[cabfpub] Bylaw update proposal

i-barreira at izenpe.net i-barreira at izenpe.net
Tue Mar 24 03:42:16 MST 2015 

Kirk,

 

Inline my suggestions

 

 

Iñigo Barreira
Responsable del Área técnica
i-barreira at izenpe.net

945067705

 

 

ERNE! Baliteke mezu honen zatiren bat edo mezu osoa legez babestuta egotea. Mezua badu bere hartzailea. Okerreko helbidera heldu bada (helbidea gaizki idatzi, transmisioak huts egin) eman abisu igorleari, korreo honi erantzuna. KONTUZ!
ATENCION! Este mensaje contiene informacion privilegiada o confidencial a la que solo tiene derecho a acceder el destinatario. Si usted lo recibe por error le agradeceriamos que no hiciera uso de la informacion y que se pusiese en contacto con el remitente.

 

De: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] En nombre de kirk_hall at trendmicro.com
Enviado el: martes, 24 de marzo de 2015 2:11
Para: CABFPub (public at cabforum.org)
Asunto: [cabfpub] Bylaw update proposal

 

Dean – funny you should bring up the membership rules in the Bylaws.  I have just incorporated the comments from our recent face to face meeting in the revised text below, and would like to present it for discussion as a pre-ballot.  It incorporates the issue you have just raised.

 

Here is my revised proposal for revising Bylaw 2.1:

 

2.1  Qualifying for Forum Membership

 

(a) CA/Browser Forum members shall meet at least one of the following criteria.

 

(1) Issuing CA: The member organization operates a certification authority that has a current and successful WebTrust for CAs audit Trust Service Principles and Criteria for Certification Authorities and WebTrust Principles and Criteria for Certification Authorities – CABF  SSL Baseline requirements with Network Security audit, based on WebTrust or ETSI 102042 or ETSI 101456 equivalent audit reports prepared by a properly-qualified or accredited auditor, and that actively issues certificates to Web servers that are openly accessible from the Internet using any one of the mainstream browsers.  Applicants that are not actively issuing certificates but otherwise meet membership criteria may be granted Interested Party status for a period of time and participate in meetings, teleconferences, and Member mailing lists, but may not propose or endorse ballots or vote.

 

(2) Root CA: The member organization operates a certification authority that has a current and successful WebTrust for CAs audit Trust Service Principles and Criteria for Certification Authorities and WebTrust Principles and Criteria for Certification Authorities – CABF SSL Baseline requirements with Network Security audit, based on WebTrust or ETSI 102042 or ETSI 101456 equivalent audit reports prepared by a properly-qualified or accredited auditor, and that actively issues certificates to subordinate CAs that, in turn, actively issue certificates to Web servers that are openly accessible from the Internet using any one of the mainstream browsers.  Applicants that are not actively issuing certificates but otherwise meet membership criteria may be granted Interested Party status for a period of time and participate in meetings, teleconferences, and Member mailing lists, but may not propose or endorse ballots or vote.

 

(3) Browser: The member organization produces a software product intended for use by the general public for browsing the Web securely.

 

(b) Applicants should supply the following information:

 

(1) Confirmation that the applicant satisfies at least one of the membership criteria (and if it satisfies more than one, indication of the single category under which the applicant wishes to apply).

 

(2) URL of the current qualifying performance audit report.

 

(3) The organization name, as you wish it to appear on the Forum Web site and in official Forum documents.

 

(4) URL of the applicant's main Web site.

 

(5) Names and email addresses of employees who will participate in the Forum mail list. 

 

(6) Emergency contact information for security issues related to certificate trust.

 

(7) Links or references to issued certificates that demonstrate compliance with all applicable certificate, CRL, and OCSP requirements.

