[cabf_governance] Ballot 206 and documents

Dimitris Zacharopoulos jimmy at it.auth.gr
Tue Feb 6 12:49:43 MST 2018


Certainly for the Server Working Group. But how about the new general
Bylaws or a new WG around S/MIME? We've said numerous times that the
Baseline Requirements apply only to SSL/TLS Certificates and so do the
WebTrust for CAs Baseline + NetSec.

I recommend adding both: (1) should apply to the new Server Certificate WG
and (2) should apply to the new general Bylaws.

Dimitris.

On 6/2/2018 9:39 PM, Tim Hollebeek wrote:
>
> Ok, I think I get it.
>
> We should either:
>
>  1. upgrade the WebTrust requirement to “WebTrust for CAs Baseline and
>     NetSec” in order to align with requiring 411-1, or
>  2. downgrade the ETSI requirement to 401 to align with requiring
>     “WebTrust for CAs”.
>
> Is that the right summary?
>
> In this day and age, I think (1) is the right approach.
>
> -Tim
>
> *From:* Dimitris Zacharopoulos [mailto:jimmy at it.auth.gr]
> *Sent:* Tuesday, February 6, 2018 12:25 PM
> *To:* Tim Hollebeek <tim.hollebeek at digicert.com>; CA/Browser Forum
> Governance WG List <govreform at cabforum.org>; Dean Coclin
> <dean.coclin at digicert.com>
> *Subject:* Re: [cabf_governance] Ballot 206 and documents
>
> On 6/2/2018 9:17 PM, Tim Hollebeek wrote:
>
>     For those of us who have historically tried hard not to understand
>     European regulations, but probably should understand them better
>     than we do, is one a superset of the other, and if so, in which
>     direction?  If not, what does the Venn diagram look like?
>
>
> ETSI EN 319 401 is the first level and 411 (part 1) is built on top of
> 401. Here is a diagram available from the document ETSI TR 119 400
> (http://www.etsi.org/deliver/etsi_tr/119400_119499/119400/01.01.01_60/tr_119400v010101p.pdf)
>
>
>
> I hope it is clearer now.
>
> Dimitris.
>
>
>     -Tim
>
>      
>
>     *From:* Govreform [mailto:govreform-bounces at cabforum.org] *On
>     Behalf Of* Dimitris Zacharopoulos via Govreform
>     *Sent:* Tuesday, February 6, 2018 12:10 PM
>     *To:* Dean Coclin <dean.coclin at digicert.com>
>     <mailto:dean.coclin at digicert.com>; CA/Browser Forum Governance WG
>     List <govreform at cabforum.org> <mailto:govreform at cabforum.org>
>     *Subject:* Re: [cabf_governance] Ballot 206 and documents
>
>     On 6/2/2018 9:02 PM, Dean Coclin wrote:
>
>         I’m still confused. The requirement from browsers is 411-1.
>
>
>     But the new Bylaws are not only for Browsers :-)
>
>     The Server Certificates WG will require ETSI EN 319 411-1 BUT IT
>     SHOULD ALSO require not just WebTrust for CAs but also WebTrust
>     for CAs Baseline and NetSec.
>
>     Dimitris.
>
>         *From:* Dimitris Zacharopoulos [mailto:jimmy at it.auth.gr]
>         *Sent:* Tuesday, February 6, 2018 2:01 PM
>         *To:* Dean Coclin <dean.coclin at digicert.com>
>         <mailto:dean.coclin at digicert.com>; CA/Browser Forum Governance
>         WG List <govreform at cabforum.org> <mailto:govreform at cabforum.org>
>         *Subject:* Re: [cabf_governance] Ballot 206 and documents
>
>         On 6/2/2018 8:15 PM, Dean Coclin wrote:
>
>             Dimitris,
>
>             We currently list ETSI 411-1. Why should we change to 401?
>
>
>         411-1 covers Baseline Requirements and Network Security
>         Requirements, which is equal to WebTrust for CAs Baseline and
>         NetSec.
>         401 covers similar items as WebTrust for CAs.
>
>         Dimitris.
>
>             Dean
>
>             *From:* Govreform [mailto:govreform-bounces at cabforum.org]
>             *On Behalf Of* Dimitris Zacharopoulos via Govreform
>             *Sent:* Tuesday, February 6, 2018 12:16 PM
>             *To:* Virginia Fournier <vfournier at apple.com>
>             <mailto:vfournier at apple.com>
>             *Cc:* CA/Browser Forum Governance WG List
>             <govreform at cabforum.org> <mailto:govreform at cabforum.org>
>             *Subject:* Re: [cabf_governance] Ballot 206 and documents
>
>             On 6/2/2018 6:25 PM, Virginia Fournier wrote:
>
>                 Hi Dimitris,
>
>                 Would you please let us know what changes you’d
>                 propose to resolve the issues you’ve mentioned below?
>                 Your changes weren’t left out intentionally - we
>                 probably just missed your request. Thanks.
>
>
>             Certainly. I have attached a red-lined version of the
>             proposed changes on the
>             "CABF-Bylaws-v.1.8_23-Jan-2018.doc" file, to align the
>             ETSI audit criteria with WebTrust. I also made a small
>             reference correction to the "Certificate Consumer"
>             definition.
>
>             However, I couldn't provide an easy language fix for the
>             requirement 2.1 a, and I hope the WG will be able to
>             discuss on a future call. I will try to highlight the
>             problem and propose some language to resolve the loop.
>
>             Here are the current definitions:
>
>             _(1) "Certificate Issuer_: The member organization
>             operates a certification authority that has a current and
>             successful WebTrust for CAs audit or ETSI EN 319 401 audit
>             report prepared by a properly-qualified auditor, is a
>             member of a Working Group, and that actively issues
