On 3/7/2018 3:36 μμ, Tim Hollebeek via Public wrote: > > This was discussed on the Governance Reform Working Group, and as I > recall, most people agree the distinction probably isn’t useful and is > a historical artifact. But there wasn’t enough motivation to scrap it. > > > > It is intended to support the notion of a company that operates a root > and signs other CA certificates, but doesn’t issue end entity > certificates itself. Such a company is a Root Certificate Issuer but > not a Certificate Issuer. > > >
In addition to that, a company might be operating only a SubCA that they have obtained from another company that operates a RootCA. These companies are also entitled to become Members as a "Certificate Issuer". Dimitris. > -Tim > > > > *From:*Public [mailto:[email protected]] *On Behalf Of > *Adriano Santoni via Public > *Sent:* Tuesday, July 3, 2018 2:41 AM > *To:* [email protected] > *Subject:* Re: [cabfpub] New Server Certificate Working Group > > > > Hi Kirk, > > based on these definitions, it seems to me that most CAs among CABF > members fall into both categories. > > What is the purpose of distinguishing between the two, after all? > > Adriano > > > > > > Il 03/07/2018 01:30, Kirk Hall via Public ha scritto: > > I would look again at the definitions on the two different ways to > participate as a CA. > > > > My guess is that CAs who have and use their own trusted roots will > choose (2) Root Certificate Issuer, while CAs who do not have > their own trusted roots will choose (1) Certificate Issuer, but > I’m not sure on that. The only reason why we are asking Members > to declare their status is just so everyone can know and can > confirm that the Member meets the membership qualifications. > > > > (1) Certificate Issuer: The member organization operates a > certification authority that has a current and successful WebTrust > for CAs audit, or ETSI TS 102042, ETSI 101456, or ETSI EN 319 > 411-1 audit report prepared by a properly-qualified auditor, *_and > that actively issues certificates to Web servers that are openly > accessible from the Internet_*, such certificates being treated as > valid when using a browser created by a Certificate Consumer > Member. Applicants that are not actively issuing certificates but > otherwise meet membership criteria may be granted Associate Member > status under Bylaw Sec. 3.1 for a period of time to be designated > by the Forum. > > > > (2) Root Certificate Issuer: The member organization operates a > certification authority that has a current and successful WebTrust > for CAs, or ETSI TS 102042, ETSI TS 101456, ETSI EN 319 411-1 > audit report prepared by a properly-qualified auditor, *_and that > actively issues certificates to subordinate CAs that, in turn, > actively issue certificates to Web servers_* that are openly > accessible from the Internet, such certificates being treated as > valid when using a browser created by a Certificate Consumer > Member. Applicants that are not actively issuing certificates but > otherwise meet membership criteria may be granted Associate Member > status under Bylaw Sec. 3.1 for a period of time to be designated > by the Forum. > > > > > > *From:* Peter Miškovič [mailto:[email protected]] > *Sent:* Monday, July 2, 2018 2:34 AM > *To:* Kirk Hall <[email protected]> > <mailto:[email protected]> > *Cc:* CA/Browser Forum Public Discussion List > <[email protected]> <mailto:[email protected]>; Ben Wilson > <[email