[cabfpub] Ballot 107 - Removing version numbers to WebTrust and ETSI standards from CABF Guidelines (EVG and BR)

i-barreira at izenpe.net
Tue Nov 19 06:00:46 MST 2013


Just to answer questions 4 and 5.

4.- I'm OK, just bear in mind that EVCP+ is for EV code signing certificates.

5.- Not yet. We're publishing the drafts this month for public review and they will be published "officially" next year. I'll give you the dates at the next CABF F2F meeting if possible.


Iñigo Barreira
Head of the Technical Area
i-barreira at izenpe.net
945067705




-----Original Message-----
From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Ben Wilson
Sent: Friday, 15 November 2013 20:42
To: public at cabforum.org
Subject: Re: [cabfpub] Ballot 107 - Removing version numbers to WebTrust and ETSI standards from CABF Guidelines (EVG and BR)

This email is a follow up on withdrawal of Ballot 107 from voting.  I'd like to discuss this some more before making further efforts to revise the text.


As you might recall, this ballot emerged from discussions this year about coordinating audit and standards cycles.  Mads suggested we remove specific WebTrust and ETSI version numbers to prevent potential loopbacks / circular reasoning that might lead to inconsistent application of audit criteria and audit results. 

The ballot would remove version numbers and links to specific versions of audit criteria from EV Guidelines and Baseline Requirements.
 
Because ETSI TS 102 042 comprises different sets of policy requirements for different types of certificates, both SSL and non-SSL certificates, Mads suggested that we use the ETSI CP references Domain Validation (DVCP), Organizational Validation (OVCP), Extended Validation (EVCP) and enhanced Extended Validation (EVCP+) where relevant.

So, currently I'm thinking:

1- BRs - we delete the entire paragraph "Implementers' Note" on page ii (if someone wants to start fresh and write an entirely new paragraph, then we might be able to include guidance along those lines).

2- BRs - we add a note to 3. References stating "(Please refer to the latest official version of these publications.)"

3 - BRs - we remove references to versions, including the "-2" after FIPS 140 since FIPS 140-3 is now the standard, and the "-3" after FIPS 186 for the same reason.

4 - In sections 8 and 17 of the EV Guidelines, we remove "V2.1.1" from ETSI 102 042 and instead say "the then current ETSI 102 042 EV Certificate Policies (EVCP or EVCP+)."

5- Do we add or replace any of these with the new "EN" ETSI references, yet?

Were there any other concerns or issues with Ballot 107 that haven't been fully addressed?

Thanks,

Ben

-----Original Message-----
From: Sissel Hoel [mailto:Sissel.Hoel at buypass.no]
Sent: Friday, August 09, 2013 2:08 AM
To: ben at digicert.com
Cc: public at cabforum.org; Mads Egil Henriksveen
Subject: RE: [cabfpub] Ballot 107 - Removing version numbers to WebTrust and ETSI standards from CABF Guidelines (EVG and BR)

Hi Ben.

Please withdraw the ballot for now. 
Mads is on vacation and will be back on next Monday, I am sure you will hear from him after that.

Regards, Sissel

-----Original Message-----
From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Ben Wilson
Sent: 8. august 2013 20:41
To: 'Gervase Markham'; kirk_hall at trendmicro.com; Mads Egil Henriksveen; i-barreira at izenpe.net
Cc: public at cabforum.org
Subject: Re: [cabfpub] Ballot 107 - Removing version numbers to WebTrust and ETSI standards from CABF Guidelines (EVG and BR)

Without Kirk's endorsement and the other votes of concern let's consider the ballot withdrawn for further editing.  

-----Original Message-----
From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Gervase Markham
Sent: Thursday, August 08, 2013 9:16 AM
To: ben at digicert.com
Cc: public at cabforum.org
Subject: Re: [cabfpub] Ballot 107 - Removing version numbers to WebTrust and ETSI standards from CABF Guidelines (EVG and BR)

On 30/07/13 16:59, Ben Wilson wrote:
> We could, but we might want to rewrite the paragraph and explain it more.

Mozilla votes NO - see below for why.

Looking at the discussion history for ballot 107, it was proposed, and then various people provided comments, but it has not been withdrawn or resubmitted, and voting ends tomorrow. (With one early vote from Trend Micro and one from GlobalSign being the only current outstanding votes).

I think consideration needs to be given to the feedback provided and so, to prevent it 'accidentally' passing when most people seem not to have voted, Mozilla votes NO. We are not against in principle, but we wish to see either a good explanation of why the proposed changes are not necessary, or the ballot being withdrawn and updated. If the former is provided before the deadline, we would certainly consider changing our vote.

Unfortunately, I am not able to be on the call today.

Gerv
_______________________________________________
Public mailing list
Public at cabforum.org
https://cabforum.org/mailman/listinfo/public
