[cabfpub] Allowing SHA-1 OCSP and CRL signatures past 2016
sleevi at google.com
Tue Oct 25 17:45:01 MST 2016
On Tue, Oct 25, 2016 at 5:26 PM, Kirk Hall via Public <public at cabforum.org>
> Wayne – I agree with you that we need to move forward now.
> Previously we had discussed not putting forward any ballots that amend the
> current BRs or EVGL until we complete the readoption Ballot 180, which
> should occur by January 7. But as you point out, this change is very
> time sensitive and can’t wait that long.
> I think we can treat this as a Maintenance Guideline to Sec. 7.1.3 of the
> BRs because we need to complete the adoption process by December 31. I see
> no risks of infringing IP in the change you propose, but in any case we can
> run it through the normal 30 day Review Period for Maintenance Guidelines
> and complete voting before December 31.
Based on the ample discussion of the IPR issues, I'm somewhat surprised to
hear you suggest this. As it presently stands, there's ambiguity regarding
the IPR state of the documents, as a whole, due to the lack of following
the bylaws and the process over the past years.
As such, I fail to see how we can suggest balloting this in a way that
would avoid the IPR issues attempting to be resolved by Ballot 180, but
perhaps the motivations for Ballot 180 are not entirely clear.
In the absence of Ballot 180, I don't believe we can suggest these are
Maintenance Guidelines, nor can we suggest our existing IPR policy would
apply. If we were to proceed with adoption, it would seem like we would be
intentionally stating we are ignoring the IPR concerns, which I believe
Virginia has raised as a very concerning position.
In order to accommodate this proposal, it would seem necessary to
incorporate the proposed text into Ballot 180, and then re-adopt that
document as a Final Guideline, with the full 60 day IPR notification
period. This would ensure that there are no issues with this proposal, but
unfortunately, suggests that it may not be sufficient time to avoid issue.
Have I misunderstood the concerns raised by both you and Virginia over the
past several calls, and the issues surrounding the IPR status of these
documents? Do we believe that, if such a ballot passed and was adopted, it
could legitimately be considered the Baseline Requirements by auditors,
given the issues surrounding the document's creation?
While I'm quite supportive of Wayne's proposal, the IPR Policy and Bylaws
exist to protect us, our work product, and our members, and it would feel
odd to set those concerns aside, especially after such long and productive
discussions about them.