[cabfpub] Ballot 107 - Removing version numbers to WebTrust and ETSI standards from CABF Guidelines (EVG and BR)
Just to answer questions 4 and 5.
4.- I'm OK, just bear in mind that EVCP+ is for EV code signing certificates.
5.- Not yet. We're publishing the drafts this month for public review and they will be published "officially" next year. I'll give you the dates in the next CABF F2F meeting if possible.
This email is a follow up on withdrawal of Ballot 107 from voting. I'd like to discuss this some more before making further efforts to revise the text.
As you might recall, this ballot emerged from discussions this year about coordinating audit and standards cycles. Mads suggested we remove specific WebTrust and ETSI version numbers to prevent potential loopbacks / circular reasoning that might lead to inconsistent application of audit criteria and audit results.
The ballot would remove version numbers and links to specific versions of audit criteria from EV Guidelines and Baseline Requirements.
Because ETSI TS 102 042 comprises different sets of policy requirements for different types of certificates, both SSL and non-SSL certificates, Mads suggested that we use the ETSI CP references Domain Validation (DVCP), Organizational Validation (OVCP), Extended Validation (EVCP) and enhanced Extended Validation (EVCP+) where relevant.
So, currently I'm thinking:
1 - BRs - we delete the entire paragraph "Implementers' Note" on page ii (if someone wants to start fresh and write an entirely new paragraph, then we might be able to include guidance along those lines).
2 - BRs - we add a note to 3. References stating "(Please refer to the latest official version of these publications.)"
3 - BRs - we remove references to versions, including the "-2" after FIPS 140 since FIPS 140-3 is now the standard, and the "-3" after FIPS 186 for the same reason.
4 - In sections 8 and 17 of the EV Guidelines, we remove "V2.1.1" from ETSI 102 042 and instead say "the then current ETSI 102 042 EV Certificate Policies (EVCP or EVCP+)."
5 - Do we add or replace any of these with the new "EN" ETSI references, yet?
Were there any other concerns or issues with Ballot 107 that haven't been fully addressed?
Hi Ben.
Please withdraw the ballot for now.
Mads is on vacation and will be back on next Monday, I am sure you will hear from him after that.
Regards, Sissel
Without Kirk's endorsement and the other votes of concern, let's consider the ballot withdrawn for further editing.
On 30/07/13 16:59, Ben Wilson wrote:
> We could, but we might want to rewrite the paragraph and explain it more.
Mozilla votes NO - see below for why.
Looking at the discussion history for ballot 107, it was proposed, and then various people provided comments, but it has not been withdrawn or resubmitted, and voting ends tomorrow. (With one early vote from Trend Micro and one from GlobalSign being the only current outstanding votes).
I think consideration needs to be given to the feedback provided and so, to prevent it 'accidentally' passing when most people seem not to have voted, Mozilla votes NO. We are not against in principle, but we wish to see either a good explanation of why the proposed changes are not necessary, or the ballot being withdrawn and updated. If the former is provided before the deadline, we would certainly consider changing our vote.
Unfortunately, I am not able to be on the call today.