>             certificates to end entities, such certificates being
>             treated as valid by a Certificate Consumer Member. 
>             Applicants that are not actively issuing certificates but
>             otherwise meet membership criteria may be granted
>             Associate Member status under Bylaw Sec. 3.1 for a period
>             of time to be designated by the Forum"
>
>             _(2) _"_Root Certificate Issuer_: The member organization
>             operates a certification authority that has a current and
>             successful WebTrust for CAs, or ETSI EN 319 401 audit
>             report prepared by a properly-qualified auditor, is a
>             member of a Working Group, and that issues certificates to
>             subordinate CAs that, in turn, actively issue certificates
>             to end entities such certificates being treated as valid
>             by a Certificate Consumer Member.  Applicants that are not
>             actively issuing certificates but otherwise meet
>             membership criteria may be granted Associate Member status
>             under Bylaw Sec. 3.1 for a period of time to be designated
>             by the Forum. "
>
>             _(3) _"_Certificate Consumer_: The member organization
>             produces a software product, such as a browser, intended
>             for use by the general public for relying upon
>             certificates and is a member of a Working Group"
>
>             First of all, since 2.1 talks about "qualifying for Forum
>             Membership", which I understand to mean "Applicants", I
>             propose we replace "member organization" with "applicant
>             organization". In order to resolve the loop problem,
>             perhaps the part of the "Certificate Consumer" definition
>             that talks about software intended for use by the general
>             public for relying upon certificates, should be included
>             in the definitions of (1) and (2).
>
>             Here is a suggestion for these definitions:
>
>             _(1) "Certificate Issuer_: The applicant organization
>             operates a certification authority that has a current and
>             successful WebTrust for CAs audit or ETSI EN 319 401 audit
>             report prepared by a properly-qualified auditor, is a
>             member of a Working Group, and that actively issues
>             certificates to end entities, such certificates being
>             treated as valid by a software product, such as a browser,
>             intended for use by the general public for relying upon
>             certificates. Applicants that are not actively issuing
>             certificates but otherwise meet membership criteria may be
>             granted Associate Member status under Bylaw Sec. 3.1 for a
>             period of time to be designated by the Forum"
>
>             _(2) _"_Root Certificate Issuer_: The applicant
>             organization operates a certification authority that has a
>             current and successful WebTrust for CAs, or ETSI EN 319 401
>             audit report prepared by a properly-qualified auditor, is
>             a member of a Working Group, and that issues certificates
>             to subordinate CAs that, in turn, actively issue
>             certificates to end entities such certificates being
>             treated as valid by a software product, such as a browser,
>             intended for use by the general public for relying upon
>             certificates. Applicants that are not actively issuing
>             certificates but otherwise meet membership criteria may be
>             granted Associate Member status under Bylaw Sec. 3.1 for a
>             period of time to be designated by the Forum. "
>
>             _(3) _"_Certificate Consumer_: The applicant organization
>             produces a software product, such as a browser, intended
>             for use by the general public for relying upon
>             certificates and is a member of a Working Group"
>
>
>             Thank you,
>             Dimitris.
>
>
>                 Virginia Fournier
>
>                 Sent from my iPhone
>
>                 Please excuse iTypos
>
>
>                 On Feb 6, 2018, at 12:14 AM, Dimitris Zacharopoulos
>                 <jimmy at it.auth.gr <mailto:jimmy at it.auth.gr>> wrote:
>
>
>                     Hello all,
>
>                     I reviewed the diffs and the proposed alignment
>                     between WebTrust and ETSI is not included in the
>                     proposed Bylaws draft (2.1a). I sent a proposal on
>                     Jan 9th
>                     (https://cabforum.org/pipermail/govreform/2018-January/000355.html)
>                     about the Server Certificate Working Group Charter
>                     but the concept is the same for the Bylaws.
>
>                       * If we include the requirement for "WebTrust
>                         for CAs" audit, then the equivalent ETSI audit
>                         should be "*ETSI EN 319 401*". This probably
>                         fits best for the Bylaws.
>                       * If we include the requirement for "WebTrust
>                         for CAs + WebTrust Baseline + NetSec " audit,
>                         then the equivalent ETSI audit should be "ETSI
>                         EN 319 411-1". This probably fits best for the
