[cabfpub] [EXTERNAL]Re: Ballot 190: Domain Validation
pzb at amzn.com
Fri Apr 14 02:57:27 UTC 2017
> On Apr 13, 2017, at 4:53 PM, Kirk Hall via Public <public at cabforum.org> wrote:
> Peter made an interesting suggestion that we keep layering on transition rules into the BRs themselves – here is his example:
> In section 184.108.40.206, replace the last sentence (which currently reads " CAs SHALL NOT include a Domain Name or IP Address in a Subject attribute except as specified in Sections 220.127.116.11 or 18.104.22.168.”) with something like:
> “CAs MUST NOT include Domain Name or IP Address in a Subject Attribute unless it has been verified using a procedure covered in section 22.214.171.124 or 126.96.36.199 of the Baseline Requirements that were in effect at the time of verification, Such verification MUST have occurred no more than 39 months prior to certificate issuance if the issuance occurs before 1 March 2018. Such verification MUST have occurred no more than 825 days prior to certificate issuance if the issuance occurs on or after 1 March 2018.”
> Yes, that will resolve ONE set of transition rules from ONE ballot – but what do we do when we have another ballot that amends the same section? And then another? (Gerv gave a good example of this possibility this morning relating to the .well-known validation rule as you recall). Do we keep adding transition rules and effective dates over and over again to the same section? That makes no sense, and is not generally how rule sets are amended and codified.
Adding rules for changes is exactly what I’m proposing. There is exactly one version of the BRs in effect at any given point. That version needs to contain all the rules that CA must follow if they apply a signature on a certificate at that point. We can simplify things somewhat if we want by having changes that are merged into the BRs automatically on a given date (“effective date”), but transition rules are always going to be complex.
This is rather different from how American legislative publishing works. For example, the Oregon Revised Statutes explain in their docs (https://www.oregonlegislature.gov/lc/ORSupdate/instructions.pdf <https://www.oregonlegislature.gov/lc/ORSupdate/instructions.pdf>), the “master” copy of the laws is only updated periodically. Someone wanting to get the current status of the ORS has to check through hundreds of changes in a table to determine where to look to find the current text of a statute.
On the other hand, many “living" technical specifications are updated every time a change is approved. Someone wanting to get the current status simply has to get the specification and read it. There are no tables of changes that have to be merged by hand.
I know I prefer the latter approach, even if it means the text gets a little complex.
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Public