[cabfpub] Ballot 190

Jeremy Rowley jeremy.rowley at digicert.com
Tue May 2 20:59:21 UTC 2017

Okay. Based on the discussion, I propose we do the following to move things forward:


1. Include an extension in the EE certs indicating compliance with a certain version of the BRs. This addresses Ryan’s concerns of knowing which certs were issued under new methods compared to relying on older documentation.
2. Permit document reuse for 13 months after which all certs must be validated using one of the new methods. This addresses Kirk’s concern of having to revalidate every customer as of the effective date, permitting roughly half to expire while the other half are revalidated.


Does this make everyone equally unhappy?




From: Ryan Sleevi [mailto:sleevi at google.com] 
Sent: Tuesday, May 2, 2017 12:43 PM
To: Jeremy Rowley <jeremy.rowley at digicert.com>
Cc: CA/Browser Forum Public Discussion List <public at cabforum.org>; Gervase Markham <gerv at mozilla.org>
Subject: Re: [cabfpub] Ballot 190


Just to be clear: My initial proposal was simply to indicate "All information in this certificate has been validated in accordance with the explicit methods in Version X"


That is, even if information is reused, that the information was compatible with version X. If version X+1 or X+3 changes things substantially - but still permits reuse of Version X data - then you'd continue to assert Version X. If Version X+3's validation was still compatible with Version X (perhaps it added a new method, or changed something unrelated), you could assert either X, X+1, X+2, or X+3 and still be in full compliance. Asserting X+3 is, of course, a stronger security assurance, but asserting X is still compliant/compatible :)
