[cabf_governance] Ballot 206 and documents
Dimitris Zacharopoulos
jimmy at it.auth.gr
Wed Feb 7 00:05:28 MST 2018
Hi Virginia,

Ben circulated on Jan 23rd a revised Server Certificate WG Charter that
takes care of the WebTrust - ETSI alignment, so we're good there.

The Bylaws diff that takes care of the WebTrust - ETSI alignment is
included in a Word attachment I sent yesterday (also correcting a wrong
reference at the beginning of the document). Please let me know if you
need anything else.

The only question is if the WG wants to further discuss the "loop"
problem. With the current language, you can't start a WG without a
"Certificate Consumer" *as a member*.

Dimitris.

On 7/2/2018 12:00 AM, Virginia Fournier wrote:
> Hi Tim and Dimitris,
>
> Ok, it sounds like we have consensus on what we need to have in the
> Bylaws and the Server Certificate WG. Would you please send us an
> email clearly indicating what needs to be changed? Please note that
> redlines don’t come through in this format, so maybe you could provide
> something like:
>
> In Section 2.x, change “the red fox ran fast” to “the red hen ran away.”
>
> Otherwise, a diff file would be helpful as well. Thanks!
>
> Thanks very much!
>
>
> Best regards,
>
> Virginia Fournier
> Senior Standards Counsel
> Apple Inc.
> ☏ 669-227-9595
> ✉︎ vmf at apple.com <mailto:vmf at apple.com>
>
>
> On Feb 6, 2018, at 11:51 AM, Tim Hollebeek via Govreform
> <govreform at cabforum.org <mailto:govreform at cabforum.org>> wrote:
>
> That sounds right to me.
>
> -Tim
>
> *From:* Dimitris Zacharopoulos [mailto:jimmy at it.auth.gr]
> *Sent:* Tuesday, February 6, 2018 12:50 PM
> *To:* Tim Hollebeek <tim.hollebeek at digicert.com
> <mailto:tim.hollebeek at digicert.com>>; CA/Browser Forum Governance WG
> List <govreform at cabforum.org <mailto:govreform at cabforum.org>>; Dean
> Coclin <dean.coclin at digicert.com <mailto:dean.coclin at digicert.com>>
> *Subject:* Re: [cabf_governance] Ballot 206 and documents
>
>
> Certainly for the Server Working Group. But how about the new general
> Bylaws or a new WG around S/MIME? We've said numerous times that the
> Baseline Requirements apply only to SSL/TLS Certificates and so do the
> WebTrust for CAs Baseline + NetSec.
>
> I recommend adding both. 1 should apply to the new Server Certificate
> WG and 2 should apply to the new general Bylaws.
>
> Dimitris.
>
> On 6/2/2018 9:39 PM, Tim Hollebeek wrote:
>
> Ok, I think I get it.
>
> We should either:
>
>
> 1. upgrade the WebTrust requirement to “WebTrust for CAs Baseline
> and NetSec” in order to align with requiring 411-1, or
> 2. downgrade the ETSI requirement to 401 to align with requiring
> “WebTrust for CAs”.
>
>
> Is that the right summary?
>
> In this day and age, I think (1) is the right approach.
>
> -Tim
>
> *From:* Dimitris Zacharopoulos [mailto:jimmy at it.auth.gr]
> *Sent:* Tuesday, February 6, 2018 12:25 PM
> *To:* Tim Hollebeek <tim.hollebeek at digicert.com>
> <mailto:tim.hollebeek at digicert.com>; CA/Browser Forum Governance
> WG List <govreform at cabforum.org> <mailto:govreform at cabforum.org>;
> Dean Coclin <dean.coclin at digicert.com>
> <mailto:dean.coclin at digicert.com>
> *Subject:* Re: [cabf_governance] Ballot 206 and documents
>
>
>
>
> On 6/2/2018 9:17 PM, Tim Hollebeek wrote:
>
> For those of us who have historically tried hard not to
> understand European regulations, but probably should
> understand them better than we do, is one a superset of the
> other, and if so, in which direction? If not, what does the
> Venn diagram look like?
