[cabfpub] Update about S/MIME Charter

Ryan Sleevi sleevi at google.com
Wed Apr 22 12:42:07 MST 2020


https://github.com/sleevi/cabforum-docs/pull/17 so that you can comment and
make additional modifications/edits.

In prepping this, I also spotted an issue with the CABF Bylaws that I'll
feed back to Dimitris' ballot

On Wed, Apr 22, 2020 at 3:27 PM Tim Hollebeek <tim.hollebeek at digicert.com>
wrote:

> I think some people might have objections to “includes, but not limited
> to…” language, but I don’t.  I think it’s sometimes helpful when drafting
> intentionally broad criteria like this to make it explicitly clear that
> common cases like “WebTrust for CAs” or “ETSI …” is indeed “relevant to the
> issuance of S/MIME certificates”.  That could really cut down on the amount
> of confusion about who does or does not qualify for membership, and give
> members clarity when voting for the charter about who is and isn’t allowed
> to participate, while also potentially allowing participation by others
> with less common audit schemes.
>
>
>
> That’s just a more verbose than usual way of me saying that yes, I would
> appreciate draft text along the lines you suggest.
>
>
>
> -Tim
>
>
>
> *From:* Ryan Sleevi <sleevi at google.com>
> *Sent:* Wednesday, April 22, 2020 3:15 PM
> *To:* Tim Hollebeek <tim.hollebeek at digicert.com>
> *Cc:* CABforum1 <public at cabforum.org>
> *Subject:* Re: [cabfpub] Update about S/MIME Charter
>
>
>
> See my earliest comments on the first draft about this -
> https://cabforum.org/pipermail/public/2019-January/014517.html shows the
> suggested edit and points to
> https://cabforum.org/pipermail/public/2019-January/014521.html
>
>
>
> Finally, regarding membership criteria, I'm curious whether it's necessary
> to consider WebTrust for CAs / ETSI at all. For work like this, would it
> make sense to merely specify the requirements for a CA as one that is
> trusted for and actively issues S/MIME certificates that are accepted by a
> Certificate Consumer. This seems to be widely inclusive and can be iterated
> upon if/when improved criteria are developed, if appropriate.
> There's also a bootstrapping issue for membership, in that until we know
> who the accepted Certificate Consumers are, no CA can join as a Certificate
> Issuer. I'm curious whether it makes sense to explicitly bootstrap this in
> the charter or how we'd like to tackle this.
>
>
>
> In the current incarnation, it's to simply remove the scheme requirement,
> as follows:
>
>
>
> A Certificate Issuer eligible for voting membership in the SMCWG MUST have
> a publicly-available audit report or attestation statement in accordance
> with a publicly-available audit or assessment scheme relevant to the
> issuance of S/MIME certificates. This includes, but is not limited to, ...:
>
>
>
> Happy to propose draft text to this effect, if this is something that
> you're open to addressing.
>
>
>
> On Wed, Apr 22, 2020 at 3:03 PM Tim Hollebeek <tim.hollebeek at digicert.com>
> wrote:
>
> Unintentional, and thanks for calling it out.  I don’t have strong
> feelings on the issue and agree broader participation is a useful goal,
> especially before requirements exist.  Certificate Consumers can, and I
> expect will, have their own opinions on what audits are appropriate and
> necessary once they adopt the requirements.  Do you have a proposed fix?
>
>
>
> -Tim
>
>
>
> *From:* Ryan Sleevi <sleevi at google.com>
> *Sent:* Sunday, April 19, 2020 4:41 PM
> *To:* Tim Hollebeek <tim.hollebeek at digicert.com>; CABforum1 <
> public at cabforum.org>
> *Subject:* Re: [cabfpub] Update about S/MIME Charter
>
>
>
> Looking through the resolved and unresolved aspects, the lack of feedback
> from you meant we still have one unaddressed matter in the draft:
>
>
>
> https://github.com/cabforum/documents/pull/167/files#r392389077
>
> - The proposed draft charter forbids any CA from participating unless they
> already have particular audit schemes, despite this document not yet
> existing nor being incorporated into audit frameworks. This has been
> repeatedly raised as an issue for the past year, and it would be useful to
> know whether or not this is intentionally not being addressed. It does seem
> that there doesn't need to be restrictions on CA membership until such a
> document is produced (see also
> https://cabforum.org/pipermail/public/2020-March/014917.html )
>
>
>
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cabforum.org/pipermail/public/attachments/20200422/598f9988/attachment.html>


More information about the Public mailing list