[cabf_governance] Ballot 206 and documents

Dimitris Zacharopoulos jimmy at it.auth.gr
Tue Feb 6 12:01:26 MST 2018



On 6/2/2018 8:15 μμ, Dean Coclin wrote:
>
> Dimitris,
>
> We currently list ETSI 411-1. Why should we change to 401?
>

411-1 covers Baseline Requirements and Network Security Requirements,
which is equal to WebTrust for CAs Baseline and NetSec.
401 covers similar items as WebTrust for CAs.

Dimitris.

>
> Dean
>
>  
>
> *From:*Govreform [mailto:govreform-bounces at cabforum.org] *On Behalf Of
> *Dimitris Zacharopoulos via Govreform
> *Sent:* Tuesday, February 6, 2018 12:16 PM
> *To:* Virginia Fournier <vfournier at apple.com>
> *Cc:* CA/Browser Forum Governance WG List <govreform at cabforum.org>
> *Subject:* Re: [cabf_governance] Ballot 206 and documents
>
>  
>
>  
>
> On 6/2/2018 6:25 μμ, Virginia Fournier wrote:
>
>     Hi Dimitris,
>
>      
>
>     Would you please let us know what changes you’d propose to resolve
>     the issues you’ve mentioned below?  Your changes weren’t left out
>     intentionally - we probably just missed your request. Thanks.
>
>
> Certainly. I have attached a red-lined version of the proposed changes
> on the "CABF-Bylaws-v.1.8_23-Jan-2018.doc" file, to align the ETSI
> audit criteria with WebTrust. I also made a small reference correction
> to the "Certificate Consumer" definition.
>
> However, I couldn't provide an easy language fix for the requirement
> 2.1 a, and I hope the WG will be able to discuss on a future call. I
> will try to highlight the problem and propose some language to resolve
> the loop.
>
> Here are the current definitions:
>
> _(1) "Certificate Issuer_: The member organization operates a
> certification authority that has a current and successful WebTrust for
> CAs audit or ETSI EN 319 401 audit report prepared by a
> properly-qualified auditor, is a member of a Working Group, and that
> actively issues certificates to end entities, such certificates being
> treated as valid by a Certificate Consumer Member.  Applicants that
> are not actively issuing certificates but otherwise meet membership
> criteria may be granted Associate Member status under Bylaw Sec. 3.1
> for a period of time to be designated by the Forum"
>
> _(2) _"_Root Certificate Issuer_: The member organization operates a
> certification authority that has a current and successful WebTrust for
> CAs,or ETSI EN 319 401 audit report prepared by a properly-qualified
> auditor, is a member of a Working Group, and that issues certificates
> to subordinate CAs that, in turn, actively issue certificates to end
> entities such certificates being treated as valid by a Certificate
> Consumer Member.  Applicants that are not actively issuing
> certificates but otherwise meet membership criteria may be granted
> Associate Member status under Bylaw Sec. 3.1 for a period of time to
> be designated by the Forum. "
>
> _(3) _"_Certificate Consumer_: The member organization produces a
> software product, such as a browser, intended for use by the general
> public for relying upon certificates and is a member of a Working Group"
>
> First of all, since 2.1 talks about "qualifying for Forum Membership",
> which I understand to mean "Applicants", I propose we replace "member
> organization" to "applicant organization". In order to resolve the
> loop problem, perhaps the part of the "Certificate Consumer"
> definition that talks about software intended for use by the general
> public for relying upon certificates, should be included in the
> definitions of (1) and (2).
>
> Here is a suggestion for these definitions:
>
> _(1) "Certificate Issuer_: The applicant organization operates a
> certification authority that has a current and successful WebTrust for
> CAs audit or ETSI EN 319 401 audit report prepared by a
> properly-qualified auditor, is a member of a Working Group, and that
> actively issues certificates to end entities, such certificates being
> treated as valid by a software product, such as a browser, intended
> for use by the general public for relying upon certificates.
