[cabfpub] Ballot 107 - Removing version numbers to WebTrust and ETSI standards from CABF Guidelines (EVG and BR)

Ben Wilson ben at digicert.com
Fri Nov 15 19:42:11 UTC 2013


This email is a follow-up on withdrawal of Ballot 107 from voting.  I'd like
to discuss this some more before making further efforts to revise the text.


As you might recall, this ballot emerged from discussions this year about
coordinating audit and standards cycles.  Mads suggested we remove specific
WebTrust and ETSI version numbers to prevent potential loopbacks / circular
reasoning that might lead to inconsistent application of audit criteria and
audit results. 

The ballot would remove version numbers and links to specific versions of
audit criteria from EV Guidelines and Baseline Requirements.
 
Because ETSI TS 102 042 comprises different sets of policy requirements for
different types of certificates, both SSL and non-SSL certificates, Mads
suggested that we use the ETSI CP references Domain Validation (DVCP),
Organizational Validation (OVCP), Extended Validation (EVCP) and enhanced
Extended Validation (EVCP+) where relevant.

So, currently I'm thinking:

1- BRs - we delete the entire paragraph "Implementers' Note" on page ii (if
someone wants to start fresh and write an entirely new paragraph, then we
might be able to include guidance along those lines).

2- BRs - we add a note to 3. References stating " (Please refer to the
latest official version of these publications.)"

3 - BRs - we remove references to versions, including the "-2" after FIPS 140
since FIPS 140-3 is now the standard, and the "-3" after FIPS 186 for the
same reason.  

4 - In sections 8 and 17 of the EV Guidelines, we remove "V2.1.1" from ETSI
102 042 and instead say "the then current ETSI 102 042 EV Certificate
Policies (EVCP or EVCP+)."

5- Do we add or replace any of these with the new "EN" ETSI references,
yet?

Were there any other concerns or issues with Ballot 107 that haven't been
fully addressed?

Thanks,

Ben

-----Original Message-----
From: Sissel Hoel [mailto:Sissel.Hoel at buypass.no] 
Sent: Friday, August 09, 2013 2:08 AM
To: ben at digicert.com
Cc: public at cabforum.org; Mads Egil Henriksveen
Subject: RE: [cabfpub] Ballot 107 - Removing version numbers to WebTrust
and ETSI standards from CABF Guidelines (EVG and BR)

Hi Ben.

Please withdraw the ballot for now. 
Mads is on vacation and will be back next Monday; I am sure you will hear
from him after that.

Regards, Sissel

-----Original Message-----
From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On
Behalf Of Ben Wilson
Sent: 8. august 2013 20:41
To: 'Gervase Markham'; kirk_hall at trendmicro.com; Mads Egil Henriksveen;
i-barreira at izenpe.net
Cc: public at cabforum.org
Subject: Re: [cabfpub] Ballot 107 - Removing version numbers to WebTrust
and ETSI standards from CABF Guidelines (EVG and BR)

Without Kirk's endorsement and the other votes of concern, let's consider the
ballot withdrawn for further editing.  

-----Original Message-----
From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On
Behalf Of Gervase Markham
Sent: Thursday, August 08, 2013 9:16 AM
To: ben at digicert.com
Cc: public at cabforum.org
Subject: Re: [cabfpub] Ballot 107 - Removing version numbers to WebTrust
and ETSI standards from CABF Guidelines (EVG and BR)

On 30/07/13 16:59, Ben Wilson wrote:
> We could, but we might want to rewrite the paragraph and explain it more.

Mozilla votes NO - see below for why.

Looking at the discussion history for ballot 107, it was proposed, and then
various people provided comments, but it has not been withdrawn or
resubmitted, and voting ends tomorrow. (With one early vote from Trend Micro
and one from GlobalSign being the only current outstanding votes).

I think consideration needs to be given to the feedback provided and so, to
prevent it 'accidentally' passing when most people seem not to have voted,
Mozilla votes NO. We are not against in principle, but we wish to see either
a good explanation of why the proposed changes are not necessary, or the
ballot being withdrawn and updated. If the former is provided before the
deadline, we would certainly consider changing our vote.

Unfortunately, I am not able to be on the call today.

Gerv
_______________________________________________
Public mailing list
Public at cabforum.org
https://cabforum.org/mailman/listinfo/public
