[Servercert-wg] SC 20 (v