[cabfpub] Cert Policy Working Group activity

[Gervase Markham]

Hi Dean,

On 10/09/15 21:48, Dean Coclin wrote:
> As many are aware the Cert Policy Working Group of the CA/B Forum has
> been working to transition the Baseline Requirements from the current
> format to RFC 3647 format. As part of this effort, which has taken quite
> a bit of time, it made sense to pull in the Network Security Guidelines
> and merge them into the 3647 document.

I hate to be a killjoy, but I'm not sure it does make sense, but I also
think it's out of scope for the CP Working Group, on a plain reading of
the scope from Ballot 128, which set it up:

"Scope: The CP Review Working Group will (i) consider existing and
proposed standards, (ii) create a list of potential improvements based
on the considered standards that improve the existing CAB Forum work
product, (iii) evaluate the transition to a 3647 format based on the
amount."

[That last bullet seems to be poor English; I'm not entirely sure what
"based on the amount" is supposed to mean. Amount of what? Why should
the amount of potential improvements from NIST IR determine whether or
not we convert to 3647? Anyway...]

The particular proposed standard in view when it was formed was the NIST
IR guidelines. Merging two existing CAB Forum documents does not seem in
scope to me.

Mozilla is not keen on merging the two documents because our root
program requires adherence to the BRs but not to the Network Security
guidelines.

> It became clear that
> adding best practices from these various documents to the new work
> product will serve to improve security for all CAs and the ecosystem as
> a whole.

I would expect to see each change become an individual topic of
discussion and perhaps a proposed ballot for the main Forum. Is that
what you expect?

"Deliverables: The Working Group will produce topics of discussion and
proposed ballots that improve the CA infrastructure based on existing
standards and documents."

Gerv