[cabfpub] Next Published Version of Baseline Requirements

Ben Wilson ben at digicert.com
Mon Mar 18 18:38:21 UTC 2013



The WebTrust Task Force has helpful language in version 1.1, Audit Criteria
for Baseline Requirements, which I would like to re-purpose in one of the
title pages for version 1.1.3 of the BRs.  


What if we said?


Implementers' Note:  Version 1.1 of the SSL Baseline Requirements was
published on September 14, 2012.  Version 1.1 of WebTrust's SSL Baseline
Audit Criteria and ETSI Technical Standard Electronic Signatures and
Infrastructures (ESI) 102 042 version 2.3.1 incorporate version 1.1 of these
Baseline Requirements and are currently in effect.  See
http://www.webtrust.org/homepage-documents/item27839.aspx and
42v020301p.pdf.  The CA / Browser Forum continues to improve the Baseline
Requirements, and we encourage all CAs to conform to each revision on the
date specified without awaiting a corresponding update to an applicable
audit criterion.  In the event of a conflict between an existing audit
criterion and a guideline revision, we will communicate with the audit
community and attempt to resolve any uncertainty, and we will respond to
implementation questions directed to questions at cabforum.org.  Our
coordination with compliance auditors will continue as we develop guideline
revision cycles that harmonize with the revision cycles for audit criteria,
the compliance auditing periods and cycles of CAs, and the CA / B Forum's
guideline implementation dates. 


(Also, instead of creating a redline from version 1.0, it should be based on
BR 1.1 because I think that is what was used for ETSI TS 102 042 V2.3.1 (and
certainly for v.1.1 of WebTrust for the BRs) and from my review, the changes
do not make comparison for compliance purposes that difficult.)




From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On
Behalf Of Ben Wilson
Sent: Friday, March 15, 2013 6:14 PM
To: public at cabforum.org
Subject: [cabfpub] Next Published Version of Baseline Requirements




In response to Gerv's email of 28-Jan-2013 ("[cabfpub] CAB Forum Document
Versioning"), and changes related to Ballots 71, 93, 96, and 97, I am
preparing a proposed version 1.1.3 of the Baseline Requirements - see
attached "Document History" table.  Also, to address other comments on that
same "Versioning" thread, and also to address BR Issue 33 - Title Pages -
"No single place to view effective dates", I've created a table of
compliance dates.   Please review both tables on the attached page.  


To further address comments about ongoing improvements to the Baseline
Requirements, I have two more suggestions:  (1) we have room for text on
this page that could explain a little about how to comply with post-v.1.0
versions of the BRs, assuming CAs are audited under WebTrust for CAs - SSL
Baseline Requirements Audit Criteria, V1.0, or ETSI TS 102 042 V2.3.1; and
(2) it will be relatively easy to create a redlined PDF that compares BR v.
1.1.3 to BR v. 1.0, so that anyone looking at a WebTrust or ETSI audit can
determine whether any post-BR v1.0 changes are relevant to their


