[cabfpub] Teleconference agenda - CA/B Forum - 2 May 2013

Ben Wilson ben at digicert.com
Tue Apr 30 23:39:06 UTC 2013


Kirk,

To where in the CP are you referring there is a conflict because in the Foreword, page vii, they say that the Reference CP follows RFC 3647?

Thanks,

Ben

 

From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of kirk_hall at trendmicro.com
Sent: Tuesday, April 30, 2013 4:49 PM
To: jeremy.rowley at digicert.com; ben at digicert.com; public at cabforum.org
Subject: Re: [cabfpub] Teleconference agenda - CA/B Forum - 2 May 2013

 

Just one more point on this – those of us audited to WebTrust already have templates our CPs and CPSs must follow, with the checklists in those templates, so we need to avoid adopting a conflicting template (the NIST document).

 

WebTrust 1.1: The CA discloses its business practices including but not limited to the topics listed in RFC 3647, RFC 2527, or WebTrust for Certification Authorities v1 CA Business Practices Disclosure Criteria (see Appendix A) in its Certification Practice Statement.

 

 

From: Jeremy Rowley [mailto:jeremy.rowley at digicert.com] 
Sent: Tuesday, April 30, 2013 3:14 PM
To: Kirk Hall (RD-US); ben at digicert.com; public at cabforum.org
Subject: RE: [cabfpub] Teleconference agenda - CA/B Forum - 2 May 2013

 

I agree with you, Kirk.  Considering that some of the recommendations made in this document are impractical, difficult to verify, or contribute little to improving the industry, our time will be spent more effectively if we focus on extracting the good points of the document and implementing them as part of the CAB Forum’s existing standards rather than trying to improve or implement the NIST CP as a guideline or requirement.  

 

Jeremy

 

From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of kirk_hall at trendmicro.com
Sent: Tuesday, April 30, 2013 3:59 PM
To: ben at digicert.com; public at cabforum.org
Subject: Re: [cabfpub] Teleconference agenda - CA/B Forum - 2 May 2013

 

Ben – thanks for sending out the link to the NIST document.  I will miss the first 30 minutes of our call, so let me offer my thoughts on the NIST Reference Certificate Policy, http://csrc.nist.gov/publications/drafts/nistir-7924/draft_nistir_7924.pdf

 

I think it would be a mistake for the Forum to require members to edit their CPs/CPSs to match a NIST template.  I would say that none of the CA breaches to date are the result of inadequate CPs/CPSs as documents, and the more complex a CA’s CPS becomes, the greater chance that it simply becomes wallpaper and won’t be followed with any real fidelity.

 

On the other hand, I DO think it would be very valuable to analyze the NIST CP document for its substantive requirements, especially in security areas, and where appropriate strengthen the existing BRs and our draft Security Guidelines for later incorporation in the updated WebTrust / ETSI audit requirements.

 

Put another way, so long as we extract the best practices from the NIST document and put them in our CA requirements that are annually audited, I don’t think there’s any real need to include them in our CPSs (which are already dense enough and hard for the public to read).

 

From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Ben Wilson
Sent: Tuesday, April 30, 2013 2:41 PM
To: public at cabforum.org
Subject: [cabfpub] Teleconference agenda - CA/B Forum - 2 May 2013

 

All,

 

Here is draft 1 of Thursday’s agenda. For approximately 20 minutes at the start of the meeting we will have a guest speaker presentation from NIST/NSA on the NIST Reference CP. It is available for review and comment here -- http://csrc.nist.gov/publications/PubsDrafts.html#NIST-IR-7924.

 

I will send this agenda out again tomorrow to the management list with any revisions and the dial-in information.  Thanks.

 

Sincerely yours,

Ben 

  

 


(Thur) 2 May 2013

| Time | Start | Stop | Slot | Description | Notes / Presenters |
|------|-------|-------|------|-------------|--------------------|
| 0:03 | 16:00 | 16:03 | 1 | Roll Call | |
| 0:01 | 16:03 | 16:04 | 2 | Agenda Review | |
| 0:20 | 16:04 | 16:24 | 3 | Review Reference CP (NIST IR 7294) | Guest speakers from NIST/NSA will review and explain NIST IR 7294 |
| 0:02 | 16:24 | 16:26 | 4 | Approve Minutes of 18 April 2013 | Ben's Email on 23 April |
| 0:10 | 16:26 | 16:36 | 5 | Ballots - Ballot 99 - Add DSA Keys closes on 3 May 2013 at 21UTC; follow-up on Ballot 89 - Guidelines for Processing EV; proposed Ballot ___ re: OCSP responders that respond “good” to non-issued certificates | |
| 0:06 | 16:36 | 16:42 | 6 | Other Announcements - Date Change for Ankara F2F (September 24-26); recent ITU Actions | |
| 0:10 | 16:42 | 16:52 | 7 | NFC Forum proposal to revise “Signature Record Type Definition - Technical Specification” (NFCForum-TS-Signature_RTD-1.0) | Jeremy |
| 0:10 | 16:52 | 17:02 | 8 | Continued discussion of audit requirements / technical constraints for external subCAs | |
| 0:05 | 17:02 | 17:07 | 9 | Mozilla Inclusion Policy and Suspension/CRLReason=certificateHold | Clarification needed – see email from Gerv on Mozilla dev security policy list 30 Apr. “Re: Update Mozilla policy regarding version 1.1.3 of the BRs?” |
| 0:05 | 17:07 | 17:12 | 10 | Any Other Business | |
| 0:01 | 17:12 | 17:13 | 11 | Next call -- Thurs. May 16th | |
| 0:00 | 17:13 | 17:13 | 12 | Adjourn | |

 

	
							
				
Additional Potential Topics to Discuss

- Updating the CAB Forum Web Site
- Collaborative work with other groups - IETF, etc.
- Coordinating schedules for updates to Audit Criteria
- OCSP Stapling and Must-Staple Efforts
- Short-Form IPR Agreement
- Code Signing Update
- Baseline Requirement audit issues
- Fixes and updates to BRs or EV Guidelines

		
							

 



 
TREND MICRO EMAIL NOTICE
The information contained in this email and any attachments is confidential 
and may be subject to copyright or other intellectual property protection. 
If you are not the intended recipient, you are not authorized to use or 
disclose this information, and we request that you notify us by reply mail or
telephone and delete the original message from your mail system.

 



 

 
