[cabfpub] FW: [cabf_ev_improvements] EV Section 11.13

Ben Wilson ben at digicert.com
Wed Jun 11 17:58:04 UTC 2014


I haven't received any comments, so here it is to the public list for review
and comment.  This will be on the agenda for the Face-to-Face.

 

From: evsection11-bounces at cabforum.org
[mailto:evsection11-bounces at cabforum.org] On Behalf Of Ben Wilson
Sent: Sunday, June 8, 2014 6:33 PM
To: 'Cecilia Kam'; 'Wayne Thayer'; 'Jeremy Rowley'; 'Joanna Fox';
Evsection11 at cabforum.org; kelviny at exchange.microsoft.com
Subject: Re: [cabf_ev_improvements] EV Section 11.13

 

Here is another shot at pre-Ballot 123 for updating EV Section 11.13.

Let me know what you think.

 

From: Cecilia Kam [mailto:Cecilia_Kam at symantec.com] 
Sent: Tuesday, May 13, 2014 2:01 PM
To: ben at digicert.com; 'Wayne Thayer'; 'Jeremy Rowley'; 'Joanna Fox';
Evsection11 at cabforum.org; kelviny at exchange.microsoft.com
Subject: RE: [cabf_ev_improvements] EV Section 11.13

 

Yes that is best - 

(5) The CA MUST repeat the verification processes required in these
Guidelines for any information obtained outside the time limits specified
above

 

From: Ben Wilson [mailto:ben at digicert.com] 
Sent: Tuesday, May 13, 2014 1:00 PM
To: Cecilia Kam; 'Wayne Thayer'; 'Jeremy Rowley'; 'Joanna Fox';
Evsection11 at cabforum.org; kelviny at exchange.microsoft.com
Subject: RE: [cabf_ev_improvements] EV Section 11.13

 

Never mind, I see we use the word "limits", so what about "(5) The CA MUST
repeat the verification processes required in these Guidelines for any
information obtained outside the time limits specified above"?

 

 

From: Ben Wilson [mailto:ben at digicert.com] 
Sent: Tuesday, May 13, 2014 1:58 PM
To: 'Cecilia Kam'; 'Wayne Thayer'; 'Jeremy Rowley'; 'Joanna Fox';
'Evsection11 at cabforum.org'; 'kelviny at exchange.microsoft.com'
Subject: RE: [cabf_ev_improvements] EV Section 11.13

 

What about "(5) The CA MUST repeat the verification processes required in
these Guidelines for any information obtained outside the time periods
specified above"?

 

From: Cecilia Kam [mailto:Cecilia_Kam at symantec.com] 
Sent: Monday, May 12, 2014 11:51 AM
To: ben at digicert.com; 'Wayne Thayer'; 'Jeremy Rowley'; 'Joanna Fox';
Evsection11 at cabforum.org; kelviny at exchange.microsoft.com
Subject: RE: [cabf_ev_improvements] EV Section 11.13

 

Hi Ben, 

 

One minor update to 11.13.3

 

(5) The CA MUST repeat the verification processes required in these
Guidelines for any information obtained outside earlier than allowed by the
limits specified above.

 

Thanks, 

Cecilia

 

From: Ben Wilson [mailto:ben at digicert.com] 
Sent: Friday, May 09, 2014 12:07 PM
To: ben at digicert.com; 'Wayne Thayer'; 'Jeremy Rowley'; 'Joanna Fox'; Cecilia
Kam; Evsection11 at cabforum.org; kelviny at exchange.microsoft.com
Subject: RE: [cabf_ev_improvements] EV Section 11.13

 

Here is an updated redlined draft of the EVGs for a Pre-Ballot 123 Forum
review.  

 

From: evsection11-bounces at cabforum.org
[mailto:evsection11-bounces at cabforum.org] On Behalf Of Ben Wilson
Sent: Friday, May 02, 2014 11:36 AM
To: 'Wayne Thayer'; 'Jeremy Rowley'; 'Joanna Fox'; 'Cecilia Kam';
Evsection11 at cabforum.org; kelviny at exchange.microsoft.com
Subject: Re: [cabf_ev_improvements] EV Section 11.13

 

Who is the proponent and who are the endorsers for the current draft?  Is
this ready to be put forth as a ballot?

