[cabf_netsec] Updates to discussion doc on SC28

David Kluge kluge at google.com
Fri Jun 12 05:06:13 MST 2020


Thanks Neil.
I added my comments and suggestions to the doc.

On Thu, Jun 11, 2020 at 6:07 PM Neil Dunbar via Netsec <netsec at cabforum.org>
wrote:

> All,
>
> In preparation for an SC28v2, hopefully addressing some issues
> highlighted by Ryan S, I've made some changes to the SC28 discussion
> doc; I'd really appreciate it if the endorsers at least could take a
> look and provide me with some feedback?
>
> Changes:
>
> BR 1.6.1 : A definition for the term "Certificate Profile" is inserted.
>
> BR 5.4.1 : A requirement to log creation, update and delete of
> Certificate Profiles under a CA Private Key is added. Ryan did a good
> job explaining why this stuff has longer term relevance than might at
> first appear, so I do feel that a requirement to at least log that
> "Certificate Profile X changed to X' on date D under the authorship of
> person P" isn't actually a huge workload on CAs.
>
> BR 5.4.1 : A requirement to log the addition, update and removal of
> software from any CA operating compute is added. As I say in the
> comments, I'm not sure it's actually needed, because I operated under
> the notion that a system description always included a software manifest
> and its history - but perhaps I'm wrong?
>
> BR 5.4.3 : Added the requirement that logging for CA lifecycle events
> must continue until either the Private Key is destroyed or the last CA
> Certificate corresponding to that public key expires/is revoked.
> Previously, we operated under the assumption that there was 1 CA Private
> Key corresponding to 1 CA Certificate, but that's actually not
> necessarily true. So the language (while horribly clunky) tries to
> capture that.
>
> I'd like to get this out to SCWG as SC28v2 by Monday at the latest, but
> ideally Friday, so if you good folks could look at the document
>
> https://docs.google.com/document/d/1pVrjBKfxYJMPUF_L8egCdyAY-p86Vfe_mEBw_xJyVE8/edit#
> and comment/improve it, I'd be hugely grateful.
>
> Thanks,
>
> Neil


-- 

David Kluge | Technical Program Manager | kluge at google.com | +41 44 668 03 54