[cabfpub] FW: [EXTERNAL]Re: Ballot 190 - Recording BR Version Number

Kirk Hall Kirk.Hall at entrustdatacard.com
Mon Aug 14 15:38:21 UTC 2017


+1.  While I like aspects of Wayne's proposal, it does add complexity, and in the end it shouldn't be that hard for each CA to come up with method(s) to track which validation method was used (which inherently includes which version number -- presumably the version number in effect at the time of validation).

Again, it is possible for us to create a tracking list as a table to the BRs that is not part of the official text of the BRs, but is there to help CAs keep track of changes to each method and their effective dates.

-----Original Message-----
From: Ben Wilson [mailto:ben.wilson at digicert.com] 
Sent: Monday, August 14, 2017 8:30 AM
To: Gervase Markham <gerv at mozilla.org>; Wayne Thayer <wthayer at godaddy.com>; CA/Browser Forum Public Discussion List <public at cabforum.org>; Kirk Hall <Kirk.Hall at entrustdatacard.com>
Subject: RE: [cabfpub] [EXTERNAL]Re: Ballot 190 - Recording BR Version Number

Just a thought, for what it's worth.  I'd rather keep audit compliance and ballot drafting simple and only state, "the CA shall maintain a record of which domain validation method they used to validate every domain."  Doesn't that implicitly encompass tracking the BR version number?  Can't we leave it up to CAs to choose a tracking method without over-prescribing?  Otherwise I anticipate an auditor coming in and asking to look at my database to confirm that I've listed every BR version number with which the validation performed complied.

Ben


-----Original Message-----
From: Gervase Markham [mailto:gerv at mozilla.org] 
Sent: Monday, August 14, 2017 8:54 AM
To: Wayne Thayer <wthayer at godaddy.com>; Ben Wilson <ben.wilson at digicert.com>; CA/Browser Forum Public Discussion List <public at cabforum.org>; Kirk Hall <Kirk.Hall at entrustdatacard.com>
Subject: Re: [cabfpub] [EXTERNAL]Re: Ballot 190 - Recording BR Version Number

On 01/08/17 22:58, Wayne Thayer wrote:
> This led me to propose a version number embedded in section 3.2.2.4 of 
> the BRs that covers either all validation methods or one for each 
> method – it doesn’t matter to me.

I can see the value and clarity of this approach. I would prefer that there be one version number per method. (Just as individual ACME methods are versioned; same idea.)

I agree that semantically one can achieve the same result by recording the BR version number one is following, although one then needs to do some textual comparisons to see whether CA Foo using method 3.2.2.4.6 as of BRs 1.7.8 is actually using the same method as CA Bar using method 3.2.2.4.6 from BRs 1.8.3, or not.

The question is whether there is a sufficient additional clarity advantage in this system to make it worth implementing.

Gerv