[cabfpub] Ballot 213 - Revocation Timeline Extension

Ryan Sleevi sleevi at google.com
Wed Sep 13 19:03:33 UTC 2017


On Wed, Sep 13, 2017 at 2:52 PM, Jeremy Rowley <jeremy.rowley at digicert.com>
wrote:

> I agree with the goal of getting this information out there, and using the
> CAB Forum this way seems in scope. Per the bylaws: “Members of the
> CA/Browser Forum have worked closely together in defining the guidelines
> and means of implementation for best practices as a way of providing a
> heightened security for Internet transactions and creating a more intuitive
> method of displaying secure sites to Internet users.” (Section 1)
>
>
>
> However, I’m struggling to see why the CAB Forum would want to collect
> this info as a requirement rather than allowing CAs to submit the
> information voluntarily when there are questions.  Usually, we require the
> location of the disclosure be set in the CPS/CP, not as an email to the CAB
> Forum.  Shouldn’t we follow that format here?
>

Because this is an industry problem - and it's one that is either
facilitated by or stymied by the collective Baseline Requirements and Root
Program Requirements.

Our goals in Internet Security should be to establish a consistent baseline
in the application of policies and practices. While we can disclose those
in CP/CPS, that doesn't do anything to align consistency or promote
information sharing. What we're discussing about is sharing information
related to the challenges of adhering to the minimum required policies and
practices, so we can improve both.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20170913/fed2cce3/attachment-0003.html>


More information about the Public mailing list