[cabf_governance] Ballot 206 and documents

Dimitris Zacharopoulos jimmy at it.auth.gr
Tue Feb 6 12:09:50 MST 2018



On 6/2/2018 9:02 PM, Dean Coclin wrote:
>
> I’m still confused. The requirement from browsers is 411-1.
>

But the new Bylaws are not only for Browsers :-)

The Server Certificates WG will require ETSI EN 319 411-1 BUT IT SHOULD
ALSO require not just WebTrust for CAs but also WebTrust for CAs
Baseline and NetSec.

Dimitris.

>  
>
> *From:*Dimitris Zacharopoulos [mailto:jimmy at it.auth.gr]
> *Sent:* Tuesday, February 6, 2018 2:01 PM
> *To:* Dean Coclin <dean.coclin at digicert.com>; CA/Browser Forum
> Governance WG List <govreform at cabforum.org>
> *Subject:* Re: [cabf_governance] Ballot 206 and documents
>
>  
>
>  
>
> On 6/2/2018 8:15 PM, Dean Coclin wrote:
>
>     Dimitris,
>
>     We currently list ETSI 411-1. Why should we change to 401?
>
>
> 411-1 covers Baseline Requirements and Network Security Requirements,
> which is equal to WebTrust for CAs Baseline and NetSec.
> 401 covers similar items as WebTrust for CAs.
>
> Dimitris.
>
>
>
>     Dean
>
>      
>
>     *From:*Govreform [mailto:govreform-bounces at cabforum.org] *On
>     Behalf Of *Dimitris Zacharopoulos via Govreform
>     *Sent:* Tuesday, February 6, 2018 12:16 PM
>     *To:* Virginia Fournier <vfournier at apple.com>
>     <mailto:vfournier at apple.com>
>     *Cc:* CA/Browser Forum Governance WG List <govreform at cabforum.org>
>     <mailto:govreform at cabforum.org>
>     *Subject:* Re: [cabf_governance] Ballot 206 and documents
>
>      
>
>      
>
>     On 6/2/2018 6:25 PM, Virginia Fournier wrote:
>
>         Hi Dimitris,
>
>          
>
>         Would you please let us know what changes you’d propose to
>         resolve the issues you’ve mentioned below?  Your changes
>         weren’t left out intentionally - we probably just missed your
>         request. Thanks.
>
>
>     Certainly. I have attached a red-lined version of the proposed
>     changes on the "CABF-Bylaws-v.1.8_23-Jan-2018.doc" file, to align
>     the ETSI audit criteria with WebTrust. I also made a small
>     reference correction to the "Certificate Consumer" definition.
>
>     However, I couldn't provide an easy language fix for the
>     requirement 2.1 a, and I hope the WG will be able to discuss on a
>     future call. I will try to highlight the problem and propose some
>     language to resolve the loop.
>
>     Here are the current definitions:
>
>     _(1) "Certificate Issuer_: The member organization operates a
>     certification authority that has a current and successful WebTrust
>     for CAs audit or ETSI EN 319 401 audit report prepared by a
>     properly-qualified auditor, is a member of a Working Group, and
>     that actively issues certificates to end entities, such
>     certificates being treated as valid by a Certificate Consumer
>     Member.  Applicants that are not actively issuing certificates but
>     otherwise meet membership criteria may be granted Associate Member
>     status under Bylaw Sec. 3.1 for a period of time to be designated
>     by the Forum"
>
>     _(2) _"_Root Certificate Issuer_: The member organization operates
>     a certification authority that has a current and successful
>     WebTrust for CAs, or ETSI EN 319 401 audit report prepared by a
>     properly-qualified auditor, is a member of a Working Group, and
>     that issues certificates to subordinate CAs that, in turn,
>     actively issue certificates to end entities such certificates
>     being treated as valid by a Certificate Consumer Member. 
>     Applicants that are not actively issuing certificates but
>     otherwise meet membership criteria may be granted Associate Member
>     status under Bylaw Sec. 3.1 for a period of time to be designated
>     by the Forum. "
>
>     _(3) _"_Certificate Consumer_: The member organization produces a
>     software product, such as a browser, intended for use by the
>     general public for relying upon certificates and is a member of a
>     Working Group"
>
>     First of all, since 2.1 talks about "qualifying for Forum
>     Membership", which I understand to mean "Applicants", I propose we
