[cabfpub] Cert Policy Working Group activity
bruce.morton at entrust.com
Thu Sep 10 21:31:40 UTC 2015
Thanks for the update. I am a little concerned with the statement, "It became clear that adding best practices from these various documents to the new work product will serve to improve security for all CAs and the ecosystem as a whole." This sounds like policy changes.
I am in favor of policy changes, if they mitigate an issue and if the specific policy change is discussed as to why we need the change, how it can be fixed, etc. I think an open discussion on each policy change is required.
I worry that the Policy Working Group will propose a change to the Baseline Requirements which will be hard to approve due to the extent of the policy changes. Our current process has been to change policy with individual ballots for each change.
Please let me know if I am off base; otherwise, it would be great to have input from other CAs.
Thanks again, Bruce.
From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Dean Coclin
Sent: Thursday, September 10, 2015 4:49 PM
To: public at cabforum.org
Subject: [cabfpub] Cert Policy Working Group activity
As many are aware the Cert Policy Working Group of the CA/B Forum has been working to transition the Baseline Requirements from the current format to RFC 3647 format. As part of this effort, which has taken quite a bit of time, it made sense to pull in the Network Security Guidelines and merge them into the 3647 document.
Under the leadership of Ben Wilson, the working group is composed of a variety of people that have expertise in policy (CP/CPS), network security and CA operations. As part of this exercise, the group had the opportunity to review other documents related to the various sections of the RFC that showcase best practices such as the draft NIST IR, WebTrust, ETSI and various vendor documentation. It became clear that adding best practices from these various documents to the new work product will serve to improve security for all CAs and the ecosystem as a whole.
At our offsite meeting in Washington yesterday, the group made significant progress in reviewing the various sections of 3647 and inserting (upgrading) sections related to security areas (mostly operations). We still have a lot of work to do but I just wanted to give folks an update and the opportunity to express any concerns.
At this time, we are not merging the EV and BR documents but that is something under discussion.
So to summarize:
* BRs and Net Sec will be in 1 document formatted to RFC 3647
* Areas not covered in BRs or NetSec (or inadequately covered) are being added or "beefed up" using authoritative sources
Of course, once something is ready for review, the Working Group will publish it to this list.
Chair CA/B Forum
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Public