[cabfpub] New Server Certificate Working Group

Ryan Sleevi sleevi at google.com
Tue Jul 3 14:10:57 UTC 2018


There's a distinction between can and is. These two capture very different
states, in which the "Root Certificate Issuer" encompasses what we
traditionally call "Super-CAs" in the Mozilla terminology.

If the suggestion is that a Super-CA needs to start issuing to end-entities
to join the Forum, that's a step back.
If the suggestion is that a Super-CA can't join the Forum, that's a step
back.

Thus, if you seek to scrap it without doing harm, it's not actually
scrapped - it's just no longer split out into two definitions, but one
unified definition that... allows for both cases. Thus it doesn't really
achieve anything.

On Tue, Jul 3, 2018 at 9:14 AM Tim Hollebeek via Public <public at cabforum.org>
wrote:

> Right, the proposal was to scrap Root Certificate Issuer, since any such
> entity can be a Certificate Issuer if it chooses to do so, and almost all
> do for obvious reasons.
>
>
>
> We actually started down that path a bit before abandoning it.
>
>
>
> -Tim
>
>
>
> *From:* Dimitris Zacharopoulos [mailto:jimmy at it.auth.gr]
> *Sent:* Tuesday, July 3, 2018 9:02 AM
> *To:* Adriano Santoni <adriano.santoni at staff.aruba.it>
> *Cc:* Tim Hollebeek <tim.hollebeek at digicert.com>; CA/Browser Forum Public
> Discussion List <public at cabforum.org>
> *Subject:* Re: [cabfpub] New Server Certificate Working Group
>
>
>
>
>
> On 3/7/2018 3:36 μμ, Tim Hollebeek via Public wrote:
>
> This was discussed on the Governance Reform Working Group, and as I
> recall, most people agree the distinction probably isn’t useful and is a
> historical artifact.  But there wasn’t enough motivation to scrap it.
>
>
>
> It is intended to support the notion of a company that operates a root and
> signs other CA certificates, but doesn’t issue end entity certificates
> itself.  Such a company is a Root Certificate Issuer but not a Certificate
> Issuer.
>
>
>
>
> In addition to that, a company might be operating only a SubCA that they
> have obtained from another company that operates a RootCA. These companies
> are also entitled to become Members as a "Certificate Issuer".
>
> Dimitris.
>
>
> -Tim
>
>
>
> *From:* Public [mailto:public-bounces at cabforum.org
> <public-bounces at cabforum.org>] *On Behalf Of *Adriano Santoni via Public
> *Sent:* Tuesday, July 3, 2018 2:41 AM
> *To:* public at cabforum.org
> *Subject:* Re: [cabfpub] New Server Certificate Working Group
>
>
>
> Hi Kirk,
>
> based on these definitions, it seems to me that most CAs among CABF
> members fall into both categories.
>
> What is the purpose of distinguishing between the two, after all?
>
> Adriano
>
>
>
>
>
> Il 03/07/2018 01:30, Kirk Hall via Public ha scritto:
>
> I would look again at the definitions on the two different ways to
> participate as a CA.
>
>
>
> My guess is that CAs who have and use their own trusted roots will choose
> (2) Root Certificate Issuer, while CAs who do not have their own trusted
> roots will choose (1) Certificate Issuer, but I’m not sure on that.  The
> only reason why we are asking Members to declare their status is just so
> everyone can know and can confirm that the Member meets the membership
> qualifications.
>
>
>
> (1) Certificate Issuer: The member organization operates a certification
> authority that has a current and successful WebTrust for CAs audit, or ETSI
> TS 102042, ETSI 101456, or ETSI EN 319 411-1 audit report prepared by a
> properly-qualified auditor, *and that actively issues certificates to Web
> servers that are openly accessible from the Internet*, such certificates
> being treated as valid when using a browser created by a Certificate
> Consumer Member. Applicants that are not actively issuing certificates but
> otherwise meet membership criteria may be granted Associate Member status
> under Bylaw Sec. 3.1 for a period of time to be designated by the Forum.
>
>
>
> (2) Root Certificate Issuer: The member organization operates a
> certification authority that has a current and successful WebTrust for CAs,
> or ETSI TS 102042, ETSI TS 101456, ETSI EN 319 411-1 audit report prepared
