<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 14 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link=blue vlink=purple><div class=WordSection1><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>“…the requirements themselves are problematic for a variety of reasons, though well-intentioned. As Gerv suggested, I owe the Forum a more detailed write-up of these concerns if we are going to treat them as "Good".”<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Have you had a chance to come up with this write-up? If not, I’m hoping you might be able to do so before the next F2F in Feb if possible. While we are no longer looking to integrate the 2 docs, it would be helpful to understand what specific issues Google has with the NetSec document as it is (per your note), a requirement in the audit regimes. Although Google may not expect CAs to follow it, other browser programs will rely on the specific audit and would likely call into question a non-compliance. (I note that Opera and Mozilla voted for ballot 83). The Policy working group is therefore interested in your comments on the document.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Thanks<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> Ryan Sleevi [mailto:sleevi@google.com] <br><b>Sent:</b> Tuesday, September 15, 2015 12:56 PM<br><b>To:</b> Dean Coclin<br><b>Cc:</b> richard.smith@comodo.com; Gervase Markham; public@cabforum.org<br><b>Subject:</b> Re: [cabfpub] Cert Policy Working Group activity<o:p></o:p></span></p><p class=MsoNormal><o:p> </o:p></p><div><p class=MsoNormal><o:p> </o:p></p><div><p class=MsoNormal><o:p> </o:p></p><div><p class=MsoNormal>On Tue, Sep 15, 2015 at 12:39 PM, Dean Coclin <<a href="mailto:Dean_Coclin@symantec.com" target="_blank">Dean_Coclin@symantec.com</a>> wrote:<o:p></o:p></p><p class=MsoNormal>The comments essentially break down into 2 types:<br>1. Insuring that any new language added is reviewed and perhaps balloted by<br>the entire forum (comments from Bruce, Rick, Kirk)<br>2. Determining whether the network security guidelines should be merged<br>(Gerv's comment)<o:p></o:p></p><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>Apologies that silence may be seen as no feelings, but Google definitely agrees with Gerv regarding a preference for non-integration.<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>During the Google-hosted Mountain View F2F in February of last year, I highlighted several of the practical concerns and problems with these documents. While the adoption of the documents within the CA/B Forum was handled via Ballot 83 ( <a href="https://cabforum.org/2012/08/03/ballot-83-adopt-network-and-certificate-system-security-requirements/">https://cabforum.org/2012/08/03/ballot-83-adopt-network-and-certificate-system-security-requirements/</a> ), the requirements themselves are problematic for a variety of reasons, though well-intentioned.<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>As Gerv suggested, I owe the Forum a more detailed write-up of these concerns if we are going to treat them as "Good". The non-adoption/non-requirement by root programs, at the time, left me largely ambivalent as to the need or importance of communicating these, but the unfortunate integration into both ETSI and the WebTrust guidelines perhaps makes this a more necessary function.<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>Regardless of their integration status in audits, they're not something we (Google) expect CAs to follow, and have been growing concerned with their interpretation and application, preventing what we view as more secure ways of managing networks from being explored.<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>In the interim, it would be quite beneficial to these aims to NOT integrate the NetSec requirements, and to take advantage of the opportunities presented in #1, which as we discussed during the Zurich F2F, there is more than enough ample opportunity to improve things. For example, the Policy WG could consider some of the recent Policy Reviews that have occurred on the mozilla.dev.security.policy mailing list ( <a href="https://groups.google.com/forum/#!forum/mozilla.dev.security.policy">https://groups.google.com/forum/#!forum/mozilla.dev.security.policy</a> ) regarding issues with the structure and quality of CP/CPS for applicants and renewals within the Mozilla Root Program as points that the Forum may provide appropriate guidance on.<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>Example policy reviews:<o:p></o:p></p></div><div><p class=MsoNormal>* SECOM - <a href="https://groups.google.com/d/msg/mozilla.dev.security.policy/LRLkWliCIec/EAGOTubkFwAJ">https://groups.google.com/d/msg/mozilla.dev.security.policy/LRLkWliCIec/EAGOTubkFwAJ</a><o:p></o:p></p></div><div><p class=MsoNormal>* WISeKey - <a href="https://groups.google.com/d/msg/mozilla.dev.security.policy/U_uy68U7E7o/PIM9tFTdGAAJ">https://groups.google.com/d/msg/mozilla.dev.security.policy/U_uy68U7E7o/PIM9tFTdGAAJ</a><o:p></o:p></p></div><div><p class=MsoNormal>* SSC - <a href="https://groups.google.com/d/msg/mozilla.dev.security.policy/W0st0yN9bTM/14_-nZ7jGAAJ">https://groups.google.com/d/msg/mozilla.dev.security.policy/W0st0yN9bTM/14_-nZ7jGAAJ</a><o:p></o:p></p></div><div><p class=MsoNormal>* LuxTrust - <a href="https://groups.google.com/d/msg/mozilla.dev.security.policy/47Jz7f8E4RI/ACHCpG2KCpYJ">https://groups.google.com/d/msg/mozilla.dev.security.policy/47Jz7f8E4RI/ACHCpG2KCpYJ</a><o:p></o:p></p></div><div><p class=MsoNormal>* Certinomis - <a href="https://groups.google.com/d/msg/mozilla.dev.security.policy/B44zk_YO9zE/lyfaXpVXP4MJ">https://groups.google.com/d/msg/mozilla.dev.security.policy/B44zk_YO9zE/lyfaXpVXP4MJ</a><o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>Many of these concerns I echo'd during the Policy WG discussions, but perhaps this provides a more convenient venue for member CAs and for members of the Policy WG to consider.<o:p></o:p></p></div></div></div></div></div></body></html>