[cabfpub] Ballot Forum-11: Creation of S/MIME Certificates Working Group

Thu Feb 6 19:25:20 UTC 2020

On Thu, Feb 6, 2020 at 2:05 PM Wayne Thayer <wthayer at gmail.com> wrote:

> Ryan - Thank you for pointing out the past discussions. it's unfortunate
> that this ballot has lingered for so long and as a result it's possible
> that some of your feedback from a year ago was (unintentionally, I believe)
> "ignored". In reviewing [12], I observe the following:
>  * As noted, most, but not all of your comments relate to identity, an
> issue that is intended to be decided via ballot.
>  * You state "I'll also duplicate them as suggested edits on the doc after
> sending this, to provide more concrete and hopefully productive guidance."
> Did you share a redline with suggested changes?
>

I did, and they're available in the links provided.

>  * Your comment "Finally, regarding membership criteria, I'm curious
> whether it's necessary to consider WebTrust for CAs / ETSI at all." was
> discussed in the thread without reaching agreement.
>

And suggested edits were given to Ben twice on how to address that.

This is actually rather significant, because it's artificially
exclusionary, and does not match how we've bootstrapped other efforts, such
as the Forum itself.

>  * Regarding membership, you also commented "There's also a bootstrapping
> issue for membership, in that until we know who the accepted Certificate
> Consumers are, no CA can join as a Certificate Issuer. I'm curious whether
> it makes sense to explicitly bootstrap this in the charter or how we'd like
> to tackle this." I agree with this concern but is it something that can be
> easily worked around by having Certificate Consumers such as Microsoft and
> Mozilla become the first members of the WG?
>

Define "easily"? The membership definition is circular and intended to
protect CAs' interests, and that's a real problem. A Certificate Consumer
is one who accepts Certificate Issuers in the WG, meaning that if a given
Consumer moves to distrust a given issuer, such action may result in their
removal from the SMCWG, which would happen automatically, while for CAs,
they would merely be suspended.

Beyond that, as suggested, Microsoft and Mozilla cannot qualify as
Certificate Consumers without Certificate Issuers, and CAs cannot qualify
as Certificate Issuers without the existence of Certificate Consumers.
There's no way, valid to the Bylaws, for members to declare their interest,
because they can't meet the qualification, so it's incorrect to suggest
that this is a first-mover problem. This is a bootstrap problem, similar to
the audit, that was flagged in the past.

Of course, the definition of Certificate Issuer also seeks to exclude those
it claims to consider, by imposing a set of audit criteria that's more
restrictive than the proposed scope of the charter. That is, existing
issuers may be considered, but may not participate, if they haven't adopted
one of the specific audit schemes.

These are just the *existing* issues that were discussed. As mentioned,
there was significantly more feedback around other areas of structure and
approach, but we didn't submit those in the hope of a good-faith engagement
with Apple's suggestions. For example, the draft charter introduces a
normative dependency on the Baseline Requirements through its definition of
Qualified Auditor, which is necessary for membership, which means that
participation in the SMCWG is entirely dependent on participation in the
SCWG, such that actions in the SCWG can cause members to be excluded from
the SMCWG.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20200206/fd1867e0/attachment-0003.html>