[cabfpub] Cert Policy Working Group activity

kirk_hall at trendmicro.com kirk_hall at trendmicro.com
Thu Sep 10 22:31:29 UTC 2015

I think Bruce makes a good point.

This might go faster and be more productive if the concepts for policy / security practice changes are put forward for discussion (or you can put forward the language you find in other documents for review).  Once we get Forum support (and any related issues are resolved), then it would make sense to fit the changes into new BR language.

To use an extreme example, if NIST says passwords should be 26 characters long and changed daily, I think the Forum might say "That seems unnecessary for our needs.  Let's discuss the reasons for NIST's recommendation, and see if there are more appropriate changes for us."
From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Bruce Morton
Sent: Thursday, September 10, 2015 2:32 PM
To: Dean Coclin; public at cabforum.org
Subject: Re: [cabfpub] Cert Policy Working Group activity

Hi Dean,

Thanks for the update. I am a little concerned with the statement, "It became clear that adding best practices from these various documents to the new work product will serve to improve security for all CAs and the ecosystem as a whole." This sounds like policy changes.

I am in favor of policy changes, if they mitigate an issue and if the specific policy change is discussed as to why we need the change, how it can be fixed, etc. I think an open discussion on each policy change is required.

I worry that the Policy Working Group will propose a change to the Baseline Requirements which will be hard to approve due to the extent of the policy changes. Our current process has been to change policy with individual ballots for each change.

Please let me know if I am off base; otherwise, it would be great to have input from other CAs.

Thanks again, Bruce.

From: public-bounces at cabforum.org<mailto:public-bounces at cabforum.org> [mailto:public-bounces at cabforum.org] On Behalf Of Dean Coclin
Sent: Thursday, September 10, 2015 4:49 PM
To: public at cabforum.org<mailto:public at cabforum.org>
Subject: [cabfpub] Cert Policy Working Group activity

As many are aware the Cert Policy Working Group of the CA/B Forum has been working to transition the Baseline Requirements from the current format to RFC 3647 format. As part of this effort, which has taken quite a bit of time, it made sense to pull in the Network Security Guidelines and merge them into the 3647 document.

Under the leadership of Ben Wilson, the working group is composed of a variety of people that have expertise in policy (CP/CPS), network security and CA operations. As part of this exercise, the group had the opportunity to review other documents related to the various sections of the RFC that showcase best practices such as the draft NIST IR, WebTrust, ETSI and various vendor documentation. It became clear that adding best practices from these various documents to the new work product will serve to improve security for all CAs and the ecosystem as a whole.

At our offsite meeting in Washington yesterday, the group made significant progress in reviewing the various sections of 3647 and inserting (upgrading) sections related to security areas (mostly operations). We still have a lot of work to do but I just wanted to give folks an update and the opportunity to express any concerns.

At this time, we are not merging the EV and BR documents but that is something under discussion.

So to summarize:

*        BRs and Net Sec will be in 1 document formatted to RFC 3647

*        Areas not covered in BRs or NetSec (or inadequately covered) are being added or "beefed up" using authoritative sources

Of course, once something is ready for review, the Working Group will publish it to this list.


Dean Coclin
Chair CA/B Forum

<table class="TM_EMAIL_NOTICE"><tr><td><pre>
The information contained in this email and any attachments is confidential 
and may be subject to copyright or other intellectual property protection. 
If you are not the intended recipient, you are not authorized to use or 
disclose this information, and we request that you notify us by reply mail or
telephone and delete the original message from your mail system.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20150910/ad014d5f/attachment-0003.html>

More information about the Public mailing list