[cabfcert_policy] Next steps for Policy Working Group

Peter Bowen pzb at amazon.com
Wed Jun 1 09:39:33 MST 2016


+policyreview at cabfourm.org

> On Jun 1, 2016, at 6:17 AM, Kirk Hall <Kirk.Hall at entrust.com> wrote:
> 
> At the Face-to-Face meeting in Bilbao, the Policy Working Group discussed possible edits to the Network Security requirements.  As I recall, the WG is trying to do three things simultaneously:
>  
> (1)    Looking at external PKI standards like NIST to see if there are additional provisions we should add to the Network Security requirements
> (2)    Looking at the existing Network Security requirements to decide if they need to be edited (e.g., possibly modifying the current antivirus requirement)
> (3)    Considering migrating the Network Security requirements into the BRs so the requirements are all in one place
>  
> It seems to me that this process will be most successful if we decide what order we want to do (1) through (3) – it’s pretty hard to be doing all three at once.
>  
> What’s the best order for doing this?  Complete (1) first, then (2), then (3)?  Or try to do (1) and (2) at the same time, and only then work on (3)? 

I think the best order is first (2), then (3), then (1).  Changes to the current requirements are best as deltas against the current document.  Then once those are resolved, we merge into the BRs.  Finally we can add brand new content from NIST or elsewhere to the BRs, which is what we have been doing with other sections already.

Thanks,
Peter

