[cabfpub] New Server Certificate Working Group

Adriano Santoni adriano.santoni at staff.aruba.it
Tue Jul 3 06:40:52 UTC 2018


Hi Kirk,

based on these definitions, it seems to me that most CAs among CABF 
members fall into both categories.

What is the purpose of distinguishing between the two, after all?

Adriano



Il 03/07/2018 01:30, Kirk Hall via Public ha scritto:
>
> I would look again at the definitions on the two different ways to 
> participate as a CA.
>
> My guess is that CAs who have and use their own trusted roots will 
> choose (2) Root Certificate Issuer, while CAs who do not have their 
> own trusted roots will choose (1) Certificate Issuer, but I’m not sure 
> on that.  The only reason why we are asking Members to declare their 
> status is just so everyone can know and can confirm that the Member 
> meets the membership qualifications.
>
> (1) Certificate Issuer: The member organization operates a 
> certification authority that has a current and successful WebTrust for 
> CAs audit, or ETSI TS 102042, ETSI 101456, or ETSI EN 319 411-1 audit 
> report prepared by a properly-qualified auditor, *_and that actively 
> issues certificates to Web servers that are openly accessible from the 
> Internet_*, such certificates being treated as valid when using a 
> browser created by a Certificate Consumer Member. Applicants that are 
> not actively issuing certificates but otherwise meet membership 
> criteria may be granted Associate Member status under Bylaw Sec. 3.1 
> for a period of time to be designated by the Forum.
>
> (2) Root Certificate Issuer: The member organization operates a 
> certification authority that has a current and successful WebTrust for 
> CAs, or ETSI TS 102042, ETSI TS 101456, ETSI EN 319 411-1 audit report 
> prepared by a properly-qualified auditor, *_and that actively issues 
> certificates to subordinate CAs that, in turn, actively issue 
> certificates to Web servers_* that are openly accessible from the 
> Internet, such certificates being treated as valid when using a 
> browser created by a Certificate Consumer Member. Applicants that are 
> not actively issuing certificates but otherwise meet membership 
> criteria may be granted Associate Member status under Bylaw Sec. 3.1 
> for a period of time to be designated by the Forum.
>
> *From:* Peter Miškovič [mailto:Peter.Miskovic at disig.sk]
> *Sent:* Monday, July 2, 2018 2:34 AM
> *To:* Kirk Hall <Kirk.Hall at entrustdatacard.com>
> *Cc:* CA/Browser Forum Public Discussion List <public at cabforum.org>; 
> Ben Wilson <ben.wilson at digicert.com>
> *Subject:* [EXTERNAL]RE: New Server Certificate Working Group
>
> Hi Kirk,
>
> could you explain to me difference between (1) and (2)? We are CA 
> which issue subordinate CAs for our own purpose and from them actively 
> issues certificates to Web servers. Am I right if I suppose that we 
> are “Root Certificate Issuer” and not only “Certificate Issuer”.
>
> Thanks.
>
> Regards
>
> Peter
>
> *From:* Public <public-bounces at cabforum.org 
> <mailto:public-bounces at cabforum.org>> *On Behalf Of *Kirk Hall via Public
> *Sent:* Saturday, June 30, 2018 12:26 AM
> *To:* Ben Wilson <ben.wilson at digicert.com 
> <mailto:ben.wilson at digicert.com>>; CABFPub <public at cabforum.org 
> <mailto:public at cabforum.org>>
> *Subject:* Re: [cabfpub] New Server Certificate Working Group
>
> Ben, on the wiki page you created, _can you add a column_ between the 
> column “Date of Declaration” and the column “Date of Withdrawal” and 
> label it “Type”.  Then maybe put on the page at the top a _guide to 
> the three types of Members and the one type of Associate member_, 
> something like this:
>
> Type
>
> 1 = Certificate Issuer
>
> 2 = Root Certificate Issuer
>
> 3 = Certificate Consumer
>
> 4 = Associate Member
>
> We probably should also _post these definitions_ on the wiki page from 
> the Server Certificate Working Group Charter to remind people what the 
> terms mean.
>
> (1) Certificate Issuer: The member organization operates a 
> certification authority that has a current and successful WebTrust for 
> CAs audit, or ETSI TS 102042, ETSI 101456, or ETSI EN 319 411-1 audit 
> report prepared by a properly-qualified auditor, and that actively 
> issues certificates to Web servers that are openly accessible from the 
> Internet, such certificates being treated as valid when using a 
> browser created by a Certificate Consumer Member. Applicants that are 
> not actively issuing certificates but otherwise meet membership 
> criteria may be granted Associate Member status under Bylaw Sec. 3.1 
> for a period of time to be designated by the Forum.
>
> (2) Root Certificate Issuer: The member organization operates a 
> certification authority that has a current and successful WebTrust for 
> CAs, or ETSI TS 102042, ETSI TS 101456, ETSI EN 319 411-1 audit report 
> prepared by a properly-qualified auditor, and that actively issues 
> certificates to subordinate CAs that, in turn, actively issue 
> certificates to Web servers that are openly accessible from the 
> Internet, such certificates being treated as valid when using a 
> browser created by a Certificate Consumer Member. Applicants that are 
> not actively issuing certificates but otherwise meet membership 
> criteria may be granted Associate Member status under Bylaw Sec. 3.1 
> for a period of time to be designated by the Forum.
>
> (3) A Certificate Consumer can participate in this Working Group if it 
> produces a software product intended for use by the general public for 
> browsing the Web securely.
>
> *From:* Ben Wilson [mailto:ben.wilson at digicert.com]
> *Sent:* Friday, June 29, 2018 10:24 AM
> *To:* CABFPub <public at cabforum.org <mailto:public at cabforum.org>>
> *Cc:* Kirk Hall <Kirk.Hall at entrustdatacard.com 
> <mailto:Kirk.Hall at entrustdatacard.com>>
> *Subject:* [EXTERNAL]New Server Certificate Working Group
>
> Hi All,
>
> As Kirk mentioned during the teleconference call yesterday, we are in 
> the process of spinning up the Server Certificate Working Group and 
> will hold our first meeting on July 12.  Kirk and I will be sending 
> out a more formal announcement of that meeting and solicitation for 
> participation.
>
> However, given that the new Bylaws come into effect early next week, I 
> felt it was important that we start the transition before then. I 
> propose that the Forum’s mechanism for formally declaring 
> participation in the Server Certificate Working Group be that existing 
> members and interested parties (who have signed the Agreement for IPR 
> Policy v. 1.3) send an email to Kirk and me, respectively as Chair and 
> Vice-Chair of the WG, and formally declare their participation in the 
> WG. (I had contemplated that everyone might send their email to the 
> public list, but I felt that all of those emails might clutter your 
> inboxes.)
>
> As a follow up task to this declaration, I’d ask that CABF members 
> list the name of their organization here 
> https://cabforum.org/wiki/Server%20Certificate%20Working%20Group. If 
> you are an interested party, we will add your name as a participant 
> when we receive your email.
>
> Also, everyone is welcome to subscribe to the WG’s mailing list here - 
> https://cabforum.org/mailman/listinfo/servercert-wg.
>
> Thanks,
>
> Ben
>
>
>
> _______________________________________________
> Public mailing list
> Public at cabforum.org
> https://cabforum.org/mailman/listinfo/public

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20180703/33fa3c6b/attachment-0003.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4025 bytes
Desc: Firma crittografica S/MIME
URL: <http://lists.cabforum.org/pipermail/public/attachments/20180703/33fa3c6b/attachment-0003.p7s>


More information about the Public mailing list