[cabfpub] Cert Policy Working Group activity

Dean Coclin Dean_Coclin at symantec.com
Tue Sep 15 19:39:29 UTC 2015

Thanks to everyone who commented on the task being undertaken from the
policy working group. The feedback has been helpful in directing the group's

The comments essentially break down into 2 types:
1. Insuring that any new language added is reviewed and perhaps balloted by
the entire forum (comments from Bruce, Rick, Kirk)
2. Determining whether the network security guidelines should be merged
(Gerv's comment)

I spoke informally to some of the working group members and for #1, Ben will
send out a proposed "way forward" to address the comments.  I personally
think it will be VERY hard and lengthy to try and ballot each individual
proposed change to such a large document. Let's wait for Ben's proposal to
see what he suggests. 

On #2, the group felt that RFC 3647 contains the exact placeholders for the
items currently in the network security requirements and that's why it made
sense to merge those in. As many of you know, the Network Security
requirements were composed after the Diginotar and Comodo incidents to
address a gap in the BRs. Although they are not as stringent as some would
have liked, they do provide meaningful improvements to the security of the
ecosystem, with an opportunity for further enhancement as we review them

I wasn't aware (or maybe I just forgot) that Mozilla doesn't require the
Network Security requirements as part of their root program. While I don't
know what the reason is for that, I'm sure Gerv and others can enlighten us


-----Original Message-----
From: Rich Smith [mailto:richard.smith at comodo.com] 
Sent: Friday, September 11, 2015 4:53 PM
To: 'Gervase Markham'; Dean Coclin; public at cabforum.org
Subject: RE: [cabfpub] Cert Policy Working Group activity

I'm in agreement with Gerv here, though for different reasons.  If we're
converting the BR to 3647 format that, for the first step, should be ALL
that is done to it.  It's going to be hard enough to review and check for
completion and errors just shifting around the existing BR text.  Scope of
the working group aside, if the Forum as a whole even decides that merging
these two documents is a good idea, it is definitely NOT something that
should be done at the same time as completely re-arranging the current BRs.
It will be far too confusing and prone to possible errors, insertions or
omissions.  Obviously not everyone thinks it is even a good idea, therefore
I think that it's something that should be brought to a specific vote before
it's even begun.

In the BR reformat process the ONLY changes made should be those absolutely
required for the document to continue to make grammatical sense in its new
format.  Wherever possible the text from the existing document SHOULD be
copied to its new location verbatim without changes, and any changes made
MUST be documented rigorously so that they can be properly reviewed for
accuracy of original intent.  That's my two cents.  It seems to me that the
task of re-formatting the BR, if done to this standard, ought to be enough
of a task to not need to throw more at it by trying to merge another
document into it at the same time.


> -----Original Message-----
> From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org]
> On Behalf Of Gervase Markham
> Sent: Friday, September 11, 2015 9:15 AM
> To: Dean Coclin; public at cabforum.org
> Subject: Re: [cabfpub] Cert Policy Working Group activity
> Hi Dean,
> On 10/09/15 21:48, Dean Coclin wrote:
> > As many are aware the Cert Policy Working Group of the CA/B Forum has
> > been working to transition the Baseline Requirements from the current
> > format to RFC 3647 format. As part of this effort, which has taken
> > quite a bit of time, it made sense to pull in the Network Security
> > Guidelines and merge them into the 3647 document.
> I hate to be a killjoy, but I'm not sure it does make sense, but I also
> think it's out of scope for the CP Working Group, on a plain reading of
> the scope from Ballot 128, which set it up:
> "Scope: The CP Review Working Group will (i) consider existing and
> proposed standards, (ii) create a list of potential improvements based
> on the considered standards that improve the existing CAB Forum work
> product, (iii) evaluate the transition to a 3647 format based on the
> amount."
> [That last bullet seems to be poor English; I'm not entirely sure what
> "based on the amount" is supposed to mean. Amount of what? Why should
> the amount of potential improvements from NIST IR determine whether or
> not we convert to 3647? Anyway...]
> The particular proposed standard in view when it was formed was the
> NIST IR guidelines. Merging two existing CAB Forum documents does not
> seem in scope to me.
> Mozilla is not keen on merging the two documents because our root
> program requires adherence to the BRs but not to the Network Security
> guidelines.
> > It became clear that
> > adding best practices from these various documents to the new work
> > product will serve to improve security for all CAs and the ecosystem
> > as a whole.
> I would expect to see each change become an individual topic of
> discussion and perhaps a proposed ballot for the main Forum. Is that
> what you expect?
> "Deliverables: The Working Group will produce topics of discussion and
> proposed ballots that improve the CA infrastructure based on existing
> standards and documents."
> Gerv
> _______________________________________________
> Public mailing list
> Public at cabforum.org
> https://cabforum.org/mailman/listinfo/public
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 5747 bytes
Desc: not available
URL: <http://lists.cabforum.org/pipermail/public/attachments/20150915/65d56683/attachment-0001.p7s>

More information about the Public mailing list