>     replace "member organization" with "applicant organization". In
>     order to resolve the loop problem, perhaps the part of the
>     "Certificate Consumer" definition that talks about software
>     intended for use by the general public for relying upon
>     certificates, should be included in the definitions of (1) and (2).
>
>     Here is a suggestion for these definitions:
>
>     _(1) "Certificate Issuer_: The applicant organization operates a
>     certification authority that has a current and successful WebTrust
>     for CAs audit or ETSI EN 319 401 audit report prepared by a
>     properly-qualified auditor, is a member of a Working Group, and
>     that actively issues certificates to end entities, such
>     certificates being treated as valid by a software product, such as
>     a browser, intended for use by the general public for relying upon
>     certificates. Applicants that are not actively issuing
>     certificates but otherwise meet membership criteria may be granted
>     Associate Member status under Bylaw Sec. 3.1 for a period of time
>     to be designated by the Forum"
>
>     _(2) _"_Root Certificate Issuer_: The applicant organization
>     operates a certification authority that has a current and
>     successful WebTrust for CAs, or ETSI EN 319 401 audit report
>     prepared by a properly-qualified auditor, is a member of a Working
>     Group, and that issues certificates to subordinate CAs that, in
>     turn, actively issue certificates to end entities such
>     certificates being treated as valid by a software product, such as
>     a browser, intended for use by the general public for relying upon
>     certificates. Applicants that are not actively issuing certificates
>     but otherwise meet membership criteria may be granted Associate
>     Member status under Bylaw Sec. 3.1 for a period of time to be
>     designated by the Forum. "
>
>     _(3) _"_Certificate Consumer_: The applicant organization produces
>     a software product, such as a browser, intended for use by the
>     general public for relying upon certificates and is a member of a
>     Working Group"
>
>
>     Thank you,
>     Dimitris.
>
>
>          
>
>         Virginia Fournier
>
>         Sent from my iPhone
>
>         Please excuse iTypos
>
>
>         On Feb 6, 2018, at 12:14 AM, Dimitris Zacharopoulos
>         <jimmy at it.auth.gr <mailto:jimmy at it.auth.gr>> wrote:
>
>
>             Hello all,
>
>             I reviewed the diffs and the proposed alignment between
>             WebTrust and ETSI is not included in the proposed Bylaws
>             draft (2.1a). I sent a proposal on Jan 9th
>             (https://cabforum.org/pipermail/govreform/2018-January/000355.html)
>             about the Server Certificate Working Group Charter but the
>             concept is the same for the Bylaws.
>
>               * If we include the requirement for "WebTrust for CAs"
>                 audit, then the equivalent ETSI audit should be "*ETSI
>                 EN 319 401*". This probably fits best for the Bylaws.
>               * If we include the requirement for "WebTrust for CAs +
>                 WebTrust Baseline + NetSec " audit, then the
>                 equivalent ETSI audit should be "ETSI EN 319 411-1".
>                 This probably fits best for the Server Certificate
>                 Working Group Charter.
>
>             The old ETSI TS standards should not be included in the
>             new bylaws.
>
>             I was also puzzled with the following requirement in the
>             Bylaws (section 2.1a) "such certificates being treated as
>             valid by a Certificate Consumer *Member*". So, if a CA
>             issues Certificates for Digital Signatures which are
>             trusted by Adobe and Adobe is not a Member of the Forum,
>             then this CA doesn't meet the requirements. Is this a
>             correct interpretation?
>
>
>             Best regards,
>             Dimitris.
>
>
>             On 6/2/2018 9:15 AM, Virginia Fournier via Govreform wrote:
>
>                 Hi all,
>
>
>
>
>                 My apologies, I have a conflict for tomorrow’s meeting