> by a properly-qualified auditor, *and that actively issues certificates
> to subordinate CAs that, in turn, actively issue certificates to Web
> servers* that are openly accessible from the Internet, such certificates
> being treated as valid when using a browser created by a Certificate
> Consumer Member. Applicants that are not actively issuing certificates but
> otherwise meet membership criteria may be granted Associate Member status
> under Bylaw Sec. 3.1 for a period of time to be designated by the Forum.
>
>
>
>
>
> *From:* Peter Miškovič [mailto:Peter.Miskovic at disig.sk
> <Peter.Miskovic at disig.sk>]
> *Sent:* Monday, July 2, 2018 2:34 AM
> *To:* Kirk Hall <Kirk.Hall at entrustdatacard.com>
> <Kirk.Hall at entrustdatacard.com>
> *Cc:* CA/Browser Forum Public Discussion List <public at cabforum.org>
> <public at cabforum.org>; Ben Wilson <ben.wilson at digicert.com>
> <ben.wilson at digicert.com>
> *Subject:* [EXTERNAL]RE: New Server Certificate Working Group
>
>
>
> Hi Kirk,
>
> could you explain to me difference between (1) and (2)? We are CA which
> issue subordinate CAs for our own purpose and from them actively issues
> certificates to Web servers. Am I right if I suppose that we are “Root
> Certificate Issuer” and not only “Certificate Issuer”.
>
> Thanks.
>
>
>
> Regards
>
> Peter
>
>
>
>
>
>
>
> *From:* Public <public-bounces at cabforum.org> *On Behalf Of *Kirk Hall via
> Public
> *Sent:* Saturday, June 30, 2018 12:26 AM
> *To:* Ben Wilson <ben.wilson at digicert.com>; CABFPub <public at cabforum.org>
> *Subject:* Re: [cabfpub] New Server Certificate Working Group
>
>
>
> Ben, on the wiki page you created, *can you add a column* between the
> column “Date of Declaration” and the column “Date of Withdrawal” and
> label it “Type”.  Then maybe put on the page at the top a *guide to the
> three types of Members and the one type of Associate member*, something
> like this:
>
>
>
> Type
>
> 1 = Certificate Issuer
>
> 2 = Root Certificate Issuer
>
> 3 = Certificate Consumer
>
> 4 = Associate Member
>
>
>
> We probably should also *post these definitions* on the wiki page from
> the Server Certificate Working Group Charter to remind people what the
> terms mean.
>
>
>
> (1) Certificate Issuer: The member organization operates a certification
> authority that has a current and successful WebTrust for CAs audit, or ETSI
> TS 102042, ETSI 101456, or ETSI EN 319 411-1 audit report prepared by a
> properly-qualified auditor, and that actively issues certificates to Web
> servers that are openly accessible from the Internet, such certificates
> being treated as valid when using a browser created by a Certificate
> Consumer Member. Applicants that are not actively issuing certificates but
> otherwise meet membership criteria may be granted Associate Member status
> under Bylaw Sec. 3.1 for a period of time to be designated by the Forum.
>
>
>
> (2) Root Certificate Issuer: The member organization operates a
> certification authority that has a current and successful WebTrust for CAs,
> or ETSI TS 102042, ETSI TS 101456, ETSI EN 319 411-1 audit report prepared
> by a properly-qualified auditor, and that actively issues certificates to
> subordinate CAs that, in turn, actively issue certificates to Web servers
> that are openly accessible from the Internet, such certificates being
> treated as valid when using a browser created by a Certificate Consumer
> Member. Applicants that are not actively issuing certificates but otherwise
> meet membership criteria may be granted Associate Member status under Bylaw
> Sec. 3.1 for a period of time to be designated by the Forum.
>
>
>
> (3) A Certificate Consumer can participate in this Working Group if it
> produces a software product intended for use by the general public for
> browsing the Web securely.
>
>
>
>
>
>
>
> *From:* Ben Wilson [mailto:ben.wilson at digicert.com
> <ben.wilson at digicert.com>]
> *Sent:* Friday, June 29, 2018 10:24 AM
> *To:* CABFPub <public at cabforum.org>
> *Cc:* Kirk Hall <Kirk.Hall at entrustdatacard.com>
> *Subject:* [EXTERNAL]New Server Certificate Working Group
>
>
>
> Hi All,
>
>
>
> As Kirk mentioned during the teleconference call yesterday, we are in the
