[cabfpub] Teleconference agenda - CA/B Forum - 2 May 2013
Jeremy Rowley
jeremy.rowley at digicert.com
Wed May 1 03:19:22 UTC 2013
Depends on what you mean by “template”. The NIST CP is in a 3647 format and covers the topics required by 3647, but 3647 does not recommend particular practices that a CA should follow. The NIST CP does recommend practices that should be included in each CA’s CP.
From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of kirk_hall at trendmicro.com
Sent: Tuesday, April 30, 2013 6:56 PM
To: ben at digicert.com; jeremy.rowley at digicert.com; public at cabforum.org
Subject: Re: [cabfpub] Teleconference agenda - CA/B Forum - 2 May 2013
I did not compare the NIST template CP/CPS with the RFC 3647 template – but I assume there must be differences in the NIST template, or else why publish the NIST document?!?
However, I could be wrong. If NIST is the same as RFC 3647, then presumably we are all in compliance with NIST already.
From: Ben Wilson [mailto:ben at digicert.com]
Sent: Tuesday, April 30, 2013 4:39 PM
To: Kirk Hall (RD-US); jeremy.rowley at digicert.com; public at cabforum.org
Subject: RE: [cabfpub] Teleconference agenda - CA/B Forum - 2 May 2013
Kirk,
To where in the CP are you referring there is a conflict because in the Foreword, page vii, they say that the Reference CP follows RFC 3647?
Thanks,
Ben
From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of kirk_hall at trendmicro.com
Sent: Tuesday, April 30, 2013 4:49 PM
To: jeremy.rowley at digicert.com; ben at digicert.com; public at cabforum.org
Subject: Re: [cabfpub] Teleconference agenda - CA/B Forum - 2 May 2013
Just one more point on this – those of us audited to WebTrust already have templates our CPs and CPSs must follow, with the checklists in those templates, so we need to avoid adopting a conflicting template (the NIST document).
WebTrust 1.1:The CA discloses its business practices including but not limited to the topics listed in RFC 3647, RFC 2527, or WebTrust for Certification Authorities v1 CA Business Practices Disclosure Criteria (see Appendix A) in its Certification Practice Statement.
From: Jeremy Rowley [mailto:jeremy.rowley at digicert.com]
Sent: Tuesday, April 30, 2013 3:14 PM
To: Kirk Hall (RD-US); ben at digicert.com; public at cabforum.org
Subject: RE: [cabfpub] Teleconference agenda - CA/B Forum - 2 May 2013
I agree with you, Kirk. Considering that some of the recommendations made in this document are impractical, difficult to verify, or contribute little to improving the industry, our time will be spent more effectively if we focus on extracting the good points of the document and implementing them as part of the CAB Forum’s existing standards rather than trying to improve or implement the NIST CP as a guideline or requirement.
Jeremy
From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of kirk_hall at trendmicro.com
Sent: Tuesday, April 30, 2013 3:59 PM
To: ben at digicert.com; public at cabforum.org
Subject: Re: [cabfpub] Teleconference agenda - CA/B Forum - 2 May 2013
Ben – thanks for sending out the link to the NIST document. I will miss the first 30 minutes of our call, so let me offer my thoughts on the NIST Reference Certificate Policy, http://csrc.nist.gov/publications/drafts/nistir-7924/draft_nistir_7924.pdf
I think it would be a mistake for the Forum to require members to edit their CPs/CPSs to match a NIST template. I would say that none of the CA breaches to date are the result of inadequate CPs/CPSs as documents, and the more complex a CA’s CPS becomes, the greater chance that it simply becomes wallpaper and won’t be followed with any real fidelity.
On the other hand, I DO think it would be very valuable to analyze the NIST CP document for its substantive requirements, especially in security areas, and where appropriate strengthen the existing BRs and our draft Security Guidelines for later incorporation in updated the WebTrust / ETSI audit requirements.
Put another way, so long as we extract the best practices from the NIST document and put them in our CA requirements that are annually audited, I don’t think there’s any real need to include them in our CPSs (which are already dense enough and hard for the public to read).
From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Ben Wilson
Sent: Tuesday, April 30, 2013 2:41 PM
To: public at cabforum.org
Subject: [cabfpub] Teleconference agenda - CA/B Forum - 2 May 2013
All,
Here is draft 1 of Thursday’s agenda. For approximately 20 minutes at the start of the meeting we will have a guest speaker presentation NIST/NSA on the NIST Reference CP. It is available for review and comment here -- http://csrc.nist.gov/publications/PubsDrafts.html#NIST-IR-7924.
I will send this agenda out again tomorrow to the management list with any revisions and the dial-in information. Thanks.
Sincerely yours,
Ben
Time
Start
Stop
Slot
Description
Notes / Presenters
(Thur) 2 May 2013
0:03
16:00
16:03
1
Roll Call
0:01
16:03
16:04
2
Agenda Review
0:20
16:04
16:24
3
Review Reference CP (NIST IR 7294)
Guest speakers from NIST/NSA will review and explain NIST IR 7294
0:02
16:24
16:26
4
Approve Minutes of 18 April 2013
Ben's Email on 23 April
0:10
16:26
16:36
5
Ballots - Ballot 99 - Add DSA Keys closes on 3 May 2013 at 21UTC; follow-up on Ballot 89 - Guidelines for Processing EV; proposed Ballot ___ re: OCSP responders that respond “good” to non-issued certificates
0:06
16:36
16:42
6
Other Announcements - Date Change for Ankara F2F (September 24-26); recent ITU Actions
0:10
16:42
16:52
7
NFC Forum proposal to revise “Signature Record Type Definition - Technical Specification” (NFCForum-TS-Signature_RTD-1.0)
Jeremy
0:10
16:52
17:02
8
Continued discussion of audit requirements / technical constraints for external subCAs
0:05
17:02
17:07
9
Mozilla Inclusion Policy and Suspension/CRLReason=certificateHold
Clarification needed – see email from Gerv on Mozilla dev security policy list 30 Apr. “Re: Update Mozilla policy regarding version 1.1.3 of the BRs?”
0:05
17:07
17:12
10
Any Other Business
0:01
17:12
17:13
11
Next call -- Thurs. May 16th
0:00
17:13
17:13
12
Adjourn
Additional Potential Topics to Discuss
Updating the CAB Forum Web Site
Collaborative work with other groups - IETF, etc.
Coordinating schedules for updates to Audit Criteria
OCSP Stapling and Must-Staple Efforts
Short-Form IPR Agreement
Code Signing Update
Baseline Requirement audit issues
Fixes and updates to BRs or EV Guidelines
TREND MICRO EMAIL NOTICE
The information contained in this email and any attachments is confidential
and may be subject to copyright or other intellectual property protection.
If you are not the intended recipient, you are not authorized to use or
disclose this information, and we request that you notify us by reply mail or
telephone and delete the original message from your mail system.
TREND MICRO EMAIL NOTICE
The information contained in this email and any attachments is confidential
and may be subject to copyright or other intellectual property protection.
If you are not the intended recipient, you are not authorized to use or
disclose this information, and we request that you notify us by reply mail or
telephone and delete the original message from your mail system.
TREND MICRO EMAIL NOTICE
The information contained in this email and any attachments is confidential
and may be subject to copyright or other intellectual property protection.
If you are not the intended recipient, you are not authorized to use or
disclose this information, and we request that you notify us by reply mail or
telephone and delete the original message from your mail system.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://cabforum.org/pipermail/public/attachments/20130430/8e3ef91c/attachment-0001.html
More information about the Public
mailing list