audit report prepared
> by a properly-qualified auditor, and that actively issues certificates to
> Web servers that are openly accessible from the Internet, such
> certificates being treated as valid when using a browser created by a
> Certificate Consumer Member. Applicants that are not actively issuing
> certificates but otherwise meet membership criteria may be granted
> Associate Member status under Bylaw Sec. 3.1 for a period of time to be
> designated by the Forum.
>
> (2) Root Certificate Issuer: The member organization operates a
> certification authority that has a current and successful WebTrust for
> CAs, or ETSI TS 102042, ETSI TS 101456, ETSI EN 319 411-1 audit report
> prepared by a properly-qualified auditor, and that actively issues
> certificates to subordinate CAs that, in turn, actively issue
> certificates to Web servers that are openly accessible from the Internet,
> such certificates being treated as valid when using a browser created by
> a Certificate Consumer Member. Applicants that are not actively issuing
> certificates but otherwise meet membership criteria may be granted
> Associate Member status under Bylaw Sec. 3.1 for a period of time to be
> designated by the Forum.
>
> (3) A Certificate Consumer can participate in this Working Group if it
> produces a software product intended for use by the general public for
> browsing the Web securely.
>
> The Working Group shall include Interested Parties and Associate Members
> as defined in the Bylaws.
>
> *From:* Jos Purvis (jopurvis) [mailto:jopurvis at cisco.com]
> *Sent:* Friday, August 31, 2018 12:49 PM
> *To:* Tim Hollebeek <tim.hollebeek at digicert.com>; CA/Browser Forum
> Governance WG List <govreform at cabforum.org>; Kirk Hall <
> Kirk.Hall at entrustdatacard.com>; Dimitris Zacharopoulos <jimmy at it.auth.gr>;
> Virginia Fournier <vfournier at apple.com>
> *Subject:* Re: [cabf_governance] [EXTERNAL]Re: Two topics for next
> Governance Change WG meeting
>
>
>
> I don’t know that we’d even have to expand things unless some new class of
> audit became available. Currently, the requirement is a valid WebTrust for
> CAs audit (not the SSL Baseline audit, a plain-vanilla WebTrust) or its
> ETSI equivalent which, as Dimitris points out, is a flexible enough audit
> standard to apply to just about any kind of certificate producer. We have
> WebTrust audits around a couple of our device identity CAs producing IEEE
> 802.13AR SUDI certs, so it’s a pretty flexible standard. I would also say
> that—especially with the latest update and with a good auditor—it’s a good
> baseline for the professional operation of any sort of CA, so it makes a
> reasonable prerequisite for overall Forum membership.
>
>
>
> Beyond that, the Forum rules require that the CA’s certificates be
> considered valid “by a Certificate Consumer Member”, which is where we
> might run into a bit of an issue with new, odd certificate types. If we
> wanted to stand up a working group for a new type of cert not currently
> handled by any of the current Certificate Consumer Members, we would need
> to add at least one Certificate Consumer Member to the new working group
> first, or else no one who wasn’t already a member for something else could
> join. That’s a pretty specific error case though, so I think we’d be OK to
> continue with the current rules as they stand.
>
>
>
>             --Jos
>
>
>
>
>
> --
> Jos Purvis (jopurvis at cisco.com)
> .:|:.:|:. cisco systems  | Cryptographic Services
> PGP: 0xFD802FEE07D19105  | +1 919.991.9114 (desk)
>
>
>
>
>
> *From: *Govreform <govreform-bounces at cabforum.org> on behalf of CA/BF
> Governance Reform List <govreform at cabforum.org>
> *Reply-To: *Tim Hollebeek <tim.hollebeek at digicert.com>, CA/BF Governance
> Reform List <govreform at cabforum.org>
> *Date: *Friday, 31 August, 2018 at 15:14
> *To: *Kirk Hall <Kirk.Hall at entrustdatacard.com>, Dimitris Zacharopoulos <
> jimmy at it.auth.gr>, CA/BF Governance Reform List <govreform at cabforum.org>,
> Virginia Fournier <vfournier at apple.com>
> *Subject: *Re: [cabf_governance] [EXTERNAL]Re: Two topics for next
> Governance Change WG meeting
>
>
>
> Well, the Forum membership being the union of the Working Group
> memberships was certainly the intent from the very beginning of the
> governance reform effort, so we should probably try to preserve that when
> creating new WGs.
