[cabfpub] Ballot 190 - Recording BR Version Number

Kirk Hall Kirk.Hall at entrustdatacard.com
Mon Jul 24 11:22:51 MST 2017


I don't agree that CAs would be insulted -- legislatures around the world regularly create and publish tables showing when each section of a statutory code (read: BR Sections) was last amended, and by what public law (read: Ballot) - it can be a useful reference.

But I do agree with you we wouldn't want tables, etc. to get out of sync.  This topic came up originally because of something Wayne posted - let's just wait a bit and see if CAs in the Forum feel a table would or would not be useful in keeping up with changes and knowing what the latest version of each validation rule is.

-----Original Message-----
From: Ryan Sleevi [mailto:sleevi at google.com] 
Sent: Monday, July 24, 2017 10:36 AM
To: Kirk Hall <Kirk.Hall at entrustdatacard.com>
Cc: Ben Wilson <ben.wilson at digicert.com>; CA/Browser Forum Public Discussion List <public at cabforum.org>
Subject: Re: [cabfpub] [EXTERNAL]Re: Ballot 190 - Recording BR Version Number

Isn't that somewhat insulting to CAs around the world? That in order to prevent misissuance, it's necessary to include a second table listing changes (since 1.2.1 already enumerates when those sections are modified, and 1.2.2 notes the effective dates), for ballots that would have been discussed in the Forum for no less than 44 days (Ballot Review + Vote + IP)?

If, in the span of 44 days, a CA does not have sufficient time to recognize a change is happening, should they even be a trusted CA?

In case it's not clear, I'm specifically trying to avoid a situation where one section is updated, but another is not (which is, sadly, an occurrence all too frequent, especially when Ballots are rushed through), and a CA claiming "Well, you didn't update the table, therefore it wasn't clear that I needed to review things." A CA is always on the hook to review every single ballot to understand if it affects them. If a CA is unable to do this during the discussion, and is unable to do this during voting, and is unable to do this during IP review, why would we believe that an (additional) listing would help them?

