[cabf_netsec] Updates to discussion doc on SC28
Neil Dunbar
ndunbar at trustcorsystems.com
Fri Jun 12 08:38:27 MST 2020
Many thanks, David,
I've accepted those changes (and made some minor modifications in return).
All - feedback is gratefully received.
Thanks,
Neil
On 12/06/2020 13:06, David Kluge wrote:
> Thanks Neil.
> I added my comments and suggestions to the doc.
>
> On Thu, Jun 11, 2020 at 6:07 PM Neil Dunbar via Netsec
> <netsec at cabforum.org> wrote:
>
> All,
>
> In preparation for an SC28v2, hopefully addressing some issues
> highlighted by Ryan S, I've made some changes to the SC28 discussion
> doc; I'd really appreciate it if the endorsers at least could take a
> look and provide me with some feedback?
>
> Changes:
>
> BR 1.6.1 : A definition for the term "Certificate Profile" is inserted.
>
> BR 5.4.1 : A requirement to log creation, update and delete of
> Certificate Profiles under a CA Private Key is added. Ryan did a good
> job explaining why this stuff has longer term relevance than might at
> first appear, so I do feel that a requirement to at least log that
> "Certificate Profile X changed to X' on date D under the authorship of
> person P" isn't actually a huge workload on CAs.
>
> BR 5.4.1 : A requirement to log the addition, update and removal of
> software from any CA operating compute is added. As I say in the
> comments, I'm not sure it's actually needed, because I operated under
> the notion that a system description always included a software manifest
> and its history - but perhaps I'm wrong?
>
> BR 5.4.3 : Added the requirement that logging for CA lifecycle events
> must continue until either the Private Key is destroyed or the last CA
> Certificate corresponding to that public key expires/is revoked.
> Previously, we operated under the assumption that there was 1 CA Private
> Key corresponding to 1 CA Certificate, but that's actually not
> necessarily true. So the language (while horribly clunky) tries to
> capture that.
>
> I'd like to get this out to SCWG as SC28v2 by Monday at the latest, but
> ideally Friday, so if you good folks could look at the document
> https://docs.google.com/document/d/1pVrjBKfxYJMPUF_L8egCdyAY-p86Vfe_mEBw_xJyVE8/edit#
> and comment/improve it, I'd be hugely grateful.
>
> Thanks,
>
> Neil
>
>
> --
>
> David Kluge | Technical Program Manager | kluge at google.com | +41 44 668 03 54