> Applicants that are not actively issuing certificates but otherwise
> meet membership criteria may be granted Associate Member status under
> Bylaw Sec. 3.1 for a period of time to be designated by the Forum"
>
> _(2) _"_Root Certificate Issuer_: The applicant organization operates
> a certification authority that has a current and successful WebTrust
> for CAs,or ETSI EN 319 401 audit report prepared by a
> properly-qualified auditor, is a member of a Working Group, and that
> issues certificates to subordinate CAs that, in turn, actively issue
> certificates to end entities such certificates being treated as valid
> by a software product, such as a browser, intended for use by the
> general public for relying upon certificates.Applicants that are not
> actively issuing certificates but otherwise meet membership criteria
> may be granted Associate Member status under Bylaw Sec. 3.1 for a
> period of time to be designated by the Forum. "
>
> _(3) _"_Certificate Consumer_: The applicant organization produces a
> software product, such as a browser, intended for use by the general
> public for relying upon certificates and is a member of a Working Group"
>
>
> Thank you,
> Dimitris.
>
>      
>
>     Virginia Fournier
>
>     Sent from my iPhone
>
>     Please excuse iTypos
>
>
>     On Feb 6, 2018, at 12:14 AM, Dimitris Zacharopoulos
>     <jimmy at it.auth.gr <mailto:jimmy at it.auth.gr>> wrote:
>
>
>         Hello all,
>
>         I reviewed the diffs and the proposed alignment between
>         WebTrust and ETSI is not included in the proposed Bylaws draft
>         (2.1a). I sent a proposal on Jan 9th
>         (https://cabforum.org/pipermail/govreform/2018-January/000355.html
>         <https://clicktime.symantec.com/a/1/xRJEOuXg-y_jlF4bPlvzPYNhn8a6eit8kncIq_wfMZ8=?d=zYU90j46QxTFNxAvlm_vJ4ZGqsTgwmt8yY9zvr0ptokxsxcxPTiHyfv81qHB08VOX3rrzZExOGgmgJkxIPZh2VDCB2-WrHv3HSXYZ8Wzk09rw2zFsyEvlFL13nhb7UzygerGhghF5qQl0uKJbkrgfHeL3_MxqGdnvlA7v_LK1cQLQhJS5vIh8quuXAU7PSSJvzKot7DAJo6bZDIRpzkFwNY2W9QBa2ODpEWTq9Pgug2qPyiezauI14B6fZZzXDwU0Ivj6KGS2Dy_1JXgXrsoUU_njc0WcH8N60MzLhzfYru_KK1QzFyolSRuA_TbFD0QG9P-7dp5mSt1H1BWsQ8OFAuLGgGHPbw9v12-oYSxeZkcV1l_eqlq15pTQI-hUSzH_gt5129IW5k-Txy56XOL79S-5w%3D%3D&u=https%3A%2F%2Fcabforum.org%2Fpipermail%2Fgovreform%2F2018-January%2F000355.html>)
>         about the Server Certificate Working Group Charter but the
>         concept is the same for the Bylaws.
>
>           * If we include the requirement for "WebTrust for CAs"
>             audit, then the equivalent ETSI audit should be "*ETSI EN
>             319 401*". This probably fits best for the Bylaws.
>           * If we include the requirement for "WebTrust for CAs +
>             WebTrust Baseline + NetSec " audit, then the equivalent
>             ETSI audit should be "ETSI EN 319 411-1". This probably
>             fits best for the Server Certificate Working Group Charter.
>
>         The old ETSI TS standards should not be included in the new
>         bylaws.
>
>         I was also puzzled with the following requirement in the
>         Bylaws (section 2.1a) "such certificates being treated as
>         valid by a Certificate Consumer*Member*". So, if a CA issues
>         Certificates for Digital Signatures which are trusted by Adobe
>         and Adobe is not a Member of the Forum, then this CA doesn't
>         meet the requirements. Is this a correct interpretation?
>
>
>         Best regards,
>         Dimitris.
>
>
>         On 6/2/2018 9:15 πμ, Virginia Fournier via Govreform wrote:
>
>             Hi all,
>
>
>
>             My apologies, I have a conflict for tomorrow’s meeting and
>             will not be able to attend.  I am sending what I hope are
>             virtually final versions of the documents.  I am sending
>             diff files for the Bylaws and IPR policy, as the Word
>             compare function will not cooperate. The diffs may be
>             easier to read in the end anyway.
>
>
>
>             As you may have seen from my email earlier today, we have
>             to cut off any new issues, content, etc. from being added
>             to the ballot so we can finalize it.  From this point
>             forward, we need to just review what we have, clean up
>             typos or any errors in the ballot, and move it forward.