>
>
>
> I think it’s more likely that the list of acceptable audits will expand,
> rather than having WGs that allow unaudited CAs.  For example, I don’t have
> a hard time imagining adding “WebTrust for S/MIME” as an acceptable audit
> standard at the forum level, if it existed and we were adding a S/MIME WG
> that required it for Certificate Issuers.  Also, WebTrust audits are
> sometimes relied upon for non-TLS stuff, just because of the lack of
> alternative mature audit schemes.  So a non-TLS WG might very well require
> WebTrust or equivalent for its Certificate Issuers.
>
>
>
> It’s also possible to change the Forum level audits to be generic CA/TSP
> audits, with audits for more specific use cases required for membership in
> various WGs (this would require fewer Bylaw changes as WGs are added).  I
> believe the ETSI audit standards are already set up to support such a
> scheme.
>
>
>
> -Tim
>
>
>
> *From:* Kirk Hall <Kirk.Hall at entrustdatacard.com>
> *Sent:* Friday, August 31, 2018 6:09 PM
> *To:* Tim Hollebeek <tim.hollebeek at digicert.com>; Dimitris Zacharopoulos <
> jimmy at it.auth.gr>; CA/Browser Forum Governance WG List <
> govreform at cabforum.org>; Virginia Fournier <vfournier at apple.com>
> *Subject:* RE: [cabf_governance] [EXTERNAL]Re: Two topics for next
> Governance Change WG meeting
>
>
>
> In the end, I’m happy to wait until we create new WGs to see if we need to
> make changes to the Bylaws on who is a member of the Forum.
>
>
>
> If it turns out that 100% of cert issuing parties who join the new WGs
> must have the WebTrust and ETSI audits listed in Bylaw 2.1, then I guess
> there is no problem – but I’m not convinced that will be the case.  And I
> have heard several people say that “everyone who is on a WG will
> automatically be a member of the Forum”, and I’m not convinced that will be
> the case.  If there is a WG that does NOT require the listed WebTrust and
> ETSI audits, then the Cert Issuers and Cert Consumers on that WG will not
> be eligible to be members of the Forum or vote on Forum matters.
>
>
>
> But we can wait to see.
>
>
>
> *From:* Tim Hollebeek [mailto:tim.hollebeek at digicert.com
> <tim.hollebeek at digicert.com>]
> *Sent:* Friday, August 31, 2018 2:06 AM
> *To:* Dimitris Zacharopoulos <jimmy at it.auth.gr>; CA/Browser Forum
> Governance WG List <govreform at cabforum.org>; Virginia Fournier <
> vfournier at apple.com>; Kirk Hall <Kirk.Hall at entrustdatacard.com>
> *Subject:* RE: [cabf_governance] [EXTERNAL]Re: Two topics for next
> Governance Change WG meeting
>
>
>
> I agree with Dimitris.  The requirement to have an audit in order to be a
> Certificate Issuer was intentional, and WebTrust/ETSI are the audits that
> we currently recognize.  We discussed that issue several times during the
> governance reform process.
>
>
>
> Whether a Certificate Issuer issues TLS certificates or not is not
> relevant at the Forum level.  I really wish that people who didn’t
> participate in the Governance Reform working group wouldn’t keep suggesting
> novel interpretations of the Bylaws that have no basis in the text of the
> Bylaws.
>
>
>
> A CA that has a WebTrust or ETSI audit, and participates in a future
> hypothetical CWG, but does not issue TLS certificates, is clearly a
> Certificate Issuer at the Forum level with current Bylaws, since the Bylaws
> only reference issuing end-entity certificates, not TLS certificates.
