[Servercert-wg] Proposal to address ballot effective date problem

Tim Hollebeek tim.hollebeek at digicert.com
Wed Oct 17 14:47:19 MST 2018


Mike, 

 

PCI is an example of an organization that publishes on a defined, regular schedule that is announced in advance.

 

-Tim

 

From: Servercert-wg <servercert-wg-bounces at cabforum.org> On Behalf Of Mike Reilly (GRC) via Servercert-wg
Sent: Wednesday, October 17, 2018 5:25 PM
To: Richard Smith <rich at comodoca.com>; CA/B Forum Server Certificate WG Public Discussion List <servercert-wg at cabforum.org>; sleevi at google.com
Subject: Re: [Servercert-wg] Proposal to address ballot effective date problem

 

Richard, this seems like a logical approach to me and would greatly simplify things for the ecosystem.  You had mentioned that other organizations use this approach as a best practice.  Can you refresh my memory on which organizations follow this approach?   Thanks, Mike

 

From: Servercert-wg <servercert-wg-bounces at cabforum.org> On Behalf Of Richard Smith via Servercert-wg
Sent: Thursday, October 18, 2018 1:26 AM
To: sleevi at google.com; servercert-wg at cabforum.org
Subject: Re: [Servercert-wg] Proposal to address ballot effective date problem

 

Dates/time between freezing the version and publication can be debated.  I think this addresses the same problem as the alternate proposal in a better way.  CAs don’t have to try to keep track of arbitrary dates.  We will know well ahead of time what to expect and when to expect it.  It also makes life significantly easier for the maintainers of the documents and the web site administrators because they won’t have to push out new publications on an arbitrary and random basis.  I think this would solve a host of problems just like version control and development scheduling in software does.

 

Regards,

Rich

 

From: Ryan Sleevi <sleevi at google.com>
Sent: Wednesday, October 17, 2018 3:11 AM
To: Richard Smith <rich at comodoca.com>; servercert-wg at cabforum.org
Subject: Re: [Servercert-wg] Proposal to address ballot effective date problem

 

Could you specifically explain the benefits you see for such a fixed schedule? It seems the only real element of the discussion today that this addresses is that it allows for as little as two weeks from the adoption of a ballot to enforcement.

 

It seems like the alternative proposal offered - to set a common fixed expectation - is more beneficial to the CAs and the auditors tasked with actually performing those assessments (as opposed to developing the criteria). That is, ballots that complete the IP review will be consistently brought into force 30 days later, unless there is a specific consideration mentioned in the ballot.

 

I can't help but feel your proposal is optimizing for a different problem, one which wasn't discussed, and so I fear I may be missing what you believe the additional value is compared to the other proposal.

 

On Wed, Oct 17, 2018 at 3:01 AM Richard Smith via Servercert-wg <servercert-wg at cabforum.org> wrote:

As discussed at the Shanghai F2F today, there is a lot of confusion around ballot effective date and the current procedure is difficult to follow.

 

To fix the problem I propose that we move to a quarterly release schedule for both BR and EVG using the following method:

1.	Dates of publication:

a.	February 1: Will include ballots which complete IPR review between October 16 and January 15
b.	May 1: Ballots which complete IPR review between January 16 and April 15 
c.	August 1: Ballots which complete IPR review between April 16 and July 15
d.	November 1: Ballots which complete IPR review between July 16 and October 15

Ballot effective date will be the date upon which the BR or EVG containing it is published unless otherwise specified in the ballot itself and voted upon accordingly.  We need to keep the ability to specify an alternate date in the ballot in order to address critical items more quickly if necessary and also to allow additional time for some items if that is deemed necessary.

 

I also think this type of scheduled publication will help our associates at WebTrust and ETSI to track changes and get them incorporated into their audit criteria more smoothly.

 

Regards,

Rich Smith

Senior Compliance Manager

ComodoCA.com

 

_______________________________________________
Servercert-wg mailing list
Servercert-wg at cabforum.org
http://cabforum.org/mailman/listinfo/servercert-wg