 

(c) An Applicant shall become a Member once the Forum has determined by vote consensus among the Members during a teleconference or meeting that the Applicant meets all of the requirements of subsection (a) or, upon the request of any Member, by a Ballot among the Members. A vote of Acceptance by consensus shall be determined or a Ballot of the Members shall be held as soon as the Applicant indicates that it has presented all information required under subsection (b) and has responded to all follow-up questions from the Forum and the Member has complied with the requirements of Section 5.5.

 

 

Explanation of Bylaw amendments

 

The amendments do the following (for WebTrust, please read in “or ETSI equivalent”):

 

1.  Update the old name of WebTrust for CAs to the new name. To be fair not WebTrust should be so explicit and just say ETSI equivalent giving less importance. I´ve removed the whole title of the Webtrust.

2.  Add the requirement of a BR WebTrust audit (since no CA can issue SSL certs today without one, and the BRs are the most important product of the Forum to date – why would a CA want to join the Forum if it can’t or won’t follow the BRs and get a BR WebTrust audit?  Why would we want that CA as a CA Member?)  Again, you´re always focusing on Webtrust. This should be independent of whatever audit certification.

 

There was some discussion that CAs without a BR WebTrust might want to participate anyway – I doubt that, but they can comment on the public list and join working groups.  There was also discussion that CAs that only issue code signing certs don’t need a BR WebTrust audit under browser rules – to date, no CA issuing only code signing certs has applied to be a Member, so maybe we just wait to see if this ever happens.

 

The requirement of the certification is done by the browser root programs but being a member of the CABF does not need to follow the same rules. I´d leave it open even I´ve included in the text that has to be certified just to follow the current text. In any case, I´m not opposed but I think is a little bit strange or ridiculous including messages from Peter Bowen all the time saying “posted with permission” or “forwarded with permission”, because at the end, we´re treating them as they were posted by any member.

 

3.  I was told our old ETSI numbers are no longer valid.  To deal with this into the future, I have changed the language above to “or ETSI equivalent” so the reference will always be valid.

The ETSI numbers are still valid, what I´ve said is that they are going to change. But again, you´re unfair with ETSI, don´t mind indicating the whole title of the Webtrust document but not the ETSI one. To be fair, I´ve just indicated Webtrust or ETSI, I think this is enough. If more detailed is needed, then, we should include the whole text for both not just one. The CABF is not only US centric.

 

4.  Instead of giving a new CA “observer” status, which is not defined, I followed the suggestion to give the new CA “Interested Party” status, which is defined at Bylaw 3.1.  We get to define the level of participation of various Interested Parties, so we could allow a new CA to participate (but not vote) on all conference calls, meetings, and mail lists, the same as we do for WebTrust and ETSI representatives.

 

5.  I added the following as an additional item of information that new CAs would have to submit to apply for membership:  “Links or references to issued certificates that demonstrate compliance with all applicable certificate, CRL, and OCSP requirements.”  That is similar to what you were seeking.

Not sure to include the CRL and OCSP requirements, because there are some others that also “apply” or will apply, like CT, CAA, … Are we sure that we want to include terms instead of saying the for example, “status checking requirements”? This way, all of them apply more or less.

 

6.  Finally, I clarified that new members could be accepted by consensus during a teleconference of meeting of the Members, but that any Member could request a Ballot on acceptance (so if a Member objected, it could take the matter to a vote).  This is roughly what we have been doing.

 

I welcome comments.

 

Kirk R. Hall

Operations Director, Trust Services

Trend Micro

+1.503.753.3088

 

 
TREND MICRO EMAIL NOTICE
The information contained in this email and any attachments is confidential 
and may be subject to copyright or other intellectual property protection. 
If you are not the intended recipient, you are not authorized to use or 
disclose this information, and we request that you notify us by reply mail or
telephone and delete the original message from your mail system.

 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://cabforum.org/pipermail/public/attachments/20150324/222c8784/attachment-0001.html 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image001.png
Type: image/png
Size: 19121 bytes
Desc: image001.png
Url : https://cabforum.org/pipermail/public/attachments/20150324/222c8784/attachment-0001.png

More information about the Public mailing list