CAB Forum meeting report


Gervase Markham

May 7, 2007, 2:29:36 PM
Yesterday and this morning I attended a CA/Browser Forum meeting in San
Francisco. Here are some highlights:

- The Forum voting rules were changed. For votes which affect the
contents of the Guidelines, we will use an IETF-like system where
there is a 5-day review period and then a 7-day vote, with 66% of CAs
and 50% of browsers voting having to approve for the motion to pass. For
other votes, a simple majority of organisations represented is sufficient.

- Following a day's discussion and amendments, and a few more the
following morning, those present passed a motion that Draft 17 (as it
will be) be formally voted on to see if the Forum agrees it should be
version 1.0 of the Guidelines. The new voting rules will be used. The
review period ends on 10th May at 12pm PST; the voting period therefore
ends at the same time on 17th May. If passed, the guidelines will be
immediately binding.

- The last three drafts are available here:
http://www.mozilla.org/projects/security/certs/ev/guidelines-draft-15.doc
http://www.mozilla.org/projects/security/certs/ev/guidelines-draft-16.doc
http://www.mozilla.org/projects/security/certs/ev/guidelines-draft-17.doc
The Guidelines are maintained as a .doc file (sorry). The draft 15
change markers show changes relating to many of our comments, those for
draft 16 show the changes made on the first day of the meeting, and
those for draft 17 relate to the second day.

- I have updated the wiki page with my comments on each issue which was
raised by us, and how it has been dealt with (or not).
http://wiki.mozilla.org/User:Johnath/EVDraft13ReviewComments

- We need to decide whether this draft is good enough to be version 1.0,
or whether there are still things we object to strongly enough to
require further changes.

- I proposed a motion, which passed unanimously, to admit CAs who only
have an ETSI audit to the CAB Forum. This brings the requirements for
Forum membership broadly in line with the criteria for admission to the
Mozilla root store. (An X9.79-1 audit alone will not get you into the
Forum, but I don't know any CA which just has one of those.)

This is a separate issue from allowing CAs with only an ETSI audit to
take and pass an EV readiness audit, and issue EV certificates - but the
auditors and WebTrust representative present at the meeting indicated
their willingness to a) look at how equivalent the two are, and b) see
whether we can separate the WebTrust EV audit criteria out so that other
auditors could audit against them. So progress has been made there too.

- The CAB Forum is considering eventually taking the Guidelines to a
standards body (although not immediately). Two have been suggested as
possibly appropriate - ICANN and the ISO. Suggested ISO subcommittees
were SC27 WG3, authors of the Common Criteria and SC2 (Financial
Services Security). We should decide whether we would like to suggest
other appropriate bodies.

Gerv

Eddy Nigg (StartCom Ltd.)

May 7, 2007, 6:04:43 PM
to Gervase Markham, dev-se...@lists.mozilla.org
Hi Gerv,

Gervase Markham wrote:
> This is a separate issue from allowing CAs with only an ETSI audit to
> take and pass an EV readiness audit, and issue EV certificates - but the
> auditors and WebTrust representative present at the meeting indicated
> their willingness to a) look at how equivalent the two are, and *b) see
> whether we can separate the WebTrust EV audit criteria out so that other
> auditors could audit against them*. So progress has been made there too.

If section b) is true and correct (and will be implemented), then I
think we indeed progressed a lot here... Please note that this wasn't
the language of your latest post at
http://wiki.mozilla.org/User:Johnath/EVDraft13ReviewComments, which I
answered...

Is there a way to have them commit to that in some way or form? And what
if they'll just say: "Well, we looked at it and it's not possible" after
you already voted in favor?

--
Regards

Signer: Eddy Nigg, StartCom Ltd.
Jabber: star...@startcom.org
Phone: +1.213.341.0390

Gervase Markham

May 8, 2007, 10:55:56 AM
Eddy Nigg (StartCom Ltd.) wrote:
> Is there a way to have them commit to that in some way or form? And what
> if they'll just say: "Well, we looked at it and it's not possible" after
> you already voted in favor?

I think it's rather unlikely that they would say that, given that we
(i.e. Frank) have done our own analysis of equivalence and they are
pretty similar.

This work will take some time, and we don't think it's correct to hold
up the approval of version 1.0 over this issue.

Gerv

Eddy Nigg (StartCom Ltd.)

May 8, 2007, 12:04:47 PM
to Gervase Markham, dev-se...@lists.mozilla.org
I understand that it will take some time and effort, and I didn't expect
it to be part of the Guidelines right now. Some sort of formal or
informal commitment, to which Mozilla could refer in future, might be
fine. I think that the statement from the previous mail - *to separate
the WebTrust EV audit criteria out, so that other auditors could audit
against them* - would pretty much reflect and be in line with the nature
of Mozilla as an organization and the Mozilla CA policy, which was
specifically created by Frank and the community to allow that type of
openness.

Gerv, maybe you want to update the page at
http://wiki.mozilla.org/User:Johnath/EVDraft13ReviewComments in that
respect? Because it currently says:

"The representatives from WebTrust and the audit firms also said that
they were going to do an equivalence analysis between WebTrust and ETSI
to see whether one could do a WebTrust EV Audit on top of an ETSI audit."

This is certainly not the same, if you compare both statements.