 

From: Wayne Thayer [mailto:wthayer at godaddy.com] 
Sent: Wednesday, April 30, 2014 1:40 PM
To: ben at digicert.com; 'Jeremy Rowley'; Joanna Fox; 'Cecilia Kam';
Evsection11 at cabforum.org; kelviny at exchange.microsoft.com
Subject: RE: [cabf_ev_improvements] EV Section 11.13

 

Good point. I like Jeremy's new language, but we should combine the new (4)
with the old (3).

 

Thanks,

 

Wayne

 

From: Ben Wilson [mailto:ben at digicert.com] 
Sent: Wednesday, April 30, 2014 12:31 PM
To: 'Jeremy Rowley'; Wayne Thayer; Joanna Fox; 'Cecilia Kam';
Evsection11 at cabforum.org; kelviny at exchange.microsoft.com
Subject: RE: [cabf_ev_improvements] EV Section 11.13

 

There is also 11.13.3(3) to consider and whether that should be part of this
overall explanation.

 

From: Jeremy Rowley [mailto:jeremy.rowley at digicert.com] 
Sent: Wednesday, April 30, 2014 1:27 PM
To: ben at digicert.com; 'Wayne Thayer'; 'Joanna Fox'; 'Cecilia Kam';
Evsection11 at cabforum.org; kelviny at exchange.microsoft.com
Subject: RE: [cabf_ev_improvements] EV Section 11.13

 

I still think we could drop the language since reuse of the requests and
subscriber agreements is adequately covered under other sections.  However,
if we want to add something, I do like the idea of splitting it into two
separate sections:

 

(4) The CA MAY rely on a previously-verified EV Certificate Request to issue
subsequent or multiple EV Certificates to an Applicant, provided that the EV
Request (i) meets the requirements in Section 10 for each subsequent or
multiple Certificate(s) issued and (ii) was approved by a pre-authorized
Certificate Approver under Section 11.7.4.

(5) The CA MAY rely on a previously-verified Subscriber Agreement or Terms
of Use to issue subsequent or multiple EV Certificates to an Applicant,
provided that the Subscriber Agreement or Terms of Use meets the
requirements in Section 10 with respect to each subsequent or multiple EV
Certificate.

 

Thoughts?

 

From: Ben Wilson [mailto:ben at digicert.com] 
Sent: Wednesday, April 30, 2014 1:07 PM
To: 'Wayne Thayer'; 'Jeremy Rowley'; 'Joanna Fox'; 'Cecilia Kam';
Evsection11 at cabforum.org; kelviny at exchange.microsoft.com
Subject: RE: [cabf_ev_improvements] EV Section 11.13

 

Maybe since this will be discussed during the call tomorrow we could move
the discussion to the public list?  One suggestion might be to introduce
alternative language for discussion.  My overall intent was to point people
to other relevant sections of the EVGs (otherwise someone might read one
section without realizing that there is another one in the EVG or BRs that
they should also be looking at).

 

From: Wayne Thayer [mailto:wthayer at godaddy.com] 
Sent: Wednesday, April 30, 2014 12:32 PM
To: Jeremy Rowley; ben at digicert.com; Joanna Fox; 'Cecilia Kam';
Evsection11 at cabforum.org; kelviny at exchange.microsoft.com
Subject: RE: [cabf_ev_improvements] EV Section 11.13

 

Jeremy, I think your language is the opposite of Ben's, and it helps to
think about reuse of the certificate request and subscriber agreement (SA)
separately.

 

The SA is the easier case, and Ben's language works. Jeremy, I read your
language as saying that you have to follow 11.8 for each request and
therefore you must validate the signature on the SA every time. It's unclear
if you could reverify the signature on the exact same document, but that
seems pointless.

 

It's unclear to me that the reuse of a certificate request is even useful
(one request covering multiple certs?), but if it is I don't think that
doing so conflicts directly with 11.7.4, which is about pre-authorizing the
approver. Ben, I don't understand your language on 11.7.4 - are you saying
that a request can only be reused if the provisions of 11.7.4 are in effect?
If so, I suggest we put that language right into 11.7.4 and let 11.13.3(4)
address the SA only.