>
>
> ETSI EN 319 401 is the first level and 411 (part 1) is built on
> top of 401. Here is a diagram available from the document ETSI TR
> 119 400
> (http://www.etsi.org/deliver/etsi_tr/119400_119499/119400/01.01.01_60/tr_119400v010101p.pdf)
>
> <image001.png>
>
> I hope it is clearer now.
>
> Dimitris.
>
>
>
>
>
> -Tim
>
> *From:* Govreform [mailto:govreform-bounces at cabforum.org] *On
> Behalf Of *Dimitris Zacharopoulos via Govreform
> *Sent:* Tuesday, February 6, 2018 12:10 PM
> *To:* Dean Coclin <dean.coclin at digicert.com>
> <mailto:dean.coclin at digicert.com>; CA/Browser Forum Governance
> WG List <govreform at cabforum.org> <mailto:govreform at cabforum.org>
> *Subject:* Re: [cabf_governance] Ballot 206 and documents
>
>
>
>
> On 6/2/2018 9:02 PM, Dean Coclin wrote:
>
> I’m still confused. The requirement from browsers is 411-1.
>
>
> But the new Bylaws are not only for Browsers :-)
>
> The Server Certificates WG will require ETSI EN 319 411-1 BUT
> IT SHOULD ALSO require not just WebTrust for CAs but also
> WebTrust for CAs Baseline and NetSec.
>
> Dimitris.
>
>
>
>
>
> *From:* Dimitris Zacharopoulos [mailto:jimmy at it.auth.gr]
> *Sent:* Tuesday, February 6, 2018 2:01 PM
> *To:* Dean Coclin <dean.coclin at digicert.com>
> <mailto:dean.coclin at digicert.com>; CA/Browser Forum
> Governance WG List <govreform at cabforum.org>
> <mailto:govreform at cabforum.org>
> *Subject:* Re: [cabf_governance] Ballot 206 and documents
>
>
>
>
> On 6/2/2018 8:15 PM, Dean Coclin wrote:
>
> Dimitris,
> We currently list ETSI 411-1. Why should we change to 401?
>
>
> 411-1 covers Baseline Requirements and Network Security
> Requirements, which is equal to WebTrust for CAs Baseline
> and NetSec.
> 401 covers similar items as WebTrust for CAs.
>
> Dimitris.
>
>
>
>
>
>
> Dean
>
> *From:* Govreform
> [mailto:govreform-bounces at cabforum.org] *On Behalf
> Of *Dimitris Zacharopoulos via Govreform
> *Sent:* Tuesday, February 6, 2018 12:16 PM
> *To:* Virginia Fournier <vfournier at apple.com>
> <mailto:vfournier at apple.com>
> *Cc:* CA/Browser Forum Governance WG
> List <govreform at cabforum.org>
> <mailto:govreform at cabforum.org>
> *Subject:* Re: [cabf_governance] Ballot 206 and documents
>
>
>
>
> On 6/2/2018 6:25 PM, Virginia Fournier wrote:
>
> Hi Dimitris,
>
> Would you please let us know what changes you’d
> propose to resolve the issues you’ve mentioned
> below? Your changes weren’t left out
> intentionally - we probably just missed your
> request. Thanks.
>
>
> Certainly. I have attached a red-lined version of the
> proposed changes on the
> "CABF-Bylaws-v.1.8_23-Jan-2018.doc" file, to align the
> ETSI audit criteria with WebTrust. I also made a small
> reference correction to the "Certificate Consumer"
> definition.
>
> However, I couldn't provide an easy language fix for
> the requirement 2.1 a, and I hope the WG will be able
> to discuss on a future call. I will try to highlight
> the problem and propose some language to resolve the loop.
