[cabfpub] Merging BRs and EVGLs

Thu Oct 1 09:32:51 MST 2015

Hi all, I thought we have discussed on having the EV Guidelines as an appendix and not fully integrated into the BR, like we noticed in this merged document.
In this format, the requirements are mixed under the same topic for regular and EV certificates, and It would bring some confusion during internal and external audits processes, mainly for CAs that don't provide EV certificates.
As already mentioned here, when we have KMPMG performing a WebTrust auditing, for example, checking separate audit requirements for EV and Non-EV CAs, it would be tough for them and for the CAs on having just one document to validate the security posture and procedures.
Therefore, I think we should reconsider the current format and evaluate a better approach for this merge, in case we decide to move forward with this idea.
Thoughts?

Marcelo.

-----Original Message-----
From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Gervase Markham
Sent: Wednesday, September 30, 2015 5:19 AM
To: CABFPub
Subject: [cabfpub] Merging BRs and EVGLs

Hi everyone,

The ever-helpful Peter Bowen has informed me he has already written the document-merging script I postulated. It's here:

https://github.com/pzb/PublicCP/blob/master/utils/merge.rb

It requires a version of the BRs and a version of the EVGLs which are both in Markdown format and in RFC 3647 order. The EVGLs have not yet been converted to RFC 3647, and so Peter has done his own conversion here:

https://github.com/pzb/PublicCP/blob/master/docs/ExtendedValidation.md

I attach a sample PDF of a merged BRs and EVGLs document made using this method. This is only a technology demo, of course, but it shows what sort of thing can be done. For an example section containing both BR and EV content, see section 1.3.2.

So I think if people are keen for it to be possible for people to see a combined view of these two documents, the best thing to do is to work on an official RFC 3647 conversion of the EVGLs, and for us to make Markdown the official source format of all of our documents. I am thoroughly in favour of both of those changes. This course of action would allow those who wanted separate documents to have them, and those who wanted merged documents to have them too. Everyone wins.

It would also be possible for CAs to put all of their other internal documentation into RFC3647 format and Markdown, and use that to construct their own internal documents which give the totality of their requirements. That might be a useful capability too.

Gerv

The commands I used to generate the document were:

$ utils/merge.rb docs/Outline.md docs/BaselineRequirements.md docs/ExtendedValidation.md defs.md > BREV-merged.md

$ utils/kram.rb BREV-merged.md > BREV-merged.html

$ weasyprint BREV-merged.html BREV-merged.pdf

You will need to have various libraries and apps like kramdown and weasyprint installed, but those should be available in the package manager of your Linux distribution. You are using Linux, right? ;-)