On Fri, Jul 21, 2017 at 8:25 PM, Kirk Hall <Kirk.Hall at entrustdatacard.com> wrote:
> It would list the 10 methods, and the most recent change date and version number for easy reference.  Again, easy to do, and might help CAs around the world avoid mistakes.
>
> -----Original Message-----
> From: Ryan Sleevi [mailto:sleevi at google.com]
> Sent: Friday, July 21, 2017 11:38 AM
> To: Kirk Hall <Kirk.Hall at entrustdatacard.com>
> Cc: Ben Wilson <ben.wilson at digicert.com>; CA/Browser Forum Public Discussion List <public at cabforum.org>
> Subject: Re: [cabfpub] [EXTERNAL]Re: Ballot 190 - Recording BR Version Number
>
> How would that be different than the table in 1.2.1?
>
> On Fri, Jul 21, 2017 at 2:26 PM, Kirk Hall <Kirk.Hall at entrustdatacard.com> wrote:
>> Yes, or even a table at the end of the BRs - easy to do.
>>
>> -----Original Message-----
>> From: Ben Wilson [mailto:ben.wilson at digicert.com]
>> Sent: Friday, July 21, 2017 8:20 AM
>> To: Ryan Sleevi <sleevi at google.com>; CA/Browser Forum Public Discussion List <public at cabforum.org>; Kirk Hall <Kirk.Hall at entrustdatacard.com>
>> Subject: RE: [cabfpub] [EXTERNAL]Re: Ballot 190 - Recording BR Version Number
>>
>> Maybe someone could provide an example of how the BR version number would appear at the end of each validation method?  For example, would it look like this?
>> [BR 1.5.0]  - with the implication that the method was allowed as of BR v. 1.5.0 going forward until the current version of the BRs?  If the method were changed, would someone need to keep track that the language was XYZ from version 1.4.6 through version 1.5.4?
>> Thanks,
>> Ben
>>
>> -----Original Message-----
>> From: Public [mailto:public-bounces at cabforum.org] On Behalf Of Ryan Sleevi via Public
>> Sent: Friday, July 21, 2017 9:08 AM
>> To: Kirk Hall <Kirk.Hall at entrustdatacard.com>; CA/Browser Forum Public Discussion List <public at cabforum.org>
>> Subject: Re: [cabfpub] [EXTERNAL]Re: Ballot 190 - Recording BR Version Number
>>
>> Hi Kirk,
>>
>> As we saw from the discussions of Ballot 190, the inclusion of additional information "for clarity's sake" can have the deleterious side-effect of changing both the meaning and interpretation. The clarifications that had previously been proposed had notable issues they introduced.
>>
>> So I don't think we can say there is no harm - and, in general, it means even more work to maintain these documents - so I'm hoping we can find a situation in which there is a single, well-understood path, rather than attempting to restate it several times. Given that these represent technical standards documents, and understanding that it takes a degree of professional expertise to understand and interpret them (much like any other standards document), it doesn't seem entirely unfair to suggest that there may be elements that are difficult for the lay-person, provided that they're unambiguous for the practitioners.
>>
>> On Fri, Jul 21, 2017 at 11:02 AM, Kirk Hall via Public <public at cabforum.org> wrote:
>>> Meant for public list -- see my response below.
>>>
>>> -----Original Message-----
>>> From: Ryan Sleevi [mailto:sleevi at google.com]
>>> Sent: Thursday, July 20, 2017 6:09 PM
>>> To: Kirk Hall <Kirk.Hall at entrustdatacard.com>
>>> Subject: Re: [EXTERNAL]Re: [cabfpub] Ballot 190 - Recording BR Version Number
>>>
>>> Hi Kirk,
>>>
>>> Did you mean to omit the list?
>>>
>>> On Thu, Jul 20, 2017 at 9:08 PM, Kirk Hall <Kirk.Hall at entrustdatacard.com> wrote:
>>>> The two responses (Gerv's and mine) are not in conflict, and there is no harm in including the extra information in the BRs.  I'm a big believer in helping people avoid mistakes when it's easy to do.
>>>>
>>>> -----Original Message-----
>>>> From: Ryan Sleevi [mailto:sleevi at google.com]
>>>> Sent: Thursday, July 20, 2017 6:02 PM
>>>> To: Kirk Hall <Kirk.Hall at entrustdatacard.com>; CA/Browser Forum Public Discussion List <public at cabforum.org>
>>>> Cc: Wayne Thayer <wthayer at godaddy.com>
>>>> Subject: [EXTERNAL]Re: [cabfpub] Ballot 190 - Recording BR Version Number
>>>>
>>>> Kirk,
>>>>
>>>> Given that the Forum already publishes its Ballots - and keeps track of changes within the documents - and given CAs are already required to annually review their CP/CPS (in addition to following the current published version), do you believe Gerv's response is not a perfectly reasonable and easy to accomplish approach?
>>>>
>>>> It would be useful to understand, given all the existing tools and practices, what's missing.
>>>>
>>>> On Thu, Jul 20, 2017 at 8:19 PM, Kirk Hall via Public <public at cabforum.org> wrote:
>>>>> Wayne, I think your idea has merit in this special situation – and it’s something we can probably accomplish without a ballot.
>>>>>
>>>>> Statute books commonly have notations at the end of each statute showing all the times the statute was amended – often it will show year and public law number (in “reverse” order with the most recent first) so users can go back and find each law that affected a current statute.
>>>>>
>>>>> When we compile the BRs after Ballot 190 passes, we can put the BR version number where each of the 10 methods was LAST amended by the Forum.  That way, a CA who looks at the most recent BR compilation will know which methods have been recently amended, and which have not.  No one has to use this information, but it would be easy to include in a footnote at the end of BR 3.2.2.4, and update when there is any further change.
>>>>>
>>>>> Ben and I will discuss after Ballot 190 has passed.
>>>>>
>>>>> From: Public [mailto:public-bounces at cabforum.org] On Behalf Of Wayne Thayer via Public
>>>>> Sent: Tuesday, July 18, 2017 6:32 PM
>>>>> To: public at cabforum.org
>>>>> Subject: [EXTERNAL][cabfpub] Ballot 190 - Recording BR Version Number
>>>>>
>>>>> Ballot 190 includes the following statement in 3.2.2.4:
>>>>>
>>>>> The CA SHALL maintain a record of which domain validation method, including relevant BR version number, they used to validate every domain.
>>>>>
>>>>> While I understand the logic behind this, I’m concerned about the “relevant BR version number”. This could be interpreted in a number of imprecise ways. For instance, does ballot 202 require CAs to update their system to record compliance with changes to the definitions in some of the methods?
>>>>>
>>>>> I suggest that we add version numbers to each of the 10 validation methods listed in the BRs and require CAs to record compliance with a specific version of the validation method for each domain they validate. This allows ballot authors to explicitly increment the version number of a given method when a material change is made, and provides clear guidance to CAs on what version number to record.
>>>>>
>>>>> Thanks,
>>>>>
>>>>> Wayne
>>>>>
>>>>> _______________________________________________
>>>>> Public mailing list
>>>>> Public at cabforum.org
>>>>> https://cabforum.org/mailman/listinfo/public
>>>>>