[cabfpub] Pre-Ballot 146 - Convert Baseline Requirements to RFC 3647 Framework

Ryan Sleevi sleevi at google.com
Wed Mar 11 05:50:58 UTC 2015

On Mar 10, 2015 10:43 PM, "Ben Wilson" <ben.wilson at digicert.com> wrote:
> I forgot to mention.  The current plan is to adopt these, then add in the
EV Guidelines for SSL, and then add in the Network Security requirements,
and then code signing, ETSI/NIST language, etc.  A benefit of this plan is
a reduction in the number of documents we have to handle.

I am at a loss to understand why that is at all a good thing.

As noted before, I've already relayed our concerns about the
appropriateness of code signing in the Forum. Even discarding those
concerns - which I think are serious and profoundly affect future
participation in the Forum - it is unclear to me why merging the BRs and
the EVGs are a good thing. A CA that does not wish to issue EV certs should
not have to wade through significant portions of unrelated policy; that
makes it harder to maintain, but also harder as a reviewer to review and as
an auditor to audit.

I, like others who have expressed similar concerns before, am still at a
bit skeptical as to how much this will help, and am very concerned it will
do more harm. Still, I would love to know what supporters perceive as the
benefits of unifying the documents - both tangentially related ones (SSL
BRs and SSL EV) and very much unrelated ones (Code Signing)
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20150310/afca5340/attachment-0003.html>

More information about the Public mailing list