[cabfpub] Ballot 213 - Revocation Timeline Extension

Ryan Sleevi sleevi at google.com
Tue Oct 10 09:53:06 MST 2017


On Thu, Sep 21, 2017 at 1:38 PM, Gervase Markham <gerv at mozilla.org> wrote:

> On 20/09/17 01:26, Ryan Sleevi wrote:
> > I appreciate your suggestion of a solution, but I'm not quite sure I
> > understand your concerns. Apologies for that, but it would be great if
> > you could elaborate why you feel it may be "overreaching". I had hoped
> > my explanation provided context how it's both relevant and applicable to
> > the activities of the CA/Browser Forum, and independent of any
> > particular Root Stores perspective.
>
> That was responding to a point made by you; you said it might be
> inappropriate for the CAB Forum to require posting to m.d.s.p. And I
> agree - it's outside the CAB Forum's remit. This is what I meant by the
> "overreaching" I was avoiding. My proposed solution is that the BRs
> require the existence of the report, and the root program requirements
> say where it needs to be placed.
>

Do you see a problem with the BRs requiring it be posted to a CABF list?
That is, could you elaborate on what the advantages are of having multiple
root programs require disclosure versus providing a central clearing house?


> > In this context, I think it's useful to consider what is fundamentally a
> > very simple proposal:
> > - the CA/B Forum can establish a list that allows publishing of such
> > reports
> > - The Baseline Requirements require posting such results to that list
>
> I'm ambivalent. It's one more thing for a CA to remember to do, and as
> a root program person who will be requiring them to be sent to me
> anyway, it doesn't add value for me. But I have no strong objection :-)
>

I see - so your position is that even in the existence of a mechanism to
centrally disclose such events, you would still require independent
disclosure?

Would you agree that there is separate value from having a root store
disclosure (which can affect how the root program itself behaves with
respect to a particular member) versus having an open, public disclosure in
a vendor-neutral way (which can allow for improvements to the BRs and
identifying problematic scenarios in a vendor-neutral way)?