On 29/1/2019 7:18 p.m., Ryan Sleevi wrote:
Your response seems to suggest that the bar is "Whatever is enough to
be trusted by a Certificate Consumer", which is the suggestion I had
made elsewhere, as it avoids the ambiguity of the Forum interpreting
and/or setting these guidelines, and instead moves to a very objective
model that we can use and that can be extended if necessary.
You suggest it's an exception, but I think it bears repeated
reminding: As the Forum looks to undertake "new" work (in the case of
S/MIME or Code Signing), where there exist no objective
industry-accepted audit criteria, and instead a loose assortment, which
includes, but is not limited to, WebTrust for CAs, then I think our
definition of membership needs to evolve to reflect that. We cannot
take on this 'new' work without figuring out how to include those
either affected by or with value to contribute to the discussions. The
selection of "Webtrust for CAs" or "ETSI" is merely a codification of
existing SSL/TLS Certificate Consumer practice, but it's not robust to
handle that new work.
So, to again put the question back to you: Do you think there's some
property, beyond "accepted by a Certificate Consumer", that you feel
is essential for the Forum to capture within its membership requirements?
I think I answered this in my last paragraph.
Then by this goal, I don't believe our current membership
criteria meet this. For example, a qualified auditor is
determined by... government regulations in the case of ETSI. Does
that mean we should exclude ETSI audits from the scope? Or should
we allow CABs that are not accredited by the NABs?
This doesn't make a lot of sense. NABs are not Supervisory Bodies.
It's different. I was referring to government audit schemes for
CAs where a certain government unit audits a CA under national
criteria.
Yet the use of ETSI is still regulated.
Then we have different terminology for "regulation". In my understanding
and interpretation, a "regulation" is a "law" or "obligation" that is
mandated by local law in a local jurisdiction. In the EU case, it could
be a law or obligation mandated by a Regulation voted by the European
Council. NABs set their own rules based on EA requirements and
international standards.
I realize it may seem like I'm being difficult, but I think
there's a core piece missing, which is trying to understand why
it's important for some members to exclude some other CAs that
have had long-standing operations. This is particularly relevant
for the discussion of the S/MIME charter, in which there is
significant and extant set of 'trusted' certificates, in a
variety of software, that does not meet the criteria for
participation. They would be excluded from participating in
engaging or drafting the new criteria, by virtue of the Forum
membership criteria, and I think that's something we should be
thinking very carefully about and articulating what properties we
expect of CAs and why.
IMHO we need audit requirements that have undergone enough
scrutiny and quality assurance. International standards like ISO,
WebTrust and ETSI have such a process which provides better
assurance for the audit outcome. That's my personal view. We can
always listen to other schemes and we would welcome input from
governments (as Interested Parties) if they choose to participate.
If these schemes became so useful and comparable with existing
international schemes, then the S/MIME Working Group could decide
to add those schemes in the criteria for Membership and possibly
in the produced Guidelines.
I'm trying to understand the /why/ you take that personal view. I see
no objective reasoning to support that.
I disagree that for S/MIME there is no set of existing rules. ETSI EN
319 411-1 (scope LCP, NCP) and AFAIK WebTrust for CAs have been used as
attestations of adequate level of organizational/technical controls for
S/MIME, clientAuthentication and Code Signing Certificates.
The main reason I prefer using an international scheme is that it is
more carefully drafted, usually by experts in that area, and has good
and internationally acceptable quality assurance. The auditors
themselves are assessed by peer reviews (WebTrust) or by NABs (ETSI).
Local laws and national regulations may not have a similar quality level,
but a lower one. Auditors are usually a government agency. I consider the
level of audit schemes in the Baseline Requirements to be a good set of
standards to start with because it sets the bar pretty high from the
very beginning. In any case, there could be exceptions and there might
be local laws and regulations that are outstanding and may set the bar
even higher. We should accept everyone as Interested Parties (we do that
already) and collaborate to extend our set of audit criteria and audit
schemes.
Dimitris.
_______________________________________________
Public mailing list
[email protected]
https://cabforum.org/mailman/listinfo/public