[cabf_netsec] Updates to discussion doc on SC28

Neil Dunbar ndunbar at trustcorsystems.com
Fri Jun 12 08:38:27 MST 2020


Many thanks, David,

I've accepted those changes (and made some minor modifications in return).

All - feedback is gratefully received.

Thanks,

Neil

On 12/06/2020 13:06, David Kluge wrote:
> Thanks Neil. 
> I added my comments and suggestions to the doc.
>
> On Thu, Jun 11, 2020 at 6:07 PM Neil Dunbar via Netsec
> <netsec at cabforum.org <mailto:netsec at cabforum.org>> wrote:
>
>     All,
>
>     In preparation for an SC28v2, hopefully addressing some issues
>     highlighted by Ryan S, I've made some changes to the SC28 discussion
>     doc; I'd really appreciate it if the endorsers at least could take a
>     look and provide me with some feedback?
>
>     Changes:
>
>     BR 1.6.1 : A definition for the term "Certificate Profile" is
>     inserted.
>
>     BR 5.4.1 : A requirement to log creation, update and delete of
>     Certificate Profiles under a CA Private Key is added. Ryan did a good
>     job explaining why this stuff has longer term relevance than might at
>     first appear, so I do feel that a requirement to at least log that
>     "Certificate Profile X changed to X' on date D under the authorship of
>     person P" isn't actually a huge workload on CAs.
>
>     BR 5.4.1 : A requirement to log the addition, update and removal of
>     software from any CA operating compute is added. As I say in the
>     comments, I'm not sure it's actually needed, because I operated under
>     the notion that a system description always included a software
>     manifest
>     and its history - but perhaps I'm wrong?
>
>     BR 5.4.3 : Added the requirement that logging for CA lifecycle events
>     must continue until either the Private Key is destroyed or the last CA
>     Certificate corresponding to that public key expires/is revoked.
>     Previously, we operated under the assumption that there was 1 CA
>     Private
>     Key corresponding to 1 CA Certificate, but that's actually not
>     necessarily true. So the language (while horribly clunky) tries to
>     capture that.
>
>     I'd like to get this out to SCWG as SC28v2 by Monday at the
>     latest, but
>     ideally Friday, so if you good folks could look at the document
>     https://docs.google.com/document/d/1pVrjBKfxYJMPUF_L8egCdyAY-p86Vfe_mEBw_xJyVE8/edit#
>     and comment/improve it, I'd be hugely grateful.
>
>     Thanks,
>
>     Neil
>
>
>     _______________________________________________
>     Netsec mailing list
>     Netsec at cabforum.org <mailto:Netsec at cabforum.org>
>     https://lists.cabforum.org/mailman/listinfo/netsec
>
>
>
> -- 
>
> David Kluge| Technical Program Manager | kluge at google.com
> <mailto:kluge at google.com> |  +41 44 668 03 54
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/netsec/attachments/20200612/5f3f41ae/attachment.html>


More information about the Netsec mailing list