[cabfcert_policy] CA vs. CAO

Peter Bowen pzb at amzn.com
Wed Nov 23 11:21:26 MST 2016


I’ve done a first pass through the BRs and think that there are almost no changes required if we define a “CA” as an Issuer operated by a Certification Authority Operator that is identified by the combination of Distinguished Name and Key Pair.  That seems to fix almost all the ambiguity in the BRs.  There are very few places we seem to mean the organization as a whole.  I think the changes would be very small.

Thanks,
Peter

> On Nov 23, 2016, at 7:19 AM, Tim Hollebeek <THollebeek at trustwave.com> wrote:
> 
> Right.  That’s another argument against using TSP.  A TSP need not even be a CA, as they need not issue certificates.  I’m pretty sure many of the usages of CA in the BRs would be impossible to interpret or even nonsensical for an organization that doesn’t issue certificates.
>  
> Such an organization is not in scope for the BRs, of course, but it shows why using a looser definition could cause significant misunderstandings and doesn’t add any clarity.
>  
> -Tim
>  
> From: Dimitris Zacharopoulos [mailto:jimmy at it.auth.gr]
> Sent: Wednesday, November 23, 2016 7:20 AM
> To: Moudrick M. Dadashov; Peter Bowen; Tim Hollebeek
> Cc: policyreview at cabforum.org
> Subject: Re: [cabfcert_policy] CA vs. CAO
>  
> On 23/11/2016 2:04 PM, Moudrick M. Dadashov via Policyreview wrote:
> Hi Peter,
> 
> actually the term "Certification service provider" is no longer used and replaced by far more generic “Trust Service Provider”.
> 
> Thanks,
> M.D. 
> 
> 
> Right. The "specific meanings" in EU directives are actually quite broad :) Even if you only operate and offer Time Stamping services, you can be considered a TSP. The BRs give more elements to the "CA" term than what is used in other standards. This creates confusion which IMHO the term "TSP" has resolved. Normally, the "CA" would be a unit limited to exchanging information between other TSP units (for example RAs) and performing/managing all certificate cryptographic operations. That probably requires a separate discussion.
> 
> Dimitris.
> 
> 
> 
> On 11/22/2016 9:13 PM, Peter Bowen wrote:
> +1
>  
> It looks like “Certification Service Provider” and “Trust Service Provider” have specific meanings in EU directives and regulations, so I think we should avoid these terms.
>  
> On Nov 22, 2016, at 7:20 AM, Tim Hollebeek <THollebeek at trustwave.com> wrote:
>  
> I agree with this, though I would oppose TSP on the grounds that it introduces a potential for confusion between a European term that has a very specific meaning, and the more generic definition of a CA.
>  
> -Tim
>  
> From: Policyreview [mailto:policyreview-bounces at cabforum.org] On Behalf Of Dimitris Zacharopoulos
> Sent: Monday, November 21, 2016 4:11 PM
> To: Ben Wilson; policyreview at cabforum.org
> Subject: Re: [cabfcert_policy] CA vs. CAO
>  
> 
> First of all, sorry I missed the last call. This topic was discussed in previous F2F meetings and on several occasions. I believe that nobody wants to go over changing every document that has the term "CA" and change it to "CAO". If we are to do such a big change, I would vote to use the term "Trust Service Provider - TSP" in order to align with the European model.
> 
> The majority of the CAs and auditors have linked the term "CA" with an "organization". That's why it was agreed (on past meetings) that we will not try to change the meaning of the term "CA" to mean anything else but that of an organization. Instead, we would try to use this term consistently (to refer to an organization) and introduce changes to the other instances to mean something else. That would introduce fewer changes in the BRs and EV guidelines.
> 
> 
> Dimitris.
> 
> On 21/11/2016 10:47 PM, Ben Wilson wrote:
> On our most recent call, Peter Bowen and I again discussed use of “CA” vs. something else. (Back on May 5th I sent out a proposed “straw poll” to this group, but I don’t think I ever sent it to the public list.) Peter and I like the term “CA Operator” or abbreviated, “CAO”. The only downside, which is a big one – I’ll admit, is that the term “CA” seems to be used pervasively within the Forum and elsewhere to refer to the entity that operates a CA.
> Following our last call, I started to do a replacement of CA with CAO to see how it would look/work, but I stopped because there would be many instances to replace and I wanted to get more of a consensus from this group and potentially the public list.
> Thoughts?
> Ben
> 
> 
> 
> 
> _______________________________________________
> Policyreview mailing list
> Policyreview at cabforum.org
> https://cabforum.org/mailman/listinfo/policyreview
>  
>  
> 
> This transmission may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is strictly prohibited. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format.
