[cabfpub] Send us you list of current problems with the Network Security Guidelines

Ben Wilson ben.wilson at digicert.com
Tue Jun 13 22:17:03 UTC 2017


I have the Network and Certificate System Security Requirements in Excel spreadsheets and Word documents with annotations based on previous comments/criticisms and then with references to comparable provisions in WebTrust and ETSI (TS 102 042).  How would you like to use them?


-----Original Message-----
From: Public [mailto:public-bounces at cabforum.org] On Behalf Of Kirk Hall via Public
Sent: Tuesday, June 13, 2017 2:41 PM
To: Gervase Markham <gerv at mozilla.org>; CA/Browser Forum Public Discussion List <public at cabforum.org>; Ryan Sleevi <sleevi at google.com>
Cc: Kirk Hall <Kirk.Hall at entrustdatacard.com>
Subject: Re: [cabfpub] Send us you list of current problems with the Network Security Guidelines

I'm still uncertain what the logic is behind objections to collecting NetSec comments from people (can be CAs, auditors, even browsers) in a master list, as opposed to making people post their concerns directly in their own names - that has not been spelled out.  And I would note that both Google and Mozilla allow people to post materials, including detailed proposals and criticisms, etc., using pseudonyms - if that form of anonymity is acceptable on Google and Mozilla lists for important matters, it would seem collecting comments in a combined document for this project would be acceptable here as well, especially for a sensitive topic.  I would think "good ideas" would be welcome, however the ideas are provided.

Peter touched on the main reasons why I have offered to combine suggested changes to the NetSec guidelines - after which they would be posted immediately to the Public list, not the private Management list.  In addition, some CAs might feel that in the process of describing why a particular requirement is difficult (and unneeded) for them, they may simultaneously be telling the world about their internal security configurations, etc.

So to be clear - the compilation, once complete, will go up first on the Public list.  And anyone who wants to post suggested changes directly to the public list in their own name is welcome to do so.  I'm simply offering an alternative for those who want it.  The ideas will all be in the public domain immediately thereafter.

-----Original Message-----
From: Gervase Markham [mailto:gerv at mozilla.org] 
Sent: Monday, June 12, 2017 8:42 AM
To: CA/Browser Forum Public Discussion List <public at cabforum.org>; Ryan Sleevi <sleevi at google.com>
Cc: Kirk Hall <Kirk.Hall at entrustdatacard.com>
Subject: Re: [cabfpub] [EXTERNAL]Re: Send us you list of current problems with the Network Security Guidelines

On 10/06/17 05:54, Kirk Hall via Public wrote:
> Why do you think it’s detrimental to discussion – I don’t follow your logic?

<elide back and forth>

Is this a question of whether we should default to public or default to private? If so, I think that CAB Forum practice is clear - we should default to public, and those wanting to keep things concealed have the burden of proof.

As well as the principle, in this case anonymous reports are practically less helpful because you can't ask someone "so, what did you mean by that exactly?".

Gerv
