[cabfpub] Ballot 190 - Recording BR Version Number

[Ryan Sleevi]

On Fri, Jul 21, 2017 at 12:30 AM, Wayne Thayer via Public
<public at cabforum.org> wrote:
> given CAs are already required to annually review their CP/CPS
> [WT] I find it difficult to believe that it would be considered acceptable for a CA to wait [up to] a year to update the version number of a validation method after a material improvement is made to that method.

Given that they attest compliance with the current versions of the
BRs, all CAs (both WebTrust and ETSI) are obligated to be tracking
what goes on in the Forum. It just sets the upper-bound of the delta
as one year, if a CA fails to do that.

>
> do you believe Gerv's response is not a perfectly reasonable and easy to accomplish approach?
> [WT] I assume that you mean this approach:
> The BRs themselves require that you comply with the latest published
> version. So I would expect that, each time a new version is released,
> CAs evaluate the changes and plan to update their systems accordingly.
> If the changes are material to domain validation, I would expect part of
> that update to be changing the recording system to record that you are
> now compliant with the new BR version. If they are not material to
> domain validation, I would expect that update to be optional - in other
> words, recording "1.7.3/3.2.2.4.15" may be exactly the same as recording
> "1.7.4/3.2.2.4.15".
>
> [WT]Gerv’s suggestion is a reasonable interpretation, but another reasonable interpretation is that CAs must increment the version number of the BRs that they log every single time the BRs are updated, regardless of what has changed. That interpretation is arguably supported by the requirement that CA’s commit comply with the latest version of the BRs in the CPS.

I see - so the situation is not that the review is difficult or
onerous (and it's benefited by the change log in the document) - just
that after every increment of the BRs, CAs may need to update their
system to record "We comply with version Y, not version X".

Is that difficult to do? I would think it would be a routine thing
already going on today with your Compliance teams, since independent
of any changes to the language, every change requires review from
Compliance against the CP/CPS to ensure that the CA's practices and
policies do indeed coincide with what are present in the currently
published BRs.

The only thing it would seem to change is that, at the end of that,
they update a single flag in the system to say "BR 1.5.0" instead of
"1.4.9". I didn't think it would be more than that?

> It would be useful to understand, given all the existing tools and practices, what's missing.
> [WT] Updating the version number of each validation method every time the BRs change for any reason is burdensome and provides no value. What’s missing for me is a clear signaling mechanism that a material change has been made to a validation method. My original email referenced ballot 202 as a concrete example.

I'm not sure I follow this - on the material change. Isn't the
question about whether or not a change is material largely dependent
upon what an individual CA's CP/CPS states they do, and how well that
aligns or doesn't align?

That is, consider a change to a BR method that a CA does not use. Is
that change material or immaterial? To the CA, it's immaterial. If
only one CA uses that method, it's material to them - but can it be
said to be material to the BRs, if it affected only a single party?

We have small language corrections that affect only one party, but we
mostly treat those as immaterial - usually because it's a
clarification of intent that was well-understood by other CAs.

So that's why I struggle with material versus immaterial, and perhaps
naively assumed that upon every ballot, a CA goes through its
Practices and Policies to review the changes impact on them, and to
make the necessary changes. Ideally, they do this well before it
passes - such as during the pre-discussion phase - to inform and
enlighten whether or not it represents a material change.