 

Thanks,

 

Wayne

 

From: evsection11-bounces at cabforum.org
[mailto:evsection11-bounces at cabforum.org] On Behalf Of Jeremy Rowley
Sent: Tuesday, April 29, 2014 3:27 PM
To: ben at digicert.com; Joanna Fox; 'Cecilia Kam'; Evsection11 at cabforum.org;
kelviny at exchange.microsoft.com
Subject: Re: [cabf_ev_improvements] EV Section 11.13

 

I think it's too much and will tend to over-ride the pre-authorization of
11.7.4 and signed agreement language elsewhere in the guidelines.  If we're
going to add something, the language should be short and sweet:

 

(4) The CA MAY reuse a previously submitted EV Certificate Request,
Subscriber Agreement, or Terms of Use to the extent permitted under Sections
11.8 and 11.9.

 

From: Ben Wilson [mailto:ben at digicert.com] 
Sent: Tuesday, April 29, 2014 3:25 PM
To: 'Joanna Fox'; 'Jeremy Rowley'; 'Cecilia Kam'; Evsection11 at cabforum.org;
kelviny at exchange.microsoft.com
Subject: RE: [cabf_ev_improvements] EV Section 11.13

 

What about this for 11.13.3?

 

Subject to the aging and updating requirements listed in this Section 11.13,
the CA MAY use an EV Certificate Request, Subscriber Agreement, or
Affiliate's Terms of Use that was previously verified under Sections 11.7
and 11.8 (including, if applicable, the pre-authorization requirements found
in Section 11.7.4) to issue subsequent or multiple EV Certificates to an
Applicant, provided that such documents: (a) request or authorize
certificate issuance for the Subjects to be included in the Certificate(s);
(b) do not conflict with the then-existing version of these Guidelines; and
(c) remain legally binding and enforceable for the CA, the Subscriber, and
the EV Certificate(s) to be issued.

 

 

From: Joanna Fox [mailto:jweber at godaddy.com] 
Sent: Tuesday, April 29, 2014 9:52 AM
To: Jeremy Rowley; ben at digicert.com; 'Cecilia Kam';
Evsection11 at cabforum.org; kelviny at exchange.microsoft.com
Subject: RE: [cabf_ev_improvements] EV Section 11.13

 

My interpretation is that this section allows for reuse of these documents
as long as no data has changed. I'm happy to take the opportunity of
rewriting 11.13 to include clarifying this section.  If we want to word it
more simply, we can either put a time restriction on the use of a Subscriber
Agreement or remove a time restriction entirely and just say something to
the effect of, if the Contract Signer (Applicant Representative) has not
changed, the document is considered valid.

 

Thoughts?

 

From: Jeremy Rowley [mailto:jeremy.rowley at digicert.com] 
Sent: Monday, April 28, 2014 10:00 PM
To: ben at digicert.com; 'Cecilia Kam'; Joanna Fox; Evsection11 at cabforum.org;
kelviny at exchange.microsoft.com
Subject: RE: [cabf_ev_improvements] EV Section 11.13

 

I agree with Ben - I'm not sure what it means to have each request supported
by a previously confirmed EV Certificate request and subscriber agreement.
The fact that a valid one must exist is a requirement for EV issuance under
11.8 and 11.9.   I'm not sure why it was ever included under the document
validity period requirements.

 

From: Ben Wilson [mailto:ben at digicert.com] 
Sent: Monday, April 28, 2014 10:55 PM
To: 'Cecilia Kam'; 'Joanna Fox'; 'Jeremy Rowley'; Evsection11 at cabforum.org;
kelviny at exchange.microsoft.com
Subject: RE: [cabf_ev_improvements] EV Section 11.13

 

It seems like subsection 11.13.3(4) is a requirement, not an exception, and
it just restates sections 7.1(F), 10.1.2, 11.1.1 (and a bunch of others).
I'm wondering whether the original subsection (4) was intended to limit the
use of a single Subscriber Agreement by requiring a new certificate request
each time, but that is allowed in (3) above (and in section 10.2.1 of the
BRs), so what does it really mean to say?  

