[Cscwg-public] NetSec version in CSBR references

Dimitris Zacharopoulos (HARICA) dzacharo at harica.gr
Tue Nov 14 12:07:40 UTC 2023



On 6/11/2023 9:08 PM, Bruce Morton via Cscwg-public wrote:
>
> Can we remove the version number for the NetSec requirements as listed 
> in CSBR section 1.6.3? I think our goal should be to meet the latest 
> version of the NetSec requirements. CAs which want to monitor or stay 
> ahead of the NetSec requirement changes, can join the NetSec Working 
> Group.
>

While I understand the challenges of having to meet potentially two 
different versions of the NetSec depending on the type of certificates 
offered, I am more scared of the compliance and audit obligations by 
directly pointing to a version-less NetSec document.

Just like we point to a specific version of the EV Guidelines, for 
consistency reasons I think we should point to a specific version of the 
NetSec until we revisit our position (policy) towards this problem for 
both external references.

Dimitris.

> Bruce.
>
> *From:* Servercert-wg <servercert-wg-bounces at cabforum.org> *On Behalf Of*
> Inigo Barreira via Servercert-wg
> *Sent:* Monday, November 6, 2023 10:49 AM
> *To:* Tobias S. Josefowitz <tobij at opera.com>
> *Cc:* CA/B Forum Server Certificate WG Public Discussion List 
> <servercert-wg at cabforum.org>
> *Subject:* [EXTERNAL] Re: [Servercert-wg] Ballot SC-066: Fall 2023 
> Clean-up v3
>
> Thanks for the clarification, for me it's not a problem to leave the 
> NetSec version number as it is now, v1.7, and therefore apply #423 as 
> initially proposed. I will make the correspondent changes and will 
> provide a new version unless someone else speaks up and has a 
> different view or proposal.
> OTOH, and FWIW, I've seen that while the CS BRs is the same as in the 
> TLS BRs but the SMIME BRs have the version 1.7 "or later".
> Regards
> -----Original Message-----
> From: Tobias S. Josefowitz <tobij at opera.com>
> Sent: Monday, November 6, 2023 16:30
> To: Inigo Barreira <Inigo.Barreira at sectigo.com>
> CC: CA/B Forum Server Certificate WG Public Discussion List 
> <servercert-wg at cabforum.org>
> Subject: RE: [Servercert-wg] Ballot SC-066: Fall 2023 Clean-up v3
> Hi Inigo,
> On Mon, 6 Nov 2023, Inigo Barreira wrote:
> > Not sure what you are requesting, to not consider the issue #423 and
> > remove the version number of the NetSec or that this change can't be
> > considered a "clean-up" ballot and should go on a different one. Or
> > none of these?
> Both. Let me re-state my original points with all the possible clarity:
> First, this seems to be a highly significant change relating to 
> something that has rightly been identified as sensitive around the 
> formation of the NetSec WG.
> Second, since this is such a highly significant change, if it were to 
> be made, it should not be made in a "Clean-up" Ballot. (For what it is 
> worth, I do not think that this change should be made at all.)
> > When the #423 was discussed, and Dimitris indicated in the proposal,
> > was to remove the version numbers to avoid pointing to old or
> > deprecated versions because every time there was a new version of the
> > NetSec, the TLS BRs should change/update and point to the new version.
> > Dimitris indicated in the text that we could leave the version of the
> > NetSec but I think that we agreed during the call to also remove that
> > version number. Maybe someone else can clarify or remember what was
> > agreed. If it was decided to keep the version number for the NetSec,
> > this can be reverted.
> I can understand that the significance of this change could easily be 
> missed during a Meeting situation. Luckily we have the opportunity in 
> the Ballot process to address such questions before a Ballot goes to vote.
> Tobi