[cabfcert_policy] How chunky are our policy updates?

Tim Hollebeek THollebeek at trustwave.com
Wed Oct 7 00:38:02 MST 2015 

Now that we have finally come to the conclusion that there is, in fact, a middle ground between waiting a few years and then submitting a 1000 line ballot, and balloting each and every word individually, I decided to take a quick look yesterday afternoon into whether the changes we have made so far can indeed be divided up cleanly.

My initial impression is that it looks pretty good.  Because of the reorganization to RFC 3647 format, related changes generally tend to be in the same section of the document.  Some examples of potential ballots:

- 3.1 Naming requirements.  The BRs are silent here; we already have five or six new requirements and Ryan would like lots more.  Probably not a good one to start with due to complexity.

- 3.4/4.9 Requirement to authenticate persons making revocation requests

- 4.7 Requirements for Re-key

- Section 5.1: Physical Security.  We have about 8 new requirements; the BRs are silent

- Section 5.2: Trusted Roles.  We have lots of requirements here too; the BRs are silent

- Section 5.3: Background checks, training, and personnel issues

- Section 5.4: Improved audit logging

- Section 6.1.3/6.1.4: public key delivery

- Section 8.3: Auditor's Independence

- Section 9.4: Privacy requirements

There may be other ways of pulling them together into larger or smaller batches.  But it appears to me that a naïve section by section process already does a pretty good job of "chunking" changes into related groups.

Note that the order here is the order that they appear in the RFC format.  It may make more sense to ballot them from less controversial to more controversial instead.

-Tim


________________________________

This transmission may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is strictly prohibited. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format.

More information about the Policyreview mailing list