 

 

From: Cecilia Kam [mailto:Cecilia_Kam at symantec.com] 
Sent: Monday, April 28, 2014 5:41 PM
To: Joanna Fox; ben at digicert.com; 'Jeremy Rowley'; Evsection11 at cabforum.org;
kelviny at exchange.microsoft.com
Subject: RE: [cabf_ev_improvements] EV Section 11.13

 

Hi Ben, 

 

One minor update:

11.13.1

(3) The Method of Communication required by Section 11.4.2(2)(A), provided
that the CA verified the communications as required by Section 11.4.2
(2)(B);

 

Also I think Joanna is correct and 11.13.3 (4) should be included

 

11.13.3

(4) Each EV Certificate issued by the CA MUST be supported by a previously
confirmed EV Certificate Request and a Subscriber Agreement signed by the
appropriate Applicant Representative on behalf of the Applicant or Terms of
Use acknowledged by the appropriate Applicant Representative.

 

I might have more feedback tomorrow. 

 

Thanks, 

Cecilia

 

From: Joanna Fox [mailto:jweber at godaddy.com] 
Sent: Monday, April 28, 2014 4:11 PM
To: ben at digicert.com; 'Jeremy Rowley'; Cecilia Kam;
Evsection11 at cabforum.org; kelviny at exchange.microsoft.com
Subject: RE: [cabf_ev_improvements] EV Section 11.13

 

I don't remember omitting 11.13.3 Subsection 4.  Do we want this reconfirmed
each time?

 

Thanks, Joanna

 

From: Ben Wilson [mailto:ben at digicert.com] 
Sent: Monday, April 28, 2014 11:31 AM
To: Joanna Fox; 'Jeremy Rowley'; 'Cecilia Kam'; Evsection11 at cabforum.org;
kelviny at exchange.microsoft.com
Subject: RE: [cabf_ev_improvements] EV Section 11.13

 

Joanna indicated the earlier ones worked, and this one didn't, so just in
case, here it is as an RTF file. 

 

From: evsection11-bounces at cabforum.org
[mailto:evsection11-bounces at cabforum.org] On Behalf Of Ben Wilson
Sent: Monday, April 28, 2014 11:57 AM
To: 'Jeremy Rowley'; 'Cecilia Kam'; Evsection11 at cabforum.org;
kelviny at exchange.microsoft.com
Subject: Re: [cabf_ev_improvements] EV Section 11.13

 

Any comments, or should I circulate this to "public" in advance of it being
an agenda item for Thursday's CABF call?

 

From: evsection11-bounces at cabforum.org
[mailto:evsection11-bounces at cabforum.org] On Behalf Of Ben Wilson
Sent: Friday, April 25, 2014 12:17 PM
To: 'Jeremy Rowley'; 'Cecilia Kam'; Evsection11 at cabforum.org;
kelviny at exchange.microsoft.com
Subject: Re: [cabf_ev_improvements] EV Section 11.13

 

Here is a cleaned up Word version.  Let me know whether you notice any
errors in the automatic paragraph numbering.

 

From: Ben Wilson [mailto:ben at digicert.com] 
Sent: Friday, April 25, 2014 11:19 AM
To: 'ben at digicert.com'; 'Jeremy Rowley'; 'Cecilia Kam';
'Evsection11 at cabforum.org'; Kelvin Yiu <kelviny at exchange.microsoft.com>
(kelviny at exchange.microsoft.com)
Subject: RE: [cabf_ev_improvements] EV Section 11.13

 

All,

Here is an updated version.  Discard the version I sent yesterday.  Also,
I'm going to see if I can clean up the Styles in the Word version, and then
I'll send that to you shortly.

Ben

 

From: evsection11-bounces at cabforum.org
[mailto:evsection11-bounces at cabforum.org] On Behalf Of Ben Wilson
Sent: Thursday, April 24, 2014 12:34 PM
To: 'Jeremy Rowley'; 'Cecilia Kam'; Evsection11 at cabforum.org
Subject: Re: [cabf_ev_improvements] EV Section 11.13

 

For this Draft  Ballot 123, I reviewed the language and redlined the version
of the EV Guidelines being used for Ballot 122.  The yellow highlighting
means that the insertion or deletion was mainly a move of the text.   