>              With this in mind, I’d appreciate it if you’d review the
>             documents attached/referenced below to see if there are
>             any corrections/adjustments that need to be made.  We can
>             keep a list of additional issues that should be addressed
>             for the next ballot.
>
>
>
>             What is the status of the Server Certificate WG charter?
>              I sent some comments to Dean/Ben - have you had
>             a chance to look at those?  We need the final version of
>             that document also to complete the package.
>
>
>
>             I’d like to send the documents out early next week and
>             start an “informal” discussion period of 7 days next for
>             any questions people may have.  Does anyone see any
>             obstacles to doing that?
>
>
>
>             Here’s the diff for the Bylaws (all changes since version
>             1.7 shown).
>
>
>
>             https://draftable.com/compare/JHYFfXWaHGRx
>             <https://clicktime.symantec.com/a/1/uyKpIpWVOanrzEuutNyKQlSALyoi3PkQHMormrBAvWs=?d=zYU90j46QxTFNxAvlm_vJ4ZGqsTgwmt8yY9zvr0ptokxsxcxPTiHyfv81qHB08VOX3rrzZExOGgmgJkxIPZh2VDCB2-WrHv3HSXYZ8Wzk09rw2zFsyEvlFL13nhb7UzygerGhghF5qQl0uKJbkrgfHeL3_MxqGdnvlA7v_LK1cQLQhJS5vIh8quuXAU7PSSJvzKot7DAJo6bZDIRpzkFwNY2W9QBa2ODpEWTq9Pgug2qPyiezauI14B6fZZzXDwU0Ivj6KGS2Dy_1JXgXrsoUU_njc0WcH8N60MzLhzfYru_KK1QzFyolSRuA_TbFD0QG9P-7dp5mSt1H1BWsQ8OFAuLGgGHPbw9v12-oYSxeZkcV1l_eqlq15pTQI-hUSzH_gt5129IW5k-Txy56XOL79S-5w%3D%3D&u=https%3A%2F%2Fdraftable.com%2Fcompare%2FJHYFfXWaHGRx>
>
>              
>
>             Here’s the diff for the IPR Policy (all changes since
>             version 1.2 shown:
>
>              
>
>             https://draftable.com/compare/QuHvYZiCAAUr
>             <https://clicktime.symantec.com/a/1/8q3XvGqohjM8pvFAj8n2TNaDAB0so_mrZcspY58oCLE=?d=zYU90j46QxTFNxAvlm_vJ4ZGqsTgwmt8yY9zvr0ptokxsxcxPTiHyfv81qHB08VOX3rrzZExOGgmgJkxIPZh2VDCB2-WrHv3HSXYZ8Wzk09rw2zFsyEvlFL13nhb7UzygerGhghF5qQl0uKJbkrgfHeL3_MxqGdnvlA7v_LK1cQLQhJS5vIh8quuXAU7PSSJvzKot7DAJo6bZDIRpzkFwNY2W9QBa2ODpEWTq9Pgug2qPyiezauI14B6fZZzXDwU0Ivj6KGS2Dy_1JXgXrsoUU_njc0WcH8N60MzLhzfYru_KK1QzFyolSRuA_TbFD0QG9P-7dp5mSt1H1BWsQ8OFAuLGgGHPbw9v12-oYSxeZkcV1l_eqlq15pTQI-hUSzH_gt5129IW5k-Txy56XOL79S-5w%3D%3D&u=https%3A%2F%2Fdraftable.com%2Fcompare%2FQuHvYZiCAAUr>
>
>              
>
>             =
>
>
>
>
>
>             Best regards,
>
>              
>
>             Virginia Fournier
>
>             Senior Standards Counsel
>
>              Apple Inc.
>
>             ☏669-227-9595
>
>             ✉︎ vmf at apple.com <mailto:vmf at apple.com>
>
>              
>
>              
>
>              
>
>              
>
>              
>
>             On Dec 21, 2017, at 11:19 AM, Virginia Fournier via
>             Govreform <govreform at cabforum.org
>             <mailto:govreform at cabforum.org>> wrote:
>
>              
>
>             Hello all,
>
>              
>
>             Here are the final documents for Ballot 206.  Please
>             confirm that you’re ready to go forward with them in
>             January after the holidays.  Please also let me know if
>             you can open the Bylaws diff file.  What is the status of
>             the Server Certificate WG’s charter?  Thanks for
>             everyone’s hard work on this project.