> process of spinning up the Server Certificate Working Group and will hold
> our first meeting on July 12.  Kirk and I will be sending out a more formal
> announcement of that meeting and solicitation for participation.
>
>
>
> However, given that the new Bylaws come into effect early next week, I
> felt it was important that we start the transition before then. I propose
> that the Forum’s mechanism for formally declaring participation in the
> Server Certificate Working Group be that existing members and interested
> parties (who have signed the Agreement for IPR Policy v. 1.3) send an email
> to Kirk and me, respectively as Chair and Vice-Chair of the WG, and
> formally declare their participation in the WG. (I had contemplated that
> everyone might send their email to the public list, but I felt that all of
> those emails might clutter your inboxes.)
>
>
>
> As a follow up task to this declaration, I’d ask that CABF members list
> the name of their organization here
> https://cabforum.org/wiki/Server%20Certificate%20Working%20Group
> <https://clicktime.symantec.com/a/1/Z5iksn-Z4giqu5LXjtOy5lvv-EcA82NNDuGQ6LBS_LQ=?d=3adJVR-xxx3LyKCZllNXeplqsmDh9fveYqZ90S9BBWSvewMCMzf02pELaKa8sHkZkuLwTOBalO58w3476pC5A7Q-AXEdm9VLJKdxNeBjQ-NTqz4VKqvzKkC5aao_x3UtdMlYhokgsryTxy62NSrKDtPjUz1qyROMCu39wb778LFBSn6-sYD8JWxgCA7v9ghvSz7L6We0exflf_h2DE7JnXQhd3P1JpQmhCuznX_Ox_Vr_mg1M-TXFdAZKA5yFDXRWs3T0XoveJ2a76oqyaYxfz-XX485di2BsfXWNyMuewqQh8r-AEa53lWpXQFoHo7Jyu2e_RwvEALPPqnq7SoaRi9bkAzeNwT6pA2tMjyPBlq4y0D7wSyRLWml73Mp8DRqZ44h8ZSZcYYsGOff6r6dLkoW9Iirlg%3D%3D&u=https%3A%2F%2Fcabforum.org%2Fwiki%2FServer%2520Certificate%2520Working%2520Group>.
> If you are an interested party, we will add your name as a participant when
> we receive your email.
>
>
>
> Also, everyone is welcome to subscribe to the WG’s mailing list here -
> https://cabforum.org/mailman/listinfo/servercert-wg
> <https://clicktime.symantec.com/a/1/Y1n9kMENF1mFmHFkmnbIKEKsdovpFj7PQ_CxUuCUa3I=?d=3adJVR-xxx3LyKCZllNXeplqsmDh9fveYqZ90S9BBWSvewMCMzf02pELaKa8sHkZkuLwTOBalO58w3476pC5A7Q-AXEdm9VLJKdxNeBjQ-NTqz4VKqvzKkC5aao_x3UtdMlYhokgsryTxy62NSrKDtPjUz1qyROMCu39wb778LFBSn6-sYD8JWxgCA7v9ghvSz7L6We0exflf_h2DE7JnXQhd3P1JpQmhCuznX_Ox_Vr_mg1M-TXFdAZKA5yFDXRWs3T0XoveJ2a76oqyaYxfz-XX485di2BsfXWNyMuewqQh8r-AEa53lWpXQFoHo7Jyu2e_RwvEALPPqnq7SoaRi9bkAzeNwT6pA2tMjyPBlq4y0D7wSyRLWml73Mp8DRqZ44h8ZSZcYYsGOff6r6dLkoW9Iirlg%3D%3D&u=https%3A%2F%2Fcabforum.org%2Fmailman%2Flistinfo%2Fservercert-wg>.
>
>
>
>
> Thanks,
>
>
>
> Ben
>
>
>
>
>
> _______________________________________________
>
> Public mailing list
>
> Public at cabforum.org
>
> https://cabforum.org/mailman/listinfo/public <https://clicktime.symantec.com/a/1/Aj6tpOiWcYYPhDM4-TQA0N-pHeNYuhJUuXgmcPnG8HU=?d=3adJVR-xxx3LyKCZllNXeplqsmDh9fveYqZ90S9BBWSvewMCMzf02pELaKa8sHkZkuLwTOBalO58w3476pC5A7Q-AXEdm9VLJKdxNeBjQ-NTqz4VKqvzKkC5aao_x3UtdMlYhokgsryTxy62NSrKDtPjUz1qyROMCu39wb778LFBSn6-sYD8JWxgCA7v9ghvSz7L6We0exflf_h2DE7JnXQhd3P1JpQmhCuznX_Ox_Vr_mg1M-TXFdAZKA5yFDXRWs3T0XoveJ2a76oqyaYxfz-XX485di2BsfXWNyMuewqQh8r-AEa53lWpXQFoHo7Jyu2e_RwvEALPPqnq7SoaRi9bkAzeNwT6pA2tMjyPBlq4y0D7wSyRLWml73Mp8DRqZ44h8ZSZcYYsGOff6r6dLkoW9Iirlg%3D%3D&u=https%3A%2F%2Fcabforum.org%2Fmailman%2Flistinfo%2Fpublic>
>
>
>
>
>
>
> _______________________________________________
>
> Public mailing list
>
> Public at cabforum.org
>
> https://cabforum.org/mailman/listinfo/public <https://clicktime.symantec.com/a/1/va0-el0sph9HBQxfdvxA01Bv3faG1olL2fI6oOJzL-k=?d=49jVblZgqf2Nn10Kcx7KrZdsG1eQaG7qzwTXSolmK2OGHlvQM9yLxuNwLr5L9KQ04egTr438e40dLFO2EmJ1kiFGVdN_JKlgukEnmyk8y7ipKP9arXC53Jt5LeZbPEyPP4QlXyIjwq6Yj4G_1rwlcbOSaojrwzh-x5B2Dv-CAChJFu3J0YhYkMhw-etFxdIiuFPICifgzcn4953J_eul8VWPUv7E_pMeEdYGnmrP-yiLPftqn53Zss1AeKTAfgdk2xZRvg5cqbV2k3zJsA6CadKaP5BR12dLufu79jD-36YxsogMCreAVUZJscIqw-JIXze9YGHe8tQI-5m4XVGvvTrXGRShJEABFM7f_fmCIk0NhhuecWaSt0aOSTSPARuOuq0tsoH-1mE1&u=https%3A%2F%2Fcabforum.org%2Fmailman%2Flistinfo%2Fpublic>
>
>
> _______________________________________________
> Public mailing list
> Public at cabforum.org
> https://cabforum.org/mailman/listinfo/public
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20180703/1f0a140c/attachment-0003.html>


More information about the Public mailing list