[cabfpub] Ballot Forum-11: Creation of S/MIME Certificates Working Group

Tim Hollebeek tim.hollebeek at digicert.com
Mon Feb 10 21:26:54 UTC 2020 

The bootstrapping issue was discussed extensively during governance reform, and it was noted that there are a number of ways to deal with it, including the one you mention.  

 

-Tim

 

From: Wayne Thayer <wthayer at gmail.com> 
Sent: Thursday, February 6, 2020 2:05 PM
To: Ryan Sleevi <sleevi at google.com>
Cc: CABforum1 <public at cabforum.org>; Tim Hollebeek <tim.hollebeek at digicert.com>; Clint Wilson <clint_wilson at apple.com>
Subject: Re: [cabfpub] Ballot Forum-11: Creation of S/MIME Certificates Working Group

 

Ryan - Thank you for pointing out the past discussions. it's unfortunate that this ballot has lingered for so long and as a result it's possible that some of your feedback from a year ago was (unintentionally, I believe) "ignored". In reviewing [12], I observe the following:

 * As noted, most, but not all of your comments relate to identity, an issue that is intended to be decided via ballot.

 * You state "I'll also duplicate them as suggested edits on the doc after sending this, to provide more concrete and hopefully productive guidance." Did you share a redline with suggested changes?

 * Your comment "Finally, regarding membership criteria, I'm curious whether it's necessary to consider WebTrust for CAs / ETSI at all." was discussed in the thread without reaching agreement.

 * Regarding membership, you also commented "There's also a bootstrapping issue for membership, in that until we know who the accepted Certificate Consumers are, no CA can join as a Certificate Issuer. I'm curious whether it makes sense to explicitly bootstrap this in the charter or how we'd like to tackle this." I agree with this concern but is it something that can be easily worked around by having Certificate Consumers such as Microsoft and Mozilla become the first members of the WG?

 

What other important issues have we "ignored"?

 

- Wayne

 

 

On Wed, Feb 5, 2020 at 4:35 PM Ryan Sleevi <sleevi at google.com <mailto:sleevi at google.com> > wrote:

Just to make sure the timing is accurate:

 

2018-05 - Tim Hollebeek circulates a draft charter, largely modeled after the code signing charter [1]. 

2018-06 - F2F 44 provides significant discussion on this issue and the potential concerns. [2]

2018-07 - Ballot 208 [3] is finalized, which sets forth the requirements for creating new CWG charters.

2018-10 - F2F 45 reiterates the concerns previously raised [4], with the conclusion being

 

*     Ben – It sounds like the initial charter should focus on three aspects: profile, identity validation of email and identity (host and local part), and private key protection.

*     Kirk Hall, Entrust – Is that enough to start drafting a charter?

*     Ben – Yes, I can start a charter based on those three principles.

2019-01 - Ben Wilson circulates an updated draft for feedback [5]. This draft is substantially more expansive, due to the changes in Ballot 206.

2019-03 - F2F 46 is held in Cupertino. While the minutes show [6] there is still scope issue, a clear and viable path forward, previously raised, is reiterated.

 

Dean – We have a blank slate here and it seems the reluctance was to make it a narrow scope and then focus on either one aspect of SMIME. First task might be how to validate an email, and then focus on identity validation. Some comments were to make the chart narrow to focus on one task while others say to include all proposed tasks to not have to recharter which has caused issues in the past.  

 

2019-06 - F2F 47 is held in Thessaloniki [7], where again we discuss the same topic.

2019-12 - Tim circulates the first draft version [8], the week before Christmas. This is the first version that has been circulated since Ben Wilson's 2019-01 version. Feedback is provided by Wayne [9] to be addressed.

2019-01 - Tim starts the discussion period for this ballot [10]

 

I highlight this timeline, because it does seem somewhat concerning that after significant good faith effort to discuss the issues, these are seemingly intentionally ignored in forcing a vote that intentionally ignores feedback during the discussion period [11]. For example, [10] represents the first time of seeing any draft on how the concerns were raised. Given the significant beneficial edits proposed by Apple, for example, Google did not submit its many procedural and practical concerns with the draft language, on the hope that there would be a good faith effort to engage with and discuss these issues.

 

It's equally concerning that the effort and time spent in communicating on the previous draft, in [5], was entirely ignored in [8], which entirely precipitated the issues in [9]. Substantive issues, such as those raised in [12], were entirely ignored, and are largely orthogonal to the debate about identity but to the very core of the charter.

 

I can understand that, if the view is we are at an impasse, then rough consensus is a path forward. However, it remains deeply disappointing that it seems that virtually all feedback, from a variety of participants, has been ignored, as shown through the minutes and the past proposed changes. That does not seem to be in the spirit of what you've suggested the intent is.

 

[1] https://cabforum.org/pipermail/public/2018-May/013400.html

[2] https://cabforum.org/2018/06/06/minutes-for-ca-browser-forum-f2f-meeting-44-london-6-7-june-2018/

[3] https://cabforum.org/2018/04/03/ballot-206-amendment-to-ipr-policy-bylaws-re-working-group-formation/  

[4] https://cabforum.org/2018/10/18/minutes-for-ca-browser-forum-f2f-meeting-45-shanghai-17-18-october-2018/#6-Creation-of-additional-Working-Groups---Secure-Mail-Other

[5] https://cabforum.org/pipermail/public/2019-January/014517.html

[6] https://cabforum.org/2019/05/03/minutes-for-ca-browser-forum-f2f-meeting-46-cupertino-12-14-march-2019/#Creation-of-additional-Working-Groups---Secure-Mail

[7] https://cabforum.org/2019/08/16/minutes-for-ca-browser-forum-f2f-meeting-47-thessaloniki-12-13-june-2019/#Creation-of-Additional-Groups---Secure-Mail

[8] https://cabforum.org/pipermail/public/2019-December/014838.html

[9] https://cabforum.org/pipermail/public/2019-December/014839.html

[10] https://cabforum.org/pipermail/public/2020-January/014852.html

[11] https://cabforum.org/pipermail/public/2020-February/014865.html

[12] https://cabforum.org/pipermail/public/2019-January/014521.html

 

On Wed, Feb 5, 2020 at 5:45 PM Wayne Thayer <wthayer at gmail.com <mailto:wthayer at gmail.com> > wrote:

Based on my recollection of the Guangzhou discussion, and supported by the minutes, the "path forward agreed to in Guangzhou" was that we would take this charter to a ballot without further attempts to resolve the issue of including identity in the charter's scope. There does not appear to be a path to consensus on this issue, despite the considerable amount of time spent discussing it. I'm unhappy with this approach, but as one of the endorsers, I don't see an alternative other than "take it to a vote" that gets this much-needed WG formed any time soon.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20200210/b0a8f075/attachment-0003.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4940 bytes
Desc: not available
URL: <http://lists.cabforum.org/pipermail/public/attachments/20200210/b0a8f075/attachment-0003.p7s>

More information about the Public mailing list