[cabfpub] Ballot 170 - Amend Section 5.1 of Baseline Requirements

[Gervase Markham]

On 15/06/16 17:15, Ben Wilson wrote:
> I don't think it is maximalist to provide some baseline requirements around 
> physical security, but that, I guess, is a matter of opinion.  

I think the experience with the Network Security Guidelines, written
once in 2012 as a belated response to Diginotar and not updated since,
suggests that we are far better off when sticking to our own collective
area of expertise.

> Talking of 
> frustration, I do get frustrated that  browsers prefer an extreme minimalist 
> approach to  the  extent that  they would rather see "survival of the 
> fittest".  In other words, it is only a matter of time until another CA with 
> lax operational practices goes the way of DigiNotar.

The fact that I don't think physical security requirements belong in the
BRs doesn't mean that I think it's OK for some CAs to have lax
operational practices. But instead of assuming that the BRs are the only
way we have of addressing that issue ("if all you have is a hammer,
everything looks like a nail"), perhaps we should have a discussion
about the best way to encourage best practice across the industry here?

Referencing other documents maintained by organizations with expertise
in this area and who have the resources and desire to keep them up to
date with the changing landscape seems to me to be a better path to
travel. Whether those references are indicative or normative is another
question; CAs already need two or three audits, each of which is
expensive, and the more audits there are, the more the total cost starts
to become anticompetitive.

Gerv