>                 and will not be able to attend.  I am sending what I
>                 hope are virtually final versions of the documents.  I
>                 am sending diff files for the Bylaws and IPR policy,
>                 as the Word compare function will not cooperate. The
>                 diffs may be easier to read in the end anyway.
>
>
>
>
>                 As you may have seen from my email earlier today, we
>                 have to cut off any new issues, content, etc. from
>                 being added to the ballot so we can finalize it.  From
>                 this point forward, we need to just review what we
>                 have, clean up typos or any errors in the ballot, and
>                 move it forward.  With this in mind, I’d appreciate it
>                 if you’d review the documents attached/referenced
>                 below to see if there are any corrections/adjustments
>                 that need to be made.  We can keep a list of
>                 additional issues that should be addressed for the
>                 next ballot.
>
>
>
>
>                 What is the status of the Server Certificate WG
>                 charter?  I sent some comments to Dean/Ben - have you
>                 had a chance to look at those?  We need the final
>                 version of that document also to complete the package.
>
>
>
>
>                 I’d like to send the documents out early next week and
>                 start an “informal” discussion period of 7 days next
>                 for any questions people may have.  Does anyone see
>                 any obstacles to doing that?
>
>
>
>
>                 Here’s the diff for the Bylaws (all changes since
>                 version 1.7 shown).
>
>
>
>
>                 https://draftable.com/compare/JHYFfXWaHGRx
>
>                  
>
>                 Here’s the diff for the IPR Policy (all changes since
>                 version 1.2 shown):
>
>                  
>
>                 https://draftable.com/compare/QuHvYZiCAAUr
>
>                  
>
>
>
>
>
>
>
>
>                 Best regards,
>
>                  
>
>                 Virginia Fournier
>
>                 Senior Standards Counsel
>
>                  Apple Inc.
>
>                 ☏669-227-9595
>
>                 ✉︎ vmf at apple.com <mailto:vmf at apple.com>
>
>                  
>
>                  
>
>                  
>
>                  
>
>                  
>
>                 On Dec 21, 2017, at 11:19 AM, Virginia Fournier via
>                 Govreform <govreform at cabforum.org
>                 <mailto:govreform at cabforum.org>> wrote:
>
>                  
>
>                 Hello all,
>
>                  
>
>                 Here are the final documents for Ballot 206.  Please
>                 confirm that you’re ready to go forward with them in
>                 January after the holidays.  Please also let me know
>                 if you can open the Bylaws diff file.  What is the
>                 status of the Server Certificate WG’s charter?  Thanks
>                 for everyone’s hard work on this project.
>
>                  
>
>                 <CABF_Ballot206_20DEC17.docx>
>
>                 <CABF-IPR-Policy-v.1.3_20DEC17_clean.doc>
>
>                 <CABF-IPR-Policy-v.1.3_20DEC17_redline.doc>
>
>                 <CABF-Bylaws-v.1.8_20DEC17_clean.doc>
>
>                 <CABF-Governance Change FAQ_20DEC17.docx>
>
>                 <Bylaws DiffNow Comparison Report.htm>
>
>
>
>
>
>
>
>                 Best regards,
>
>                  
>
>                 Virginia Fournier
>
>                 Senior Standards Counsel
>
>                  Apple Inc.
>
>                 ☏669-227-9595
>
>                 ✉︎ vmf at apple.com <mailto:vmf at apple.com>
>
>                  
>
>                  
>
>                  
>
>                  
>
>                  
>
>                 _______________________________________________
>                 Govreform mailing list
>                 Govreform at cabforum.org <mailto:Govreform at cabforum.org>
>                 https://cabforum.org/mailman/listinfo/govreform
>
>
>
>              
>
>      
>
>  
>