protected]> <mailto:[email protected]> > *Subject:* [EXTERNAL]RE: New Server Certificate Working Group > > > > Hi Kirk, > > could you explain to me difference between (1) and (2)? We are CA > which issue subordinate CAs for our own purpose and from them > actively issues certificates to Web servers. Am I right if > I suppose that we are “Root Certificate Issuer” and not only > “Certificate Issuer”. > > Thanks. > > > > Regards > > Peter > > > > > > > > *From:* Public <[email protected] > <mailto:[email protected]>> *On Behalf Of *Kirk Hall via > Public > *Sent:* Saturday, June 30, 2018 12:26 AM > *To:* Ben Wilson <[email protected] > <mailto:[email protected]>>; CABFPub <[email protected] > <mailto:[email protected]>> > *Subject:* Re: [cabfpub] New Server Certificate Working Group > > > > Ben, on the wiki page you created, _can you add a column_ between > the column “Date of Declaration” and the column “Date of > Withdrawal” and label it “Type”. Then maybe put on the page at > the top a _guide to the three types of Members and the one type of > Associate member_, something like this: > > > > Type > > 1 = Certificate Issuer > > 2 = Root Certificate Issuer > > 3 = Certificate Consumer > > 4 = Associate Member > > > > We probably should also _post these definitions_ on the wiki page > from the Server Certificate Working Group Charter to remind people > what the terms mean. > > > > (1) Certificate Issuer: The member organization operates a > certification authority that has a current and successful WebTrust > for CAs audit, or ETSI TS 102042, ETSI 101456, or ETSI EN 319 > 411-1 audit report prepared by a properly-qualified auditor, and > that actively issues certificates to Web servers that are openly > accessible from the Internet, such certificates being treated as > valid when using a browser created by a Certificate Consumer > Member. Applicants that are not actively issuing certificates but > otherwise meet membership criteria may be granted Associate Member > status under Bylaw Sec. 3.1 for a period of time to be designated > by the Forum. > > > > (2) Root Certificate Issuer: The member organization operates a > certification authority that has a current and successful WebTrust > for CAs, or ETSI TS 102042, ETSI TS 101456, ETSI EN 319 411-1 > audit report prepared by a properly-qualified auditor, and that > actively issues certificates to subordinate CAs that, in turn, > actively issue certificates to Web servers that are openly > accessible from the Internet, such certificates being treated as > valid when using a browser created by a Certificate Consumer > Member. Applicants that are not actively issuing certificates but > otherwise meet membership criteria may be granted Associate Member > status under Bylaw Sec. 3.1 for a period of time to be designated > by the Forum. > > > > (3) A Certificate Consumer can participate in this Working Group > if it produces a software product intended for use by the general > public for browsing the Web securely. > > > > > > > > *From:* Ben Wilson [mailto:[email protected]] > *Sent:* Friday, June 29, 2018 10:24 AM > *To:* CABFPub <[email protected] <mailto:[email protected]>> > *Cc:* Kirk Hall <[email protected] > <mailto:[email protected]>> > *Subject:* [EXTERNAL]New Server Certificate Working Group > > > > Hi All, > > > > As Kirk mentioned during the teleconference call yesterday, we are > in the process of spinning up the Server Certificate Working Group > and will hold our first meeting on July 12. Kirk and I will be > sending out a more formal announcement of that meeting and > solicitation for participation. > > > > However, given that the new Bylaws come into effect early next > week, I felt it was important that we start the transition before > then. I propose that the Forum’s mechanism for formally declaring > participation in the Server Certificate Working Group be that > existing members and interested parties (who have signed the > Agreement for IPR Policy v. 1.3) send an email to Kirk and me, > respectively as Chair and Vice-Chair of the WG, and formally > declare their participation in the WG. (I had contemplated that > everyone might send their email to the public list, but I felt > that all of those emails might clutter your inboxes.) > > > > As a follow up task to this declaration, I’d ask that CABF members > list the name of their organization here > https://cabforum.org/wiki/Server%20Certificate%20Working%20Group > > <https://clicktime.symantec.com/a/1/Z5iksn-Z4giqu5LXjtOy5lvv-EcA82NNDuGQ6LBS_LQ=?d=3adJVR-xxx3LyKCZllNXeplqsmDh9fveYqZ90S9BBWSvewMCMzf02pELaKa8sHkZkuLwTOBalO58w3476pC5A7Q-AXEdm9VLJKdxNeBjQ-NTqz4VKqvzKkC5aao_x3UtdMlYhokgsryTxy62NSrKDtPjUz1qyROMCu39wb778LFBSn6-sYD8JWxgCA7v9ghvSz7L6We0exflf_h2DE7JnXQhd3P1JpQmhCuznX_Ox_Vr_mg1M-TXFdAZKA5yFDXRWs3T0XoveJ2a76oqyaYxfz-XX485di2BsfXWNyMuewqQh8r-AEa53lWpXQFoHo7Jyu2e_RwvEALPPqnq7SoaRi9bkAzeNwT6pA2tMjyPBlq4y0D7wSyRLWml73Mp8DRqZ44h8ZSZcYYsGOff6r6dLkoW9Iirlg%3D%3D&u=https%3A%2F%2Fcabforum.org%2Fwiki%2FServer%2520Certificate%2520Working%2520Group>. > > If you are an interested party, we will add your name as a > participant when we receive your email. > > > > Also, everyone is welcome to subscribe to the WG’s mailing list > here - https://cabforum.org/mailman/listinfo/servercert-wg > > <https://clicktime.symantec.com/a/1/Y1n9kMENF1mFmHFkmnbIKEKsdovpFj7PQ_CxUuCUa3I=?d=3adJVR-xxx3LyKCZllNXeplqsmDh9fveYqZ90S9BBWSvewMCMzf02pELaKa8sHkZkuLwTOBalO58w3476pC5A7Q-AXEdm9VLJKdxNeBjQ-NTqz4VKqvzKkC5aao_x3UtdMlYhokgsryTxy62NSrKDtPjUz1qyROMCu39wb778LFBSn6-sYD8JWxgCA7v9ghvSz7L6We0exflf_h2DE7JnXQhd3P1JpQmhCuznX_Ox_Vr_mg1M-TXFdAZKA5yFDXRWs3T0XoveJ2a76oqyaYxfz-XX485di2BsfXWNyMuewqQh8r-AEa53lWpXQFoHo7Jyu2e_RwvEALPPqnq7SoaRi9bkAzeNwT6pA2tMjyPBlq4y0D7wSyRLWml73Mp8DRqZ44h8ZSZcYYsGOff6r6dLkoW9Iirlg%3D%3D&u=https%3A%2F%2Fcabforum.org%2Fmailman%2Flistinfo%2Fservercert-wg>. > > > > > Thanks, > > > > Ben > > > > > _______________________________________________ > > Public mailing list > > [email protected] <mailto:[email protected]> > > https://cabforum.org/mailman/listinfo/public > > <https://clicktime.symantec.com/a/1/Aj6tpOiWcYYPhDM4-TQA0N-pHeNYuhJUuXgmcPnG8HU=?d=3adJVR-xxx3LyKCZllNXeplqsmDh9fveYqZ90S9BBWSvewMCMzf02pELaKa8sHkZkuLwTOBalO58w3476pC5A7Q-AXEdm9VLJKdxNeBjQ-NTqz4VKqvzKkC5aao_x3UtdMlYhokgsryTxy62NSrKDtPjUz1qyROMCu39wb778LFBSn6-sYD8JWxgCA7v9ghvSz7L6We0exflf_h2DE7JnXQhd3P1JpQmhCuznX_Ox_Vr_mg1M-TXFdAZKA5yFDXRWs3T0XoveJ2a76oqyaYxfz-XX485di2BsfXWNyMuewqQh8r-AEa53lWpXQFoHo7Jyu2e_RwvEALPPqnq7SoaRi9bkAzeNwT6pA2tMjyPBlq4y0D7wSyRLWml73Mp8DRqZ44h8ZSZcYYsGOff6r6dLkoW9Iirlg%3D%3D&u=https%3A%2F%2Fcabforum.org%2Fmailman%2Flistinfo%2Fpublic> > > > > > > _______________________________________________ > Public mailing list > [email protected] > https://cabforum.org/mailman/listinfo/public
_______________________________________________ Public mailing list [email protected] https://cabforum.org/mailman/listinfo/public
