[cabfpub] Update about S/MIME Charter
Ryan Sleevi
sleevi at google.com
Wed Apr 22 19:15:08 UTC 2020
See my earliest comments on the first draft about this -
https://cabforum.org/pipermail/public/2019-January/014517.html shows the
suggested edit and points to
https://cabforum.org/pipermail/public/2019-January/014521.html
Finally, regarding membership criteria, I'm curious whether it's necessary
> to consider WebTrust for CAs / ETSI at all. For work like this, would it
> make sense to merely specify the requirements for a CA as one that is
> trusted for and actively issues S/MIME certificates that are accepted by a
> Certificate Consumer. This seems to be widely inclusive and can be iterated
> upon if/when improved criteria are developed, if appropriate.
> There's also a bootstrapping issue for membership, in that until we know
> who the accepted Certificate Consumers are, no CA can join as a Certificate
> Issuer. I'm curious whether it makes sense to explicitly bootstrap this in
> the charter or how we'd like to tackle this.
In the current incarnation, it's to simply remove the scheme requirement,
as follows:
A Certificate Issuer eligible for voting membership in the SMCWG MUST have
a publicly-available audit report or attestation statement in accordance
with a publicly-available audit or assessment scheme relevant to the
issuance of S/MIME certificates. This includes, but is not limited to, ...:
Happy to propose draft text to this effect, if this is something that
you're open to addressing.
On Wed, Apr 22, 2020 at 3:03 PM Tim Hollebeek <tim.hollebeek at digicert.com>
wrote:
> Unintentional, and thanks for calling it out. I don’t have strong
> feelings on the issue and agree broader participation is a useful goal,
> especially before requirements exist. Certificate Consumers can, and I
> expect will, have their own opinions on what audits are appropriate and
> necessary once they adopt the requirements. Do you have a proposed fix?
>
>
>
> -Tim
>
>
>
> *From:* Ryan Sleevi <sleevi at google.com>
> *Sent:* Sunday, April 19, 2020 4:41 PM
> *To:* Tim Hollebeek <tim.hollebeek at digicert.com>; CABforum1 <
> public at cabforum.org>
> *Subject:* Re: [cabfpub] Update about S/MIME Charter
>
>
>
> Looking through the resolved and unresolved aspects, the lack of feedback
> from you meant we still have one unaddressed matter in the draft:
>
>
>
> https://github.com/cabforum/documents/pull/167/files#r392389077
>
> - The proposed draft charter forbids any CA from participating unless they
> already have particular audit schemes, despite this document not yet
> existing nor being incorporated into audit frameworks. This has been
> repeatedly raised as an issue for the past year, and it would be useful to
> know whether or not this is intentionally not being addressed. It does seem
> that there doesn't need to be restrictions on CA membership until such a
> document is produced (see also
> https://cabforum.org/pipermail/public/2020-March/014917.html )
>
>
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20200422/efd42247/attachment-0002.html>
More information about the Public
mailing list