>
> Here are the current definitions:
>
> _(1) "Certificate Issuer_: The member organization
> operates a certification authority that has a current
> and successful WebTrust for CAs audit or ETSI EN 319
> 401 audit report prepared by a properly-qualified
> auditor, is a member of a Working Group, and that
> actively issues certificates to end entities, such
> certificates being treated as valid by a Certificate
> Consumer Member. Applicants that are not actively
> issuing certificates but otherwise meet membership
> criteria may be granted Associate Member status under
> Bylaw Sec. 3.1 for a period of time to be designated
> by the Forum"
>
> _(2) _"_Root Certificate Issuer_: The member
> organization operates a certification authority that
> has a current and successful WebTrust for CAs, or ETSI
> EN 319 401 audit report prepared by a
> properly-qualified auditor, is a member of a Working
> Group, and that issues certificates to subordinate CAs
> that, in turn, actively issue certificates to end
> entities such certificates being treated as valid by a
> Certificate Consumer Member. Applicants that are not
> actively issuing certificates but otherwise meet
> membership criteria may be granted Associate Member
> status under Bylaw Sec. 3.1 for a period of time to be
> designated by the Forum. "
>
> _(3) _"_Certificate Consumer_: The member organization
> produces a software product, such as a browser,
> intended for use by the general public for relying
> upon certificates and is a member of a Working Group"
>
> First of all, since 2.1 talks about "qualifying for
> Forum Membership", which I understand to mean
> "Applicants", I propose we replace "member
> organization" with "applicant organization". In order to
> resolve the loop problem, perhaps the part of the
> "Certificate Consumer" definition that talks about
> software intended for use by the general public for
> relying upon certificates, should be included in the
> definitions of (1) and (2).
>
> Here is a suggestion for these definitions:
>
> _(1) "Certificate Issuer_: The applicant organization
> operates a certification authority that has a current
> and successful WebTrust for CAs audit or ETSI EN 319
> 401 audit report prepared by a properly-qualified
> auditor, is a member of a Working Group, and that
> actively issues certificates to end entities, such
> certificates being treated as valid by a software
> product, such as a browser, intended for use by the
> general public for relying upon certificates.
> Applicants that are not actively issuing certificates
> but otherwise meet membership criteria may be granted
> Associate Member status under Bylaw Sec. 3.1 for a
> period of time to be designated by the Forum"
>
> _(2) _"_Root Certificate Issuer_: The applicant
> organization operates a certification authority that
> has a current and successful WebTrust for CAs, or ETSI
> EN 319 401 audit report prepared by a
> properly-qualified auditor, is a member of a Working
> Group, and that issues certificates to subordinate CAs
> that, in turn, actively issue certificates to end
> entities such certificates being treated as valid by a
> software product, such as a browser, intended for use
> by the general public for relying upon
> certificates. Applicants that are not actively issuing
> certificates but otherwise meet membership criteria
> may be granted Associate Member status under Bylaw
> Sec. 3.1 for a period of time to be designated by the
> Forum. "
>
> _(3) _"_Certificate Consumer_: The applicant
> organization produces a software product, such as a
> browser, intended for use by the general public for
> relying upon certificates and is a member of a Working
> Group"
>
>
> Thank you,
> Dimitris.
>
>
>
>
>
>
> Virginia Fournier
> Sent from my iPhone
> Please excuse iTypos
>
>
> On Feb 6, 2018, at 12:14 AM, Dimitris
> Zacharopoulos <jimmy at it.auth.gr
> <mailto:jimmy at it.auth.gr>> wrote:
>
>
> Hello all,
>
> I reviewed the diffs and the proposed
> alignment between WebTrust and ETSI is not
> included in the proposed Bylaws draft (2.1a).
> I sent a proposal on Jan 9th
> (https://cabforum.org/pipermail/govreform/2018-January/000355.html)
> about the Server Certificate Working Group
> Charter but the concept is the same for the
> Bylaws.
>
> * If we include the requirement for
> "WebTrust for CAs" audit, then the
> equivalent ETSI audit should be "*ETSI EN
> 319 401*". This probably fits best for the
> Bylaws.
