[cabfpub] Bylaws: Update Membership Criteria (section 2.1)

Ryan Sleevi sleevi at google.com
Tue Jan 29 17:18:19 UTC 2019

On Tue, Jan 29, 2019 at 12:11 PM Dimitris Zacharopoulos <jimmy at it.auth.gr>

> On 29/1/2019 4:56 μ.μ., Ryan Sleevi wrote:
> This isn't theoretical; at least one CA member provides such audits, as
> they use such a third-party datacenter. If the datacenter provided just
> their report, would they qualify? If they don't, then what is the property
> that we're trying to achieve, and why, so that we can do it?
> Would this WebTrust for CAs audit report be sufficient for acceptance in a
> Root Program? I don't think so.  All these years, CA/B Forum Members have
> been accepted by providing WebTrust for CAs and ETSI reports that include
> core PKI procedures. What you describe is probably an exception and we can
> decide how to handle this exception if in fact we ever receive an
> application for participation in a WG with a WebTrust for CAs audit report
> scoping just the physical security of a Datacenter. I'm hope that CA had
> other WebTrust for CAs reports for their other operations.

Unfortunately, this doesn't really answer the question posed, and doesn't
move us closer to understanding.

Your response seems to suggest that the bar is "Whatever is enough to be
trusted by a Certificate Consumer", which is the suggestion I had made
elsewhere, as it avoids the ambiguity of the Forum interpreting and/or
setting these guidelines, and instead moves to a very objective model that
we can use and that can be extended if necessary.

You suggest it's an exception, but I think it bears repeated reminding: As
the Forum looks to undertake "new" work (in the case of S/MIME or Code
Signing), where there exist no objective industry-accepted audit criteria,
and instead a lose assortment, which includes, but is not limited to,
WebTrust for CAs, then I think our definition of membership needs to evolve
to reflect that. We cannot take on this 'new' work without figuring out how
to include those either affected by or with value to contribute to the
discussions. The selection of "Webtrust for CAs" or "ETSI" is merely a
codification of existing SSL/TLS Certificate Consumer practice, but it's
not robust to handle that new work.

So, to again put the question back to you: Do you think there's some
property, beyond "accepted by a Certificate Consumer", that you feel is
essential for the Forum to capture within its membership requirements?

> Then by this goal, I don't believe our current membership criteria meet
> this. For example, a qualified auditor is determined by... government
> regulations in the case of ETSI. Does that mean we should exclude ETSI
> audits from the scope? Or should we allow CABs that are not accredited by
> the NABs?
> This doesn't make a lot of sense. NABs are not Supervisory Bodies. It's
> different. I was referring to government audit schemes for CAs where a
> certain government unit audits a CA under national criteria.

Yet the use of ETSI is still regulated.

> I realize it may seem like I'm being difficult, but I think there's a core
> piece missing, which is trying to understand why it's important for some
> members to exclude some other CAs that have had long-standing operations.
> This is particularly relevant for the discussion of the S/MIME charter, in
> which there is significant and extant set of 'trusted' certificates, in a
> variety of software, that does not meet the criteria for participation.
> They would be excluded from participating in engaging or drafting the new
> criteria, by virtue of the Forum membership criteria, and I think that's
> something we should be thinking very carefully about and articulating what
> properties we expect of CAs and why.
> IMHO we need audit requirements that have undergone enough scrutiny and
> quality assurance. International standards like ISO, WebTrust and ETSI have
> such a process which provides better assurance for the audit outcome.
> That's my personal view. We can always listen to other schemes and we would
> welcome input from governments (as Interested Parties) if they choose to
> participate. If these schemes became so useful and comparable with existing
> international schemes, then the S/MIME Working Group could decide to add
> those schemes in the criteria for Membership and possibly in the produced
> Guidelines.

I'm trying to understand the /why/ you take that personal view. I see no
objective reasoning to support that.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20190129/1cdb8a60/attachment-0003.html>

More information about the Public mailing list