>
>
>
> -Tim
>
>
>
> *From:* Govreform <govreform-bounces at cabforum.org> *On Behalf Of *Dimitris
> Zacharopoulos via Govreform
> *Sent:* Friday, August 31, 2018 9:50 AM
> *To:* Virginia Fournier <vfournier at apple.com>; CA/Browser Forum
> Governance WG List <govreform at cabforum.org>; Kirk Hall <
> Kirk.Hall at entrustdatacard.com>
> *Subject:* Re: [cabf_governance] [EXTERNAL]Re: Two topics for next
> Governance Change WG meeting
>
>
>
> On 31/8/2018 2:25 AM, Virginia Fournier via Govreform wrote:
>
> This will need more discussion.  We’ll need everyone to be members at the
> Forum (not SCWG) level so they’ll be bound by the Bylaws, IPR Policy, etc.
>
>
>
>
>
> Best regards,
>
>
>
> Virginia Fournier
>
> Senior Standards Counsel
>
>  Apple Inc.
>
> ☏ 669-227-9595
>
> ✉︎ vmf at apple.com
>
>
>
>
>
>
>
> On Aug 30, 2018, at 2:43 PM, Kirk Hall <Kirk.Hall at entrustdatacard.com>
> wrote:
>
>
>
> Virginia – our current Bylaws restrict certificate issuers to entities
> with WebTrust for CA or similar ETSI audits that issue certificates, and
> certificate consumers that rely on certificates.  Based on that wording, I
> think only CAs that issue SSL/TLS server certificates (with WT or ETSI
> audits) and browsers that rely on SSL/TLS server certificates qualify.  We
> could have a new IoT Device Working Group, S/MIME Certificate Working
> Group, or other new WGs where the “CA” members don’t have WebTrust/ETSI
> audits, and their “browser” members may not require such audits.  So they
> wouldn’t be CABF Members under our current Bylaws.  I think we need a
> change in the Bylaws if the intention was that all WG members were
> automatically Forum members with a vote.
>
>
> Kirk, this is not an entirely accurate description of ETSI or WT, as far
> as I understand.
>
> The certifications called out in 2.1(a) are not limited to SSL/TLS server
> certificates. They may be used for "Certificate Issuers" that issue S/MIME,
> Code Signing, Digital Signature Certificates, Client Authentication and
> others. I don't think we need to make any amendments on the "Certificate
> Issuer" part, except for the improvement regarding the audit criteria
> versions that we've already discussed and is pending to enter a ballot.
>
> The description of "Certificate Consumers" is also inclusive for
> non-browser members, as long as they produce a software product intended
> for use by the general public for relying upon certificates. The only
> controversial spot that might be worth discussing is 2.2(a)- items 2 and 3:
>
> "A Certificate Consumer Member's membership will automatically cease if
> any of the following become true:
>
>    1. it is not a member of any CWG;
>    2. it stops providing updates for its membership-qualifying software
>    product;
>    3. six months have elapsed since the last such published update."
>
> There might be Certificate Consumers in certain business areas that don't
> update their software product every six months.
>
>
> Dimitris.
>
>
>
> *From:* vfournier at apple.com [mailto:vfournier at apple.com
> <vfournier at apple.com>]
> *Sent:* Thursday, August 30, 2018 11:55 AM
> *To:* Ryan Sleevi <sleevi at google.com>; Kirk Hall <
> Kirk.Hall at entrustdatacard.com>
> *Cc:* CA/Browser Forum Governance WG List <govreform at cabforum.org>
> *Subject:* [EXTERNAL]Re: [cabf_governance] Two topics for next Governance
> Change WG meeting
>
>
>
>
>
> On Aug 30, 2018, at 7:28 AM, Ryan Sleevi via Govreform <
> govreform at cabforum.org> wrote:
>
>
>
>
>
> On Thu, Aug 30, 2018 at 9:36 AM Kirk Hall via Govreform <
> govreform at cabforum.org> wrote:
>
> Here are two issues for the Governance WG to discuss:
>
>
>
> 1. Move forward with Ballot Forum-2 – extending terms of CABF Chair and
> Vice Chair
>
>
>
> 2.  Consider revising Bylaw 2.1 (Forum Membership requirements) and Bylaw
> 2.3(f) (voting rules).  As I understand it, the intent was that ALL members
> of ALL new Working Groups would automatically be Members of the Forum, and
> ALL would have an equal vote on votes at the Forum level.  Is that correct?
