[cabfpub] Merge EV Guidelines into Baseline Requirements CP?

Mon Aug 31 19:26:09 UTC 2015

On Mon, Aug 31, 2015 at 9:12 AM, Gervase Markham <gerv at mozilla.org> wrote:

> On 31/08/15 14:57, Ben Wilson wrote:
> > As I’ve looked at what is ahead of us (in the Policy Review Working
> > Group), I have concluded that I’d prefer to put the EV Guidelines into
> > the Baseline Requirements CP.
>
> Kathleen's view:
>
> "I would be OK with the EV Guidelines and the BRs being in one document,
> as long at is is very clear what the additional requirements are for EV.
> For instance there would need to be separate sections (or sub-sections)
> that start with something common like "EV" to highlight the additional
> expectations for EV."
>
> My view is that my gut feeling is against; we should be able to manage a
> few document cross-references, and these are two separate standards. But
> I'd say the auditors' opinion is important.
>
> Gerv
>
>
With respect to the Baseline Requirements and EV Guidelines, I would say
one (unified) document would not terribly sadden me, and would make it
somewhat easier for reviewing. From experience performing CP/CPS reviews
for ETSI-audited CAs (that is, considering DVCP vs OVCP vs EVCP vs EVCP+),
a unified document with clear demarcation (generally) makes it easier to
review.

That said, it's likely worthwhile to consider how these documents are
incorporated. For example, it's possible to do so in a way that ostensibly
harms, rather than helps. Consider, for example, the incorporation of the
Network & Certificate System Security Requirements published by the
CA/Browser Forum. These requirements were voted on as a CA/B Forum work
product, but not established as required by the root stores, notably,
Mozilla. However, because these documents were incorporated into the into
the "WebTrust Principles and Criteria for Certification Authorities - SSL
Baseline with Network Security, Version 2.0", they are de facto required,
even though not so by the program requirements (indeed, there are a number
of non-sensical requirements in the Network & Certificate System Security
Requirements that would be suboptimal for a modern CA to enforce)

There would therefore be a similar risk that in combining these documents,
either the Forum or the auditors (WebTrust, ETSI) tasked with integrating
these combined documents would end up imposing more stringent requirements
than actually required by the root stores. We've seen this elsewhere in
past integrations (e.g. Ballot 105, which imposed a more stricter
interpretation of technical constraints than present in Mozilla's Program),
so care would really have to be taken.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20150831/ebf18aeb/attachment-0003.html>