[cabfpub] Draft SMIME Working Group Charter

Mon Jan 28 12:17:25 MST 2019

The intent was that Forum level membership was the union of all CWG membership criteria.  If you’re able to join a CWG, you’re a Forum member.

I think allowing in unaudited Certificate Issuers would be a huge step backwards.

-Tim

From: Public <public-bounces at cabforum.org> On Behalf Of Wayne Thayer via Public
Sent: Friday, January 25, 2019 2:06 PM
To: Ryan Sleevi <sleevi at google.com>
Cc: CA/Browser Forum Public Discussion List <public at cabforum.org>
Subject: Re: [cabfpub] Draft SMIME Working Group Charter

On Fri, Jan 25, 2019 at 11:45 AM Ryan Sleevi <sleevi at google.com <mailto:sleevi at google.com> > wrote:

On Fri, Jan 25, 2019 at 1:37 PM Wayne Thayer <wthayer at mozilla.com <mailto:wthayer at mozilla.com> > wrote:

I agree that we should exclude identity validation from the initial scope of this working group.

On Fri, Jan 25, 2019 at 10:04 AM Ryan Sleevi via Public <public at cabforum.org <mailto:public at cabforum.org> > wrote:

Finally, regarding membership criteria, I'm curious whether it's necessary to consider WebTrust for CAs / ETSI at all. For work like this, would it make sense to merely specify the requirements for a CA as one that is trusted for and actively issues S/MIME certificates that are accepted by a Certificate Consumer. This seems to be widely inclusive and can be iterated upon if/when improved criteria are developed, if appropriate.

This would allow a CA that is not eligible for full Forum membership to join this WG as a full member. How would that work? Would we require such an organization to join the Forum as an Interested Party? If the idea is that such an organization wouldn't be required to join the Forum, then I don't believe that was anticipated or intended in the design of the current structure. It's not clear to me that we should permit membership in a CWG without Forum membership. For instance, allowing this may create loopholes in the IPR obligations that are defined and administered at the Forum level.

Ah, drat, thanks for pointing that out, Wayne. You're right that the changes would need to be accompanied by changes the Forum-level bylaws membership, whether to be more explicit (e.g. government issuers w/ their own audit frameworks, as an example, such as the FPKI) or more implicitly inclusive as this proposed. Absent a Bylaw change, it sounds like the most such folks could achieve would be Interested Party in the CWG. Does that match your understanding?

I'm not aware of anything that requires membership in a CWG to be at a level equivalent to that of the Forum, but I do think that is the intent of the bylaws. There may be no harm in having an Interested Party at the Forum level be a full member of a CWG, but I think it would be best for that to be clarified in the bylaws before creating a CWG with looser membership criteria than the Forum.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cabforum.org/pipermail/public/attachments/20190128/d2978888/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4940 bytes
Desc: not available
URL: <http://cabforum.org/pipermail/public/attachments/20190128/d2978888/attachment.p7s>