[cabfpub] Merge EV Guidelines into Baseline Requirements CP?

N. Atilla Biler atilla.biler at turktrust.com.tr
Mon Aug 31 15:46:15 UTC 2015

Hi all,


It really seems practical to have one RFC compliant document to follow for
each CA, whether the CA gives only BR mandated OV, DV etc. or EV Guidelines
mandated EV SSL services.


The practicality will be twofold:


1. There are a lot of common requirements w.r.t. RFC 3647 format like
technical requirements, system security requirements, audit requirements
etc. and these can be managed synchronously under one document. Otherwise,
every update should be done twice and in parallel on both documents.

2. The differences for each type of SSL will be explicit, emphasizing
different requirements. As the RFC format is not only for validation steps
(contrary to the current EV Guidelines format that is concentrated on
extended validation issues), solely the differences will be managed in a
common document.


For now, we as TURKTRUST collect all certificate types under one CP and CPS
document where all have separate certificate policies. It really is
practical for us to manage the document itself while following the frequent
changes we make on those requirements as CA/Browser Forum. 


Best regards,



N. Atilla BILER

Business Development Manager / Advisor to R&D Center



Address: Hollanda Cad. 696.Sok. No:7 Yildiz 06550 Cankaya / ANKARA - TURKEY

Phone   : +90 (312) 439 10 00

Mobile  : +90 (530) 314 24 05

Fax         : +90 (312) 439 10 01

E-mail    : atilla.biler at turktrust.com.tr

Web      : http://www.turktrust.com.tr/




From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On
Behalf Of Doug Beattie
Sent: Monday, August 31, 2015 18:17
To: Tim Hollebeek <THollebeek at trustwave.com>; Bruce Morton
<bruce.morton at entrust.com>; Ben Wilson <ben.wilson at digicert.com>; CABFPub
<public at cabforum.org>
Subject: Re: [cabfpub] Merge EV Guidelines into Baseline Requirements CP?


I'd prefer combining them into one document based on what I know now.  I
think it will be hard to read and follow a document that contains a lot of
references to another document, and each time a change is made to the BR
document we'll need to ask ourselves how this impacts EV (if that section is
used or not).


Also, many of the sections will be close, but not 100% identical to the BRs
which will mean duplicating that section and then trying to keep the common
items in-sync.  For example the Certificate Warranties: many are the same,
some are different.  Wouldn't it be better to have this in a table with the
list of all warranties and then indicate which apply to OV/DV vs. EV? This
also lets you clearly see the differences between the different types of
certificates.  This same approach could be used in lots of places.


It's also possible that once we start merging it some hard to solve issues
will arise.  I support investigating what it would take to merge it in and
to identify what obstacles we might encounter.




From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On
Behalf Of Tim Hollebeek
Sent: Monday, August 31, 2015 10:51 AM
To: Bruce Morton <bruce.morton at entrust.com>; Ben Wilson
<ben.wilson at digicert.com>; CABFPub <public at cabforum.org>
Subject: Re: [cabfpub] Merge EV Guidelines into Baseline Requirements CP?


I tend to agree with this.  I'd prefer a separate document, even if much of
it is "Section X: As in the baseline requirements".




From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On
Behalf Of Bruce Morton
Sent: Monday, August 31, 2015 10:17 AM
To: Ben Wilson; CABFPub
Subject: Re: [cabfpub] Merge EV Guidelines into Baseline Requirements CP?




I'm thinking that this will start to make it hard to understand what is EV
and what is not. It might also be hard for the auditing community to mage
their EV audit criteria.


Currently, we can align Baseline Requirements with a Baseline Requirements
audit criteria; we can also do the same for EV. If we merge the two together
can we still separate them for CAs which do not issue EV certificates?




From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On
Behalf Of Ben Wilson
Sent: Monday, August 31, 2015 9:58 AM
To: CABFPub <public at cabforum.org>
Subject: [cabfpub] Merge EV Guidelines into Baseline Requirements CP?


As I've looked at what is ahead of us (in the Policy Review Working Group),
I have concluded that I'd prefer to put the EV Guidelines into the Baseline
Requirements CP.  The EV Guidelines would lose their identity as a separate
document, but if we merge the two, we can avoid a lot of back and forth
between two documents because everything would be in one document.  Other
CPs have taken this approach of having multiple policies in the same CP
document.  Not sure what other people think, but I thought I'd mention this
idea here, in case it helps guide the WG as we review the EVG document in
the upcoming weeks.  (I did send out a rough draft of an RFC-3647-formatted
EV Guidelines to the Policy Review Working Group to get us started.)  If
people are amenable to merging the documents, then that might save us some
work in the long run.  Otherwise, we can move forward with editing of the
RFC-3647 formatted version of the EV Guidelines as a separate document,
which is fine, too.  


