[cabfpub] Draft SMIME Working Group Charter

[Tim Hollebeek]

I’m fine with “or equivalent” exceptions for various use cases, as long as we specify what those are and they accomplish the same goals.  I do have strong opinions about how “*.gov” should be managed, specifically that I don’t think it’s possible to assure that the domain portion of the email is being consistently validated, absent some oversight by some independent entity.

 

For government entities, that may be some regulatory body and/or internal review process instead of a traditional WebTrust/ETSI audit, but we should at least make sure that someone is responsible for making sure appropriate controls are in place.

 

-Tim

 

From: Ryan Sleevi <sleevi at google.com> 
Sent: Monday, January 28, 2019 2:22 PM
To: Tim Hollebeek <tim.hollebeek at digicert.com>
Cc: Wayne Thayer <wthayer at mozilla.com>; CA/Browser Forum Public Discussion List <public at cabforum.org>
Subject: Re: [cabfpub] Draft SMIME Working Group Charter

 

 

 

On Mon, Jan 28, 2019 at 2:17 PM Tim Hollebeek <tim.hollebeek at digicert.com <mailto:tim.hollebeek at digicert.com> > wrote:

The intent was that Forum level membership was the union of all CWG membership criteria.  If you’re able to join a CWG, you’re a Forum member.

 

I think allowing in unaudited Certificate Issuers would be a huge step backwards.

 

Note that the proposal was not "unaudited" - merely, that the definition of audit be left to "Certificate Consumer", which participation with is already a required property.

 

For example, some Consumers allow audits by government entities, but then constrain issuance using application-specific means (since, after all, this is a trust anchor). Others allow for equivalent audit schemes at their discretion.

 

Thus, it also runs the risk of being a "step backward" to have members who are bound by various rules (such as an S/MIME Guideline) but that are prevented by the Forum from joining unless they change their business, governance, or auditability model. An example of this concretely is the Federal PKI operated in the US.

 

While for SSL/TLS cases, I may be more inclined to agree, S/MIME represents a particular area where given the nature of the 'localpart' of email addresses (fully in control of the organization), delegated CAs and trust relationships are far more common. For example, I don't have strong opinions on how "*.gov" should be managed, with respect to S/MIME, provided that the domain portion of the email is consistently validated. 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cabforum.org/pipermail/public/attachments/20190128/edc392aa/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4940 bytes
Desc: not available
URL: <http://cabforum.org/pipermail/public/attachments/20190128/edc392aa/attachment.p7s>