[cabfpub] New Server Certificate Working Group
Dimitris Zacharopoulos
jimmy at it.auth.gr
Tue Jul 3 13:02:12 UTC 2018
On 3/7/2018 3:36 PM, Tim Hollebeek via Public wrote:
>
> This was discussed on the Governance Reform Working Group, and as I
> recall, most people agree the distinction probably isn’t useful and is
> a historical artifact. But there wasn’t enough motivation to scrap it.
>
>
>
> It is intended to support the notion of a company that operates a root
> and signs other CA certificates, but doesn’t issue end entity
> certificates itself. Such a company is a Root Certificate Issuer but
> not a Certificate Issuer.
>
>
>
In addition to that, a company might be operating only a SubCA that they
have obtained from another company that operates a RootCA. These
companies are also entitled to become Members as a "Certificate Issuer".
Dimitris.
> -Tim
>
>
>
> *From:* Public [mailto:public-bounces at cabforum.org] *On Behalf Of* Adriano Santoni via Public
> *Sent:* Tuesday, July 3, 2018 2:41 AM
> *To:* public at cabforum.org
> *Subject:* Re: [cabfpub] New Server Certificate Working Group
>
>
>
> Hi Kirk,
>
> based on these definitions, it seems to me that most CAs among CABF
> members fall into both categories.
>
> What is the purpose of distinguishing between the two, after all?
>
> Adriano
>
>
>
>
>
> On 03/07/2018 01:30, Kirk Hall via Public wrote:
>
> I would look again at the definitions on the two different ways to
> participate as a CA.
>
>
>
> My guess is that CAs who have and use their own trusted roots will
> choose (2) Root Certificate Issuer, while CAs who do not have
> their own trusted roots will choose (1) Certificate Issuer, but
> I’m not sure on that. The only reason why we are asking Members
> to declare their status is just so everyone can know and can
> confirm that the Member meets the membership qualifications.
>
>
>
> (1) Certificate Issuer: The member organization operates a
> certification authority that has a current and successful WebTrust
> for CAs audit, or ETSI TS 102042, ETSI 101456, or ETSI EN 319
> 411-1 audit report prepared by a properly-qualified auditor, *_and
> that actively issues certificates to Web servers that are openly
> accessible from the Internet_*, such certificates being treated as
> valid when using a browser created by a Certificate Consumer
> Member. Applicants that are not actively issuing certificates but
> otherwise meet membership criteria may be granted Associate Member
> status under Bylaw Sec. 3.1 for a period of time to be designated
> by the Forum.
>
>
>
> (2) Root Certificate Issuer: The member organization operates a
> certification authority that has a current and successful WebTrust
> for CAs, or ETSI TS 102042, ETSI TS 101456, ETSI EN 319 411-1
> audit report prepared by a properly-qualified auditor, *_and that
> actively issues certificates to subordinate CAs that, in turn,
> actively issue certificates to Web servers_* that are openly
> accessible from the Internet, such certificates being treated as
> valid when using a browser created by a Certificate Consumer
> Member. Applicants that are not actively issuing certificates but
> otherwise meet membership criteria may be granted Associate Member
> status under Bylaw Sec. 3.1 for a period of time to be designated
> by the Forum.
>
>
>
>
>
> *From:* Peter Miškovič [mailto:Peter.Miskovic at disig.sk]
> *Sent:* Monday, July 2, 2018 2:34 AM
> *To:* Kirk Hall <Kirk.Hall at entrustdatacard.com>
> *Cc:* CA/Browser Forum Public Discussion List <public at cabforum.org>; Ben Wilson <ben.wilson at digicert.com>
> *Subject:* [EXTERNAL]RE: New Server Certificate Working Group
>
>
>
> Hi Kirk,
>
> could you explain to me the difference between (1) and (2)? We are a CA
> which issues subordinate CAs for our own purpose and from them
> actively issues certificates to Web servers. Am I right if
> I suppose that we are “Root Certificate Issuer” and not only
> “Certificate Issuer”?
>
> Thanks.
