[cabfpub] Bylaws: Update Membership Criteria (section 2.1)

Dimitris Zacharopoulos (HARICA) dzacharo at harica.gr
Wed Jan 30 16:56:40 UTC 2019

On 30/1/2019 5:59 PM, Ryan Sleevi wrote:
> The goal of a WG - S/MIME or Code Signing - is not to produce 
> something that CAs like or even agree with. It's to produce a set of 
> criteria that reflect the participating Certificate Consumers needs, 
> so that they can then require it for participation in their Root 
> Programs. If the requirements do not meet their needs, such Consumers 
> can choose not to require them. Similarly, such Consumers can impose 
> their own requirements above and beyond. In both situations, it seems 
> extremely valuable to support as diverse and varied as possible a set 
> of participants, to provide feedback for Certificate Consumers in 
> developing and imposing requirements for their programs. I don't see 
> how the possession of a WebTrust for CAs audit, over, say, 
> participation in the US Federal PKI, fundamentally improves the 
> quality of discourse or feedback. This is especially true if the 
> consequence of developing and imposing such standards may result in 
> presently-accepted Certificate Consumers from being excluded from 
> participation in the future - that's all the more reason to want to 
> ensure their views and voices are consistently and equally represented.

I think I already mentioned that the WG should and will be open to 
Interested Parties bringing new and improved ideas for the development 
of S/MIME guidelines, and if they come from a particular audit scheme 
that is currently unknown but otherwise meets the same level as our 
"known" audit schemes, I don't believe the WG would have a problem 
expanding the list of acceptable audit schemes for Certificate Issuers.

If we go back to some old Baseline Requirements 
<https://cabforum.org/wp-content/uploads/BRv1.2.5.pdf>, there were more 
audit schemes allowed:

"A scheme that audits conformance to ISO 21188:2006; or
4. If a Government CA is required by its Certificate Policy to use a 
different internal audit scheme, it MAY use such scheme provided that 
the audit either (a) encompasses all requirements of one of the above 
schemes or (b) consists of comparable criteria that are available for 
public review.

Whichever scheme is chosen, it MUST incorporate periodic monitoring 
and/or accountability procedures to ensure that its audits continue to 
be conducted in accordance with the requirements of the scheme.

The audit MUST be conducted by a Qualified Auditor, as specified in 
Section 17.6. "

Why were these audit schemes dismissed? The CA/B Forum was working with 
Code Signing at the time and developed EV Code Signing Guidelines. At 
the same time, the CA/B Forum's Bylaws never allowed these other 
schemes, even from the very beginning.

I'm afraid I don't have anything new to add for this issue and will 
happily let others state their opinion, especially members who were 
engaged from the beginning and can probably better explain why there 
were different audit criteria in the guidelines and different ones for 
CA/B Forum participation.
