[cabfpub] Pre-Ballot 146 - Convert Baseline Requirements to RFC 3647 Framework

Ben Wilson ben.wilson at digicert.com
Tue Feb 24 18:02:21 UTC 2015

That is how the original from Jeremy was introduced with his email dated November 7, 2013, but I assume that it can be moved to section 2.2.


From: kirk_hall at trendmicro.com [mailto:kirk_hall at trendmicro.com] 
Sent: Tuesday, February 24, 2015 9:52 AM
To: Ben Wilson; CABFPub
Subject: RE: [cabfpub] Pre-Ballot 146 - Convert Baseline Requirements to RFC 3647 Framework


Ben – first of all, thanks for the hard work on this one.


I’m trying to figure out the benefit of locking the Forum into the RFC 3647 framework for the purpose of listing BR requirements.  Is there really a benefit?  Does it add to understanding and make CA compliance any easier?  Or will it force us to put rules in odd places that actually make understanding a bit harder?


I note the BR 8.2 already requires CAs to put their CPS into the format of RFC 2527 or 3647.  See the first two sections of BR 8.2 below.  That can facilitate comparison between the CPSs of different CAs, if anyone cares to do that.  But is there any corresponding benefit from restructuring the BRs to an RFC 3647 format?  What if a rule spans two or more different sections of the RFC 3647 format?


I see that in your new organization of the BRs you have moved old BR 8.2.2 to a new Section 2.1 Repositories, not to new Section 2.2 Publication of Information.  How did you make that choice?  And is there an expectation that CAs will publish their CAA disclosure in new Sec. 2.2 of their CPS?


I’m just afraid we will be handcuffing ourselves with these changes, and that there could be errors in internal cross-references.  It is also a lot of work for everyone to review a complete rewrite of the BRs.


Can you give us a convincing argument of why this is worth doing?  Sorry I didn’t ask this question earlier, but I hadn’t really understood this was what the working group was doing – I thought you were just looking for GAPS in the BRs as compared to the RFC 3647 where we could ADD new provisions to the BRs – not a wholesale restructuring of the BRs.




BR 8.2.2 Disclosure

The CA SHALL publicly disclose its Certificate Policy and/or Certification Practice Statement through an

appropriate and readily accessible online means that is available on a 24x7 basis. The CA SHALL publicly disclose

its CA business practices to the extent required by the CA’s selected audit scheme (see Section 17.1). The

disclosures MUST include all the material required by RFC 2527 or RFC 3647, and MUST be structured in

accordance with either RFC 2527 or RFC 3647. Effective as of 15 April 2015, section 4.2 of a CA's Certificate

Policy and/or Certification Practice Statement (section 4.1 for CAs still conforming to RFC 2527) SHALL state

whether the CA reviews CAA Records, and if so, the CA’s policy or practice on processing CAA Records for Fully

Qualified Domain Names. The CA SHALL log all actions taken, if any, consistent with its processing practice.


From: public-bounces at cabforum.org <mailto:public-bounces at cabforum.org>  [mailto:public-bounces at cabforum.org] On Behalf Of Ben Wilson
Sent: Tuesday, February 24, 2015 7:22 AM
Subject: [cabfpub] Pre-Ballot 146 - Convert Baseline Requirements to RFC 3647 Framework


Ballot 146 - Convert Baseline Requirements to RFC 3647 Framework 

The Certificate Policy Review Working Group was chartered by Ballot 128 to (i) consider existing and proposed standards, (ii) create a list of potential improvements based on the considered standards that improve the existing CAB Forum work product, (iii) evaluate the transition to a 3647 format based on the amount [of work involved]. One deliverable of the CP Review WG was to propose a ballot to improve CA infrastructure based on existing standards and documents and recommend whether to finish the 3647 conversion presented by Jeremy Rowley in January 2014. 

The CP Review WG has met and concluded that the best path forward for the Forum is to complete a conversion to the RFC 3647 for the Baseline Requirements with an initial step that merely moves existing content from the Baseline Requirements and the Network and Certificate System Security Requirements into the RFC 3647 format. 

Attached is an RFC-3647-formatted Certificate Policy for Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates. Comments embedded in the document contain either the source of the text (for content copied from the Baseline Requirements) or the current text (for provisions incorporated by reference from the Network and Certificate System Security Requirements ("NetSec"). It was decided that it was better to incorporate the NetSec requirements by reference rather than copying and pasting them in. In some limited instances the phrase "these Requirements" has been replaced with "this CP." However, "these Requirements" is mostly left in to preserve consistency with the current Baseline Requirements. 

Ben Wilson of DigiCert made the following motion, from and from have endorsed it. 

Motion Begins 

Be it resolved that the CA / Browser Forum adopts the attached CA/B Forum Certificate Policy v.1.2.5, effective immediately. 

Motion Ends 

The review period for this ballot shall commence at 2200 UTC on March 2015 and will close at 2200 UTC on March 2015. Unless the motion is withdrawn during the review period, the voting period will start immediately thereafter and will close at 2200 UTC on March 2015. 

Votes must be cast by posting an on-list reply to this thread. A vote in favor of the ballot must indicate a clear ‘yes’ in the response. A vote against the ballot must indicate a clear ‘no’ in the response. A vote to abstain must indicate a clear ‘abstain’ in the response. Unclear responses will not be counted. The latest vote received from any representative of a voting member before the close of the voting period will be counted. 

Voting members are listed here:  <https://cabforum.org/members/> https://cabforum.org/members/. In order for the motion to be adopted, two thirds or more of the votes cast by members in the CA category and more than one half of the votes cast by members in the browser category must be in favor. Quorum is currently nine (9) members– at least nine members must participate in the ballot, either by voting in favor, voting against, or by abstaining for the vote to be valid. 


The information contained in this email and any attachments is confidential 
and may be subject to copyright or other intellectual property protection. 
If you are not the intended recipient, you are not authorized to use or 
disclose this information, and we request that you notify us by reply mail or
telephone and delete the original message from your mail system.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20150224/5da76f0c/attachment-0003.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4954 bytes
Desc: not available
URL: <http://lists.cabforum.org/pipermail/public/attachments/20150224/5da76f0c/attachment-0001.p7s>

More information about the Public mailing list