I made several edits, so everyone, including Cecilia, Jeremy and Joanna,
ought to review what has changed.  Feel free to ask why I changed anything
or explain why something shouldn't have been changed.

Thanks,

Ben

 

From: evsection11-bounces at cabforum.org
[mailto:evsection11-bounces at cabforum.org] On Behalf Of Ben Wilson
Sent: Thursday, April 24, 2014 11:26 AM
To: 'Jeremy Rowley'; 'Cecilia Kam'; Evsection11 at cabforum.org
Subject: Re: [cabf_ev_improvements] EV Section 11.13

 

FYI-I'm putting this into ballot form as draft proposed Ballot 123.  Then
I'll send it out to the group for discussion during the next CABF call.

 

From: evsection11-bounces at cabforum.org
[mailto:evsection11-bounces at cabforum.org] On Behalf Of Jeremy Rowley
Sent: Thursday, April 24, 2014 10:37 AM
To: 'Cecilia Kam'; Evsection11 at cabforum.org
Subject: Re: [cabf_ev_improvements] EV Section 11.13

 

Thanks Cecilia.  I had one change to Section 11.13.1(3).  Although this
change is a bit redundant, I think we want to be clear that 2(B) is still
required,  especially since this point could easily be lost when translating
the document.

 

From: Cecilia Kam [mailto:Cecilia_Kam at symantec.com] 
Sent: Wednesday, April 23, 2014 6:13 PM
To: Jeremy Rowley; Evsection11 at cabforum.org
Subject: RE: [cabf_ev_improvements] EV Section 11.13

 

Hi Jeremy, 

 

Tried to incorporate our comments and clean up the attached doc. 

 

Let me know what you think. 

 

Thanks,
Cecilia

 

From: Jeremy Rowley [mailto:jeremy.rowley at digicert.com] 
Sent: Friday, March 28, 2014 9:54 PM
To: Cecilia Kam; Evsection11 at cabforum.org
Subject: RE: [cabf_ev_improvements] EV Section 11.13

 

Thanks Cecilia.   Most of the changes depend on the order we present the
ballots to the main forum. Which do we want to vote on first?

 

On 11.13.1(3), I think we should make it clear that the CA needs to
re-verify the method of communication by using the method of communication
to communicate with the applicant. 

 

On 11.13.1(5), I'm not sure what you are asking.  That section remained
essentially unchanged except for removal of the future tense (since it
controls when the certificate issues) and a change to remove superfluous
language. The example you added was not in the original language.  Instead
that is in 11.13.3(1)(G).  Do you want to move it here instead?  I have no
problem moving it from 11.13.3(1) to 11.13(3).

 

On 11.13.1(6), we need to retain this language (or broaden it) because it
refers to a confirming person, not a Reliable Method of Communication.  If
we change this language, we'll need to heavily amend 11.10.4 as well.  I
believe Rich will be addressing that section as part of his role revision
project.

 

On 11.13.2, those changes would allow a user to reuse the request and
subject of a revoked EV certificate without verification. Is that the
intent?  I'll need to think about this.

 

Thanks again for the comments.

 

Jeremy

  

 

 

From: Cecilia Kam [mailto:Cecilia_Kam at symantec.com] 
Sent: Saturday, March 29, 2014 6:14 AM
To: Jeremy Rowley; Evsection11 at cabforum.org
Subject: RE: [cabf_ev_improvements] EV Section 11.13

 

Hi Jeremy, 

 

I think we need more time to edit Age of Validated Data (2) but here are
some updates/comments in red. 

 

Regards,
Cecilia

 

From: evsection11-bounces at cabforum.org
[mailto:evsection11-bounces at cabforum.org] On Behalf Of Jeremy Rowley
Sent: Thursday, March 13, 2014 9:38 AM
To: Evsection11 at cabforum.org
Subject: [cabf_ev_improvements] EV Section 11.13

 

 

-------------- next part --------------
A non-text attachment was scrubbed...
Name: EV V1_4_9_redlined-ballot-123.pdf
Type: application/pdf
Size: 97134 bytes
Desc: not available
URL: <http://lists.cabforum.org/pipermail/public/attachments/20140611/0bba7f1b/attachment-0002.pdf>