>                         Server Certificate Working Group Charter.
>
>                     The old ETSI TS standards should not be included
>                     in the new bylaws.
>
>                     I was also puzzled with the following requirement
>                     in the Bylaws (section 2.1a) "such certificates
>                     being treated as valid by a Certificate
>                     Consumer *Member*". So, if a CA issues Certificates
>                     for Digital Signatures which are trusted by Adobe
>                     and Adobe is not a Member of the Forum, then this
>                     CA doesn't meet the requirements. Is this a
>                     correct interpretation?
>
>
>                     Best regards,
>                     Dimitris.
>
>
>                     On 6/2/2018 9:15 AM, Virginia Fournier via
>                     Govreform wrote:
>
>                         Hi all,
>
>                         My apologies, I have a conflict for tomorrow’s
>                         meeting and will not be able to attend.  I am
>                         sending what I hope are virtually final
>                         versions of the documents.  I am sending diff
>                         files for the Bylaws and IPR policy, as the
>                         Word compare function will not cooperate. The
>                         diffs may be easier to read in the end anyway.
>
>
>                         As you may have seen from my email earlier
>                         today, we have to cut off any new
>                         issues, content, etc. from being added to the
>                         ballot so we can finalize it.  From this point
>                         forward, we need to just review what we have,
>                         clean up typos or any errors in the ballot,
>                         and move it forward.  With this in mind, I’d
>                         appreciate it if you’d review the documents
>                         attached/referenced below to see if there are
>                         any corrections/adjustments that need to be
>                         made.  We can keep a list of additional
>                         issues that should be addressed for the next
>                         ballot.
>
>
>                         What is the status of the Server Certificate
>                         WG charter?  I sent some comments to Dean/Ben
>                         - have you had a chance to look at those?  We
>                         need the final version of that document also
>                         to complete the package.
>
>
>                         I’d like to send the documents out early next
>                         week and start an “informal” discussion period
>                         of 7 days next for any questions people may
>                         have.  Does anyone see any obstacles to doing
>                         that?
>
>
>                         Here’s the diff for the Bylaws (all changes
>                         since version 1.7 shown).
>
>
>                         https://draftable.com/compare/JHYFfXWaHGRx
>
>                         Here’s the diff for the IPR Policy (all
>                         changes since version 1.2 shown):
>
>                         https://draftable.com/compare/QuHvYZiCAAUr
>
>                         Best regards,
>
>                         Virginia Fournier
>
>                         Senior Standards Counsel
>
>                         Apple Inc.
>
>                         ☏669-227-9595
>
>                         ✉︎ vmf at apple.com <mailto:vmf at apple.com>
>
>                         On Dec 21, 2017, at 11:19 AM, Virginia
>                         Fournier via Govreform <govreform at cabforum.org
>                         <mailto:govreform at cabforum.org>> wrote:
>
>                         Hello all,
>
>                         Here are the final documents for Ballot 206.
>                         Please confirm that you’re ready to go
>                         forward with them in January after the
>                         holidays.  Please also let me know if you can
>                         open the Bylaws diff file.  What is the status
>                         of the Server Certificate WG’s charter?
>                         Thanks for everyone’s hard work on this project.
>
>                         <CABF_Ballot206_20DEC17.docx>
>
>                         <CABF-IPR-Policy-v.1.3_20DEC17_clean.doc>
>
>                         <CABF-IPR-Policy-v.1.3_20DEC17_redline.doc>
>
>                         <CABF-Bylaws-v.1.8_20DEC17_clean.doc>
>
>                         <CABF-Governance Change FAQ_20DEC17.docx>
>
>                         <Bylaws DiffNow Comparison Report.htm>
>
>                         Best regards,
>
>                         Virginia Fournier
>
>                         Senior Standards Counsel
>
>                         Apple Inc.
>
>                         ☏669-227-9595
>
>                         ✉︎ vmf at apple.com <mailto:vmf at apple.com>
>
>                         _______________________________________________
>                         Govreform mailing list
>                         Govreform at cabforum.org
>                         <mailto:Govreform at cabforum.org>
>                         https://cabforum.org/mailman/listinfo/govreform
>