> * If we include the requirement for
> "WebTrust for CAs + WebTrust Baseline +
> NetSec " audit, then the equivalent ETSI
> audit should be "ETSI EN 319 411-1". This
> probably fits best for the Server
> Certificate Working Group Charter.
>
> The old ETSI TS standards should not be
> included in the new bylaws.
>
> I was also puzzled with the following
> requirement in the Bylaws (section 2.1a) "such
> certificates being treated as valid by a
> Certificate Consumer* Member*". So, if a CA
> issues Certificates for Digital Signatures
> which are trusted by Adobe and Adobe is not a
> Member of the Forum, then this CA doesn't meet
> the requirements. Is this a correct
> interpretation?
>
>
> Best regards,
> Dimitris.
>
>
> On 6/2/2018 9:15 AM, Virginia Fournier via
> Govreform wrote:
>
> Hi all,
>
>
> My apologies, I have a conflict for
> tomorrow’s meeting and will not be able to
> attend. I am sending what I hope are
> virtually final versions of the documents.
> I am sending diff files for the Bylaws
> and IPR policy, as the Word compare
> function will not cooperate. The diffs may
> be easier to read in the end anyway.
>
>
> As you may have seen from my email earlier
> today, we have to cut off any new
> issues, content, etc. from being added to
> the ballot so we can finalize it. From
> this point forward, we need to just review
> what we have, clean up typos or any errors
> in the ballot, and move it forward. With
> this in mind, I’d appreciate it if you’d
> review the documents attached/referenced
> below to see if there are any
> corrections/adjustments that need to be
> made. We can keep a list of additional
> issues that should be addressed for the
> next ballot.
>
>
> What is the status of the Server
> Certificate WG charter? I sent some
> comments to Dean/Ben - have you had
> a chance to look at those? We
> need the final version of that document
> also to complete the package.
>
>
> I’d like to send the documents out early
> next week and start
> an “informal” discussion period of 7 days
> next for any questions people may have.
> Does anyone see any obstacles to doing that?
>
>
> Here’s the diff for the Bylaws (all
> changes since version 1.7 shown).
>
>
> https://draftable.com/compare/JHYFfXWaHGRx
>
> Here’s the diff for the IPR Policy (all
> changes since version 1.2 shown):
>
> https://draftable.com/compare/QuHvYZiCAAUr
>
> Best regards,
>
> Virginia Fournier
> Senior Standards Counsel
> Apple Inc.
> ☏ 669-227-9595
> ✉︎ vmf at apple.com <mailto:vmf at apple.com>
>
> On Dec 21, 2017, at 11:19 AM, Virginia
> Fournier via Govreform
> <govreform at cabforum.org
> <mailto:govreform at cabforum.org>> wrote:
>
> Hello all,
>
> Here are the final documents for Ballot
> 206. Please confirm that you’re ready to
> go forward with them in January after the
> holidays. Please also let me know if you
> can open the Bylaws diff file. What is
> the status of the Server Certificate WG’s
> charter? Thanks for everyone’s hard work
> on this project.
>
> <CABF_Ballot206_20DEC17.docx>
> <CABF-IPR-Policy-v.1.3_20DEC17_clean.doc>
> <CABF-IPR-Policy-v.1.3_20DEC17_redline.doc>
> <CABF-Bylaws-v.1.8_20DEC17_clean.doc>
> <CABF-Governance Change FAQ_20DEC17.docx>
> <Bylaws DiffNow Comparison Report.htm>
>
> Best regards,
>
> Virginia Fournier
> Senior Standards Counsel
> Apple Inc.
> ☏ 669-227-9595
> ✉︎ vmf at apple.com <mailto:vmf at apple.com>
>
> _______________________________________________
> Govreform mailing list
> Govreform at cabforum.org
> <mailto:Govreform at cabforum.org>
> https://cabforum.org/mailman/listinfo/govreform