[cabfpub] Update about S/MIME Charter

Ryan Sleevi sleevi at google.com
Wed Apr 22 19:15:08 UTC 2020


See my earliest comments on the first draft about this -
https://cabforum.org/pipermail/public/2019-January/014517.html shows the
suggested edit and points to
https://cabforum.org/pipermail/public/2019-January/014521.html

> Finally, regarding membership criteria, I'm curious whether it's necessary
> to consider WebTrust for CAs / ETSI at all. For work like this, would it
> make sense to merely specify the requirements for a CA as one that is
> trusted for and actively issues S/MIME certificates that are accepted by a
> Certificate Consumer. This seems to be widely inclusive and can be iterated
> upon if/when improved criteria are developed, if appropriate.
> There's also a bootstrapping issue for membership, in that until we know
> who the accepted Certificate Consumers are, no CA can join as a Certificate
> Issuer. I'm curious whether it makes sense to explicitly bootstrap this in
> the charter or how we'd like to tackle this.


In the current incarnation, it's to simply remove the scheme requirement,
as follows:

A Certificate Issuer eligible for voting membership in the SMCWG MUST have
a publicly-available audit report or attestation statement in accordance
with a publicly-available audit or assessment scheme relevant to the
issuance of S/MIME certificates. This includes, but is not limited to, ...:

Happy to propose draft text to this effect, if this is something that
you're open to addressing.

On Wed, Apr 22, 2020 at 3:03 PM Tim Hollebeek <tim.hollebeek at digicert.com>
wrote:

> Unintentional, and thanks for calling it out.  I don’t have strong
> feelings on the issue and agree broader participation is a useful goal,
> especially before requirements exist.  Certificate Consumers can, and I
> expect will, have their own opinions on what audits are appropriate and
> necessary once they adopt the requirements.  Do you have a proposed fix?
>
>
>
> -Tim
>
>
>
> *From:* Ryan Sleevi <sleevi at google.com>
> *Sent:* Sunday, April 19, 2020 4:41 PM
> *To:* Tim Hollebeek <tim.hollebeek at digicert.com>; CABforum1 <
> public at cabforum.org>
> *Subject:* Re: [cabfpub] Update about S/MIME Charter
>
>
>
> Looking through the resolved and unresolved aspects, the lack of feedback
> from you meant we still have one unaddressed matter in the draft:
>
>
>
> https://github.com/cabforum/documents/pull/167/files#r392389077
>
> - The proposed draft charter forbids any CA from participating unless they
> already have particular audit schemes, despite this document not yet
> existing nor being incorporated into audit frameworks. This has been
> repeatedly raised as an issue for the past year, and it would be useful to
> know whether or not this is intentionally not being addressed. It does seem
> that there doesn't need to be restrictions on CA membership until such a
> document is produced (see also
> https://cabforum.org/pipermail/public/2020-March/014917.html )