<html>
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
  </head>
  <body>
    <p>Many thanks, David,</p>
    <p>I've accepted those changes (and made some minor modifications in
      return).</p>
    <p>All - feedback is gratefully received.</p>
    <p>Thanks,</p>
    <p>Neil<br>
    </p>
    <div class="moz-cite-prefix">On 12/06/2020 13:06, David Kluge wrote:<br>
    </div>
    <blockquote type="cite"
cite="mid:CAO5jakBnea2+6KqWJGGmEMdPD3RPqE5UqHAmMeHCpDWvwFTApw@mail.gmail.com">
      <div dir="ltr">Thanks Neil. 
        <div>I added my comments and suggestions to the doc.</div>
      </div>
      <br>
      <div class="gmail_quote">
        <div dir="ltr" class="gmail_attr">On Thu, Jun 11, 2020 at 6:07
          PM Neil Dunbar via Netsec &lt;<a
            href="mailto:netsec@cabforum.org" moz-do-not-send="true">netsec@cabforum.org</a>&gt;
          wrote:<br>
        </div>
        <blockquote class="gmail_quote" style="margin:0px 0px 0px
          0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">All,<br>
          <br>
          In preparation for an SC28v2, hopefully addressing some issues<br>
          highlighted by Ryan S, I've made some changes to the SC28
          discussion<br>
          doc; I'd really appreciate it if the endorsers at least could
          take a<br>
          look and provide me with some feedback?<br>
          <br>
          Changes:<br>
          <br>
          BR 1.6.1 : A definition for the term "Certificate Profile" is
          inserted.<br>
          <br>
          BR 5.4.1 : A requirement to log creation, update and delete of<br>
          Certificate Profiles under a CA Private Key is added. Ryan did
          a good<br>
          job explaining why this stuff has longer term relevance than
          might at<br>
          first appear, so I do feel that a requirement to at least log
          that<br>
          "Certificate Profile X changed to X' on date D under the
          authorship of<br>
          person P" isn't actually a huge workload on CAs.<br>
          <br>
          BR 5.4.1 : A requirement to log the addition, update and
          removal of<br>
          software from any CA operating compute is added. As I say in
          the<br>
          comments, I'm not sure it's actually needed, because I
          operated under<br>
          the notion that a system description always included a
          software manifest<br>
          and its history - but perhaps I'm wrong?<br>
          <br>
          BR 5.4.3 : Added the requirement that logging for CA lifecycle
          events<br>
          must continue until either the Private Key is destroyed or the
          last CA<br>
          Certificate corresponding to that public key expires/is
          revoked.<br>
          Previously, we operated under the assumption that there was 1
          CA Private<br>
          Key corresponding to 1 CA Certificate, but that's actually not<br>
          necessarily true. So the language (while horribly clunky)
          tries to<br>
          capture that.<br>
          <br>
          I'd like to get this out to SCWG as SC28v2 by Monday at the
          latest, but<br>
          ideally Friday, so if you good folks could look at the
          document<br>
          <a
href="https://docs.google.com/document/d/1pVrjBKfxYJMPUF_L8egCdyAY-p86Vfe_mEBw_xJyVE8/edit#"
            rel="noreferrer" target="_blank" moz-do-not-send="true">https://docs.google.com/document/d/1pVrjBKfxYJMPUF_L8egCdyAY-p86Vfe_mEBw_xJyVE8/edit#</a><br>
          and comment/improve it, I'd be hugely grateful.<br>
          <br>
          Thanks,<br>
          <br>
          Neil<br>
        </blockquote>
      </div>
      <br clear="all">
      <div><br>
      </div>
      -- <br>
      <div dir="ltr" class="gmail_signature">
        <div dir="ltr"><br
            style="color:rgb(136,136,136);font-size:12.8px">
          <div style="font-size:12.8px">
            <div dir="ltr"><font face="'trebuchet ms', sans-serif"><span
style="border-collapse:collapse;font-family:sans-serif;line-height:20px"><span
                    style="border-width:2px 0px
0px;border-style:solid;border-color:rgb(213,15,37);padding-top:2px;margin-top:2px"><font>David
                      Kluge</font><font style="color:rgb(136,136,136)"
                      color="#555555"> |</font></span><span
                    style="color:rgb(85,85,85);border-width:2px 0px
0px;border-style:solid;border-color:rgb(51,105,232);padding-top:2px;margin-top:2px"> Technical
                    Program Manager |</span><span
                    style="color:rgb(85,85,85);border-width:2px 0px
0px;border-style:solid;border-color:rgb(0,153,57);padding-top:2px;margin-top:2px"> <a
                      href="mailto:kluge@google.com" target="_blank"
                      moz-do-not-send="true">kluge@google.com</a> |</span><span
                    style="color:rgb(85,85,85);border-width:2px 0px
0px;border-style:solid;border-color:rgb(238,178,17);padding-top:2px;margin-top:2px"> 
                    +41 44 668 03 54</span></span></font></div>
          </div>
        </div>
      </div>
    </blockquote>
  </body>
</html>