>
>              
>
>             <CABF_Ballot206_20DEC17.docx>
>
>             <CABF-IPR-Policy-v.1.3_20DEC17_clean.doc>
>
>             <CABF-IPR-Policy-v.1.3_20DEC17_redline.doc>
>
>             <CABF-Bylaws-v.1.8_20DEC17_clean.doc>
>
>             <CABF-Governance Change FAQ_20DEC17.docx>
>
>             <Bylaws DiffNow Comparison Report.htm>
>
>
>
>
>
>             Best regards,
>
>              
>
>             Virginia Fournier
>
>             Senior Standards Counsel
>
>              Apple Inc.
>
>             ☏669-227-9595
>
>             ✉︎ vmf at apple.com <mailto:vmf at apple.com>
>
>              
>
>              
>
>              
>
>              
>
>              
>
>             _______________________________________________
>             Govreform mailing list
>             Govreform at cabforum.org <mailto:Govreform at cabforum.org>
>             https://cabforum.org/mailman/listinfo/govreform
>             <https://clicktime.symantec.com/a/1/8rSOldnBKg8XvPcCi-8xhn3L1EZQhM_E6Wxoe2uL3ps=?d=zYU90j46QxTFNxAvlm_vJ4ZGqsTgwmt8yY9zvr0ptokxsxcxPTiHyfv81qHB08VOX3rrzZExOGgmgJkxIPZh2VDCB2-WrHv3HSXYZ8Wzk09rw2zFsyEvlFL13nhb7UzygerGhghF5qQl0uKJbkrgfHeL3_MxqGdnvlA7v_LK1cQLQhJS5vIh8quuXAU7PSSJvzKot7DAJo6bZDIRpzkFwNY2W9QBa2ODpEWTq9Pgug2qPyiezauI14B6fZZzXDwU0Ivj6KGS2Dy_1JXgXrsoUU_njc0WcH8N60MzLhzfYru_KK1QzFyolSRuA_TbFD0QG9P-7dp5mSt1H1BWsQ8OFAuLGgGHPbw9v12-oYSxeZkcV1l_eqlq15pTQI-hUSzH_gt5129IW5k-Txy56XOL79S-5w%3D%3D&u=https%3A%2F%2Fcabforum.org%2Fmailman%2Flistinfo%2Fgovreform>
>
>
>             =
>
>
>             _______________________________________________
>
>             Govreform mailing list
>
>             Govreform at cabforum.org <mailto:Govreform at cabforum.org>
>
>             https://cabforum.org/mailman/listinfo/govreform
>             <https://clicktime.symantec.com/a/1/8rSOldnBKg8XvPcCi-8xhn3L1EZQhM_E6Wxoe2uL3ps=?d=zYU90j46QxTFNxAvlm_vJ4ZGqsTgwmt8yY9zvr0ptokxsxcxPTiHyfv81qHB08VOX3rrzZExOGgmgJkxIPZh2VDCB2-WrHv3HSXYZ8Wzk09rw2zFsyEvlFL13nhb7UzygerGhghF5qQl0uKJbkrgfHeL3_MxqGdnvlA7v_LK1cQLQhJS5vIh8quuXAU7PSSJvzKot7DAJo6bZDIRpzkFwNY2W9QBa2ODpEWTq9Pgug2qPyiezauI14B6fZZzXDwU0Ivj6KGS2Dy_1JXgXrsoUU_njc0WcH8N60MzLhzfYru_KK1QzFyolSRuA_TbFD0QG9P-7dp5mSt1H1BWsQ8OFAuLGgGHPbw9v12-oYSxeZkcV1l_eqlq15pTQI-hUSzH_gt5129IW5k-Txy56XOL79S-5w%3D%3D&u=https%3A%2F%2Fcabforum.org%2Fmailman%2Flistinfo%2Fgovreform>
>
>          
>
>  
>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cabforum.org/pipermail/govreform/attachments/20180206/21c6ea9e/attachment-0001.html>


More information about the Govreform mailing list