[cabfpub] Bylaw update proposal

kirk_hall at trendmicro.com
Tue Mar 24 16:56:18 MST 2015


Thanks, Iñigo – let me think about your suggestions more, but here is my initial reaction.

1.  Should we list specific WebTrust and ETSI audit requirements by their document names?  I would say yes, to avoid confusion.  If I am reading your edits below correctly, I think you are only asking for one audit - a Baseline Requirements audit and not a classic WebTrust audit – but the root programs require both (at least for CAs that use WebTrust).  We can continue to list the ETSI 102042 / 101046 audit numbers if they are still valid.  If you know what the new ETSI numbers will be, we can add them as well.  If you want to also include the names for these ETSI audit numbers, we can do that too.

The main point is that CA membership requirements should be the same as the trusted root program requirements, whether WebTrust or ETSI.

2.  I’m happy to add “accredited” after “properly-qualified” for auditors.

3.  You mentioned Peter Bowen’s extremely useful participation and suggested we need to make that kind of participation easier – I fully agree, but that is a separate issue (as Peter is not a CA, so won’t ever be a Member).  I believe Ryan is working on a plan so that Interested Parties like Peter and others can easily post to our lists, without the need for reposting – we support that.  But these issues do not impact our Bylaw changes for how CAs can become Members.

4.  As to what a new CA applicant should show the Forum as part of the application process (subsection (7) below) – I specifically listed certificates, CRLs, and OCSP links because they are the core requirements to show the CA “actively issues certificates,” which necessarily means the applicant must show it is allowing revocation checking (and we have typically looked at CRLs and OCSP responses anyway for new applicants).  I would not add things like CAA and CT, as those requirements are not as central to the question of whether the CA applicant “actively issues certificates” as CRLs/OCSP are.

Kirk
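
[Editor's note, not part of the thread.] Point 4 above concerns what a reviewer actually looks at when an applicant supplies "certificates, CRLs, and OCSP links": that the certificates chain to the applicant's CA and tell relying parties where to check revocation, and that the CRL at that location is genuinely the CA's and still current. The Go program below is an added example, not code from the Forum, Trend Micro or Izenpe, of that kind of check. It reads the CRL distribution points and OCSP responder URLs out of a certificate, verifies a CRL against the issuing CA's certificate (signature, crlSign key usage, nextUpdate) and looks a serial number up in it. Everything it operates on, the CA, the two server certificates, the CRL and the example.test URLs, is constructed in memory for illustration, so it runs offline and fetches nothing from any real CA.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// RevocationInfo is what a reviewer can read off an issued certificate: where
// relying parties are told to fetch a CRL and where to send OCSP requests.
type RevocationInfo struct {
	CRLURLs  []string
	OCSPURLs []string
}

// ExtractRevocationInfo returns the CRL distribution points and OCSP responder
// URLs carried by cert. A certificate with neither gives relying parties no
// way to check revocation, so that case is reported as an error.
func ExtractRevocationInfo(cert *x509.Certificate) (RevocationInfo, error) {
	info := RevocationInfo{CRLURLs: cert.CRLDistributionPoints, OCSPURLs: cert.OCSPServer}
	if len(info.CRLURLs) == 0 && len(info.OCSPURLs) == 0 {
		return info, errors.New("no CRL distribution point and no OCSP responder URL")
	}
	return info, nil
}

// CheckCRL verifies that a DER-encoded CRL is signed by issuer (which must
// carry the crlSign key usage) and is not past its nextUpdate at time now,
// then reports whether serial is listed in it.
func CheckCRL(issuer *x509.Certificate, crlDER []byte, serial *big.Int, now time.Time) (bool, error) {
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return false, fmt.Errorf("parse CRL: %w", err)
	}
	if err := crl.CheckSignatureFrom(issuer); err != nil {
		return false, fmt.Errorf("CRL does not verify against issuer: %w", err)
	}
	if now.After(crl.NextUpdate) {
		return false, errors.New("CRL is past its nextUpdate and must not be trusted")
	}
	for _, entry := range crl.RevokedCertificates {
		if entry.SerialNumber.Cmp(serial) == 0 {
			return true, nil
		}
	}
	return false, nil
}

// BuildFixture constructs, in memory and for illustration only, a self-signed
// issuing CA, two server certificates it issued, and a CRL revoking the second.
// The example.test URLs are placeholders (assumed), not a real CA's endpoints.
func BuildFixture() (ca, good, revoked *x509.Certificate, crlDER []byte, err error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, nil, nil, err
	}
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Issuing CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(48 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, nil, nil, err
	}
	// Re-parse: the parsed copy carries the generated SubjectKeyId that CRL creation needs.
	if ca, err = x509.ParseCertificate(caDER); err != nil {
		return nil, nil, nil, nil, err
	}
	issue := func(serial int64, host string) (*x509.Certificate, error) {
		leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
		if err != nil {
			return nil, err
		}
		tmpl := &x509.Certificate{
			SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: host}, DNSNames: []string{host},
			NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
			KeyUsage:              x509.KeyUsageDigitalSignature,
			CRLDistributionPoints: []string{"http://crl.example.test/issuing.crl"}, // assumed
			OCSPServer:            []string{"http://ocsp.example.test"},            // assumed
		}
		der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &leafKey.PublicKey, caKey)
		if err != nil {
			return nil, err
		}
		return x509.ParseCertificate(der)
	}
	if good, err = issue(1001, "good.example.test"); err != nil {
		return nil, nil, nil, nil, err
	}
	if revoked, err = issue(1002, "revoked.example.test"); err != nil {
		return nil, nil, nil, nil, err
	}
	crlTmpl := &x509.RevocationList{
		Number: big.NewInt(7), ThisUpdate: now, NextUpdate: now.Add(24 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: revoked.SerialNumber, RevocationTime: now}},
	}
	crlDER, err = x509.CreateRevocationList(rand.Reader, crlTmpl, ca, caKey)
	return ca, good, revoked, crlDER, err
}

func main() {
	ca, good, revoked, crlDER, err := BuildFixture()
	if err != nil {
		panic(err)
	}
	for _, leaf := range []*x509.Certificate{good, revoked} {
		info, infoErr := ExtractRevocationInfo(leaf)
		isRevoked, crlErr := CheckCRL(ca, crlDER, leaf.SerialNumber, time.Now())
		fmt.Printf("%s: chains=%v CRL=%v OCSP=%v (%v) revoked=%v (%v)\n", leaf.Subject.CommonName,
			leaf.CheckSignatureFrom(ca) == nil, info.CRLURLs, info.OCSPURLs, infoErr, isRevoked, crlErr)
	}
}
```

Against a real applicant the two DER inputs would come from the links supplied under subsection (b)(7) rather than from BuildFixture; the checks themselves do not change. The nextUpdate test matters in practice: a CRL that verifies but is stale is exactly what a CA that has stopped actively operating would still be serving.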

From: i-barreira at izenpe.net [mailto:i-barreira at izenpe.net]
Sent: Tuesday, March 24, 2015 3:42 AM
To: Kirk Hall (RD-US); public at cabforum.org
Subject: RE: [cabfpub] Bylaw update proposal

Kirk,

Inline my suggestions


Iñigo Barreira
Head of the Technical Area
i-barreira at izenpe.net
945067705

ATTENTION! Part or all of this message may be legally protected. The message has its intended recipient. If it has reached the wrong address (address mistyped, transmission failure), notify the sender by replying to this email. CAUTION!
ATTENTION! This message contains privileged or confidential information that only the addressee is entitled to access. If you receive it by mistake, we would be grateful if you did not make use of the information and contacted the sender.

From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On behalf of kirk_hall at trendmicro.com
Sent: Tuesday, 24 March 2015 2:11
To: CABFPub (public at cabforum.org)
Subject: [cabfpub] Bylaw update proposal

Dean – funny you should bring up the membership rules in the Bylaws.  I have just incorporated the comments from our recent face to face meeting in the revised text below, and would like to present it for discussion as a pre-ballot.  It incorporates the issue you have just raised.

Here is my revised proposal for revising Bylaw 2.1:

2.1  Qualifying for Forum Membership

(a) CA/Browser Forum members shall meet at least one of the following criteria.

(1) Issuing CA: The member organization operates a certification authority that has a current and successful WebTrust for CAs audit Trust Service Principles and Criteria for Certification Authorities and WebTrust Principles and Criteria for Certification Authorities – CABF SSL Baseline requirements with Network Security audit, based on WebTrust or ETSI 102042 or ETSI 101456 equivalent audit reports prepared by a properly-qualified or accredited auditor, and that actively issues certificates to Web servers that are openly accessible from the Internet using any one of the mainstream browsers.  Applicants that are not actively issuing certificates but otherwise meet membership criteria may be granted Interested Party status for a period of time and participate in meetings, teleconferences, and Member mailing lists, but may not propose or endorse ballots or vote.

(2) Root CA: The member organization operates a certification authority that has a current and successful WebTrust for CAs audit Trust Service Principles and Criteria for Certification Authorities and WebTrust Principles and Criteria for Certification Authorities – CABF SSL Baseline requirements with Network Security audit, based on WebTrust or ETSI 102042 or ETSI 101456 equivalent audit reports prepared by a properly-qualified or accredited auditor, and that actively issues certificates to subordinate CAs that, in turn, actively issue certificates to Web servers that are openly accessible from the Internet using any one of the mainstream browsers.  Applicants that are not actively issuing certificates but otherwise meet membership criteria may be granted Interested Party status for a period of time and participate in meetings, teleconferences, and Member mailing lists, but may not propose or endorse ballots or vote.

(3) Browser: The member organization produces a software product intended for use by the general public for browsing the Web securely.

(b) Applicants should supply the following information:

(1) Confirmation that the applicant satisfies at least one of the membership criteria (and if it satisfies more than one, indication of the single category under which the applicant wishes to apply).

(2) URL of the current qualifying performance audit report.

(3) The organization name, as you wish it to appear on the Forum Web site and in official Forum documents.

(4) URL of the applicant's main Web site.

(5) Names and email addresses of employees who will participate in the Forum mail list.

(6) Emergency contact information for security issues related to certificate trust.

(7) Links or references to issued certificates that demonstrate compliance with all applicable certificate, CRL, and OCSP requirements.

(c) An Applicant shall become a Member once the Forum has determined by vote consensus among the Members during a teleconference or meeting that the Applicant meets all of the requirements of subsection (a) or, upon the request of any Member, by a Ballot among the Members. A vote of Acceptance by consensus shall be determined or a Ballot of the Members shall be held as soon as the Applicant indicates that it has presented all information required under subsection (b) and has responded to all follow-up questions from the Forum and the Member has complied with the requirements of Section 5.5.


Explanation of Bylaw amendments

The amendments do the following (for WebTrust, please read in “or ETSI equivalent”):

1.  Update the old name of WebTrust for CAs to the new name. To be fair, WebTrust should not be so explicit when we just say “ETSI equivalent”, giving it less importance. I've removed the whole title of the WebTrust.
2.  Add the requirement of a BR WebTrust audit (since no CA can issue SSL certs today without one, and the BRs are the most important product of the Forum to date – why would a CA want to join the Forum if it can’t or won’t follow the BRs and get a BR WebTrust audit?  Why would we want that CA as a CA Member?)  Again, you're always focusing on WebTrust. This should be independent of whatever audit certification is used.

There was some discussion that CAs without a BR WebTrust might want to participate anyway – I doubt that, but they can comment on the public list and join working groups.  There was also discussion that CAs that only issue code signing certs don’t need a BR WebTrust audit under browser rules – to date, no CA issuing only code signing certs has applied to be a Member, so maybe we just wait to see if this ever happens.

The certification requirement is imposed by the browser root programs, but being a member of the CABF does not need to follow the same rules. I'd leave it open, even though I've included in the text that it has to be certified, just to follow the current text. In any case, I'm not opposed, but I think it is a little bit strange or ridiculous to include messages from Peter Bowen all the time saying “posted with permission” or “forwarded with permission”, because in the end we're treating them as if they were posted by any member.

3.  I was told our old ETSI numbers are no longer valid.  To deal with this into the future, I have changed the language above to “or ETSI equivalent” so the reference will always be valid.
The ETSI numbers are still valid; what I've said is that they are going to change. But again, you're unfair to ETSI: you don't mind indicating the whole title of the WebTrust document but not the ETSI one. To be fair, I've just indicated WebTrust or ETSI; I think this is enough. If more detail is needed, then we should include the whole text for both, not just one. The CABF is not only US-centric.

4.  Instead of giving a new CA “observer” status, which is not defined, I followed the suggestion to give the new CA “Interested Party” status, which is defined at Bylaw 3.1.  We get to define the level of participation of various Interested Parties, so we could allow a new CA to participate (but not vote) on all conference calls, meetings, and mail lists, the same as we do for WebTrust and ETSI representatives.

5.  I added the following as an additional item of information that new CAs would have to submit to apply for membership:  “Links or references to issued certificates that demonstrate compliance with all applicable certificate, CRL, and OCSP requirements.”  That is similar to what you were seeking.
Not sure about including the CRL and OCSP requirements, because there are some others that also “apply” or will apply, like CT, CAA, … Are we sure that we want to include specific terms instead of saying, for example, “status checking requirements”? This way, all of them apply more or less.

6.  Finally, I clarified that new members could be accepted by consensus during a teleconference or meeting of the Members, but that any Member could request a Ballot on acceptance (so if a Member objected, it could take the matter to a vote).  This is roughly what we have been doing.

I welcome comments.

Kirk R. Hall
Operations Director, Trust Services
Trend Micro
+1.503.753.3088




TREND MICRO EMAIL NOTICE
The information contained in this email and any attachments is confidential
and may be subject to copyright or other intellectual property protection.
If you are not the intended recipient, you are not authorized to use or
disclose this information, and we request that you notify us by reply mail or
telephone and delete the original message from your mail system.