>
>
>
> Regards
>
> Peter
>
>
>
>
>
>
>
> *From:* Public <public-bounces at cabforum.org> *On Behalf Of* Kirk Hall via Public
> *Sent:* Saturday, June 30, 2018 12:26 AM
> *To:* Ben Wilson <ben.wilson at digicert.com>; CABFPub <public at cabforum.org>
> *Subject:* Re: [cabfpub] New Server Certificate Working Group
>
>
>
> Ben, on the wiki page you created, _can you add a column_ between
> the column “Date of Declaration” and the column “Date of
> Withdrawal” and label it “Type”. Then maybe put on the page at
> the top a _guide to the three types of Members and the one type of
> Associate member_, something like this:
>
>
>
> Type
>
> 1 = Certificate Issuer
>
> 2 = Root Certificate Issuer
>
> 3 = Certificate Consumer
>
> 4 = Associate Member
>
>
>
> We probably should also _post these definitions_ on the wiki page
> from the Server Certificate Working Group Charter to remind people
> what the terms mean.
>
>
>
> (1) Certificate Issuer: The member organization operates a
> certification authority that has a current and successful WebTrust
> for CAs audit, or ETSI TS 102042, ETSI 101456, or ETSI EN 319
> 411-1 audit report prepared by a properly-qualified auditor, and
> that actively issues certificates to Web servers that are openly
> accessible from the Internet, such certificates being treated as
> valid when using a browser created by a Certificate Consumer
> Member. Applicants that are not actively issuing certificates but
> otherwise meet membership criteria may be granted Associate Member
> status under Bylaw Sec. 3.1 for a period of time to be designated
> by the Forum.
>
>
>
> (2) Root Certificate Issuer: The member organization operates a
> certification authority that has a current and successful WebTrust
> for CAs, or ETSI TS 102042, ETSI TS 101456, ETSI EN 319 411-1
> audit report prepared by a properly-qualified auditor, and that
> actively issues certificates to subordinate CAs that, in turn,
> actively issue certificates to Web servers that are openly
> accessible from the Internet, such certificates being treated as
> valid when using a browser created by a Certificate Consumer
> Member. Applicants that are not actively issuing certificates but
> otherwise meet membership criteria may be granted Associate Member
> status under Bylaw Sec. 3.1 for a period of time to be designated
> by the Forum.
>
>
>
> (3) A Certificate Consumer can participate in this Working Group
> if it produces a software product intended for use by the general
> public for browsing the Web securely.
>
>
>
>
>
>
>
> *From:* Ben Wilson [mailto:ben.wilson at digicert.com]
> *Sent:* Friday, June 29, 2018 10:24 AM
> *To:* CABFPub <public at cabforum.org>
> *Cc:* Kirk Hall <Kirk.Hall at entrustdatacard.com>
> *Subject:* [EXTERNAL]New Server Certificate Working Group
>
>
>
> Hi All,
>
>
>
> As Kirk mentioned during the teleconference call yesterday, we are
> in the process of spinning up the Server Certificate Working Group
> and will hold our first meeting on July 12. Kirk and I will be
> sending out a more formal announcement of that meeting and
> solicitation for participation.
>
>
>
> However, given that the new Bylaws come into effect early next
> week, I felt it was important that we start the transition before
> then. I propose that the Forum’s mechanism for formally declaring
> participation in the Server Certificate Working Group be that
> existing members and interested parties (who have signed the
> Agreement for IPR Policy v. 1.3) send an email to Kirk and me,
> respectively as Chair and Vice-Chair of the WG, and formally
> declare their participation in the WG. (I had contemplated that
> everyone might send their email to the public list, but I felt
> that all of those emails might clutter your inboxes.)
>
>
>
> As a follow up task to this declaration, I’d ask that CABF members
> list the name of their organization here
> <https://cabforum.org/wiki/Server%20Certificate%20Working%20Group>.
> If you are an interested party, we will add your name as a
> participant when we receive your email.
>
>
>
> Also, everyone is welcome to subscribe to the WG’s mailing list
> here - <https://cabforum.org/mailman/listinfo/servercert-wg>.
>
>
>
>
> Thanks,
>
>
>
> Ben
>
>
>
>
> _______________________________________________
>
> Public mailing list
>
> Public at cabforum.org
>
> https://cabforum.org/mailman/listinfo/public