[cabfpub] Bylaws: Update Membership Criteria (section 2.1)

Dimitris Zacharopoulos (HARICA) dzacharo at harica.gr
Wed Jan 30 07:21:01 UTC 2019

On 29/1/2019 7:18 PM, Ryan Sleevi wrote:
> Your response seems to suggest that the bar is "Whatever is enough to 
> be trusted by a Certificate Consumer", which is the suggestion I had 
> made elsewhere, as it avoids the ambiguity of the Forum interpreting 
> and/or setting these guidelines, and instead moves to a very objective 
> model that we can use and that can be extended if necessary.
> You suggest it's an exception, but I think it bears repeated 
> reminding: As the Forum looks to undertake "new" work (in the case of 
> S/MIME or Code Signing), where there exist no objective 
> industry-accepted audit criteria, and instead a loose assortment, which 
> includes, but is not limited to, WebTrust for CAs, then I think our 
> definition of membership needs to evolve to reflect that. We cannot 
> take on this 'new' work without figuring out how to include those 
> either affected by or with value to contribute to the discussions. The 
> selection of "Webtrust for CAs" or "ETSI" is merely a codification of 
> existing SSL/TLS Certificate Consumer practice, but it's not robust to 
> handle that new work.
> So, to again put the question back to you: Do you think there's some 
> property, beyond "accepted by a Certificate Consumer", that you feel 
> is essential for the Forum to capture within its membership requirements?

I think I answered this in my last paragraph.

>>     Then by this goal, I don't believe our current membership
>>     criteria meet this. For example, a qualified auditor is
>>     determined by... government regulations in the case of ETSI. Does
>>     that mean we should exclude ETSI audits from the scope? Or should
>>     we allow CABs that are not accredited by the NABs?
>     This doesn't make a lot of sense. NABs are not Supervisory Bodies.
>     It's different. I was referring to government audit schemes for
>     CAs where a certain government unit audits a CA under national
>     criteria.
> Yet the use of ETSI is still regulated.

Then we have different terminology for "regulation". In my understanding 
and interpretation, a "regulation" is a "law" or "obligation" that is 
mandated by local law in a local jurisdiction. In the EU case, it could 
be a law or obligation mandated by a Regulation voted by the European 
Council. NABs set their own rules based on EA requirements and 
international standards.

>>     I realize it may seem like I'm being difficult, but I think
>>     there's a core piece missing, which is trying to understand why
>>     it's important for some members to exclude some other CAs that
>>     have had long-standing operations. This is particularly relevant
>>     for the discussion of the S/MIME charter, in which there is
>>     a significant and extant set of 'trusted' certificates, in a
>>     variety of software, that does not meet the criteria for
>>     participation. They would be excluded from participating in
>>     engaging or drafting the new criteria, by virtue of the Forum
>>     membership criteria, and I think that's something we should be
>>     thinking very carefully about and articulating what properties we
>>     expect of CAs and why.
>     IMHO we need audit requirements that have undergone enough
>     scrutiny and quality assurance. International standards like ISO,
>     WebTrust and ETSI have such a process which provides better
>     assurance for the audit outcome. That's my personal view. We can
>     always listen to other schemes and we would welcome input from
>     governments (as Interested Parties) if they choose to participate.
>     If these schemes became so useful and comparable with existing
>     international schemes, then the S/MIME Working Group could decide
>     to add those schemes in the criteria for Membership and possibly
>     in the produced Guidelines.
> I'm trying to understand the /why/ you take that personal view. I see 
> no objective reasoning to support that.

I disagree that for S/MIME there is no set of existing rules. ETSI EN 
319 411-1 (scope LCP, NCP) and AFAIK WebTrust for CAs have been used as 
attestations of adequate level of organizational/technical controls for 
S/MIME, clientAuthentication and Code Signing Certificates.

The main reason I prefer using an international scheme is because it is 
more carefully drafted, usually by experts in that area, and has good 
and internationally acceptable quality assurance. The auditors 
themselves are assessed by peer reviews (WebTrust) or by NABs (ETSI). 
Local laws and National regulations may not have a similar quality level 
but a lower one. Auditors are usually government agencies. I consider the 
level of audit schemes in the Baseline Requirements to be a good set of 
standards to start with because it sets the bar pretty high from the 
very beginning. In any case, there could be exceptions and there might 
be local laws and regulations that are outstanding and may set the bar 
even higher. We should accept everyone as Interested Parties (we do that 
already) and collaborate to extend our set of audit criteria and audit 