>
>
>
> I don't believe so.
>
>
>
> VMF:  All members of all WGs will also be members of the Forum.  There was
> no intent to change the voting structure.  There are still the Certificate
> Issuers/Certificate Consumers categories, with the same approval thresholds.
>
>
>
> That’s not how Bylaws 2.1 and 2.3 read – they only allow CAs and Browsers
> to be Forum members, and they still show voting at the Forum level limited
> to CAs and Browsers (2/3 vote, 51% vote).  We did move these same rules to
> the SCWG level – that makes sense – but if we create new WGs with
> non-CA/non-browser members, they won’t be able to participate at the Forum
> level.
>
>
>
> Well, browsers, mail clients, other certificate consumers. It's a broader
> category than just the SCWG's notion of browser.
>
>
>
> VMF:  Each WG can set its own voting rules in its charter.  This in no way
> affects the voting structure at the Forum level.
>
>
>
>
>
> So we should (a) change those Bylaws at the Forum level (“any Member of a
> WG is automatically a Member of the Forum, and all votes equal at the Forum
> level”), and also (b) add the current voting rules to the SCWG charter
> (there are no voting rules there).
>
> VMF:  No, this is not what was intended.
>
>
>
> ******
>
>
>
> *Bylaw 2.1 Qualifying for Forum Membership*
>
> (a) All Forum members must participate in at least one CWG (as defined in
> Section 5.3.1 below), and meet at least one of the following criteria:
>
> (1) Certificate Issuer: The member organization operates a certification
> authority that has a current and successful WebTrust for CAs audit or ETSI
> EN 319 411-1 or ETSI TS 102 042 or ETSI TS 101 456 audit report prepared by
> a properly-qualified auditor, is a member of a CWG, and that actively
> issues certificates to end entities, such certificates being treated as
> valid by a Certificate Consumer Member. Applicants that are not actively
> issuing certificates but otherwise meet membership criteria may be granted
> Associate Member status under Bylaw Sec. 3.1 for a period of time to be
> designated by the Forum.
>
> (2) Root Certificate Issuer: The member organization operates a
> certification authority that has a current and successful WebTrust for CAs,
> or ETSI EN 319 411-1 or ETSI TS 102 042 or ETSI TS 101 456 audit report
> prepared by a properly-qualified auditor, is a member of a CWG, and that
> issues certificates to subordinate CAs that, in turn, actively issue
> certificates to end entities such certificates being treated as valid by a
> Certificate Consumer Member. Applicants that are not actively issuing
> certificates but otherwise meet membership criteria may be granted
> Associate Member status under Bylaw Section 3.1 for a period of time to be
> designated by the Forum.
>
> (3) Certificate Consumer: The member organization produces a software
> product, such as a browser, intended for use by the general public for
> relying upon certificates and is a member of a CWG.
>
>
>
> *2.3 General Provisions Applicable to all Ballots*
>
> The following rules will apply to all ballots, including Draft Guideline
> Ballots (defined in Section 2.4).
>
>
>
> (f) Members fall into two categories: Certificate Issuers (including
> Certificate Issuers and Root Certificate Issuers), as defined in Section
> 2.1(a)(1) and (2) and Certificate Consumers (as defined in Section
> 2.1(a)(3)). In order for a ballot to be adopted by the Forum, two-thirds
> or more of the votes cast by the Members in the Certificate Issuer
> category must be in favor of the ballot, and at least 50% plus one of the
> votes cast by the Members in the Certificate Consumer category must be in
> favor of the ballot. At least one Member in each category must vote in
> favor of a ballot for the ballot to be adopted.
>
> _______________________________________________
> Govreform mailing list
> Govreform at cabforum.org
> https://cabforum.org/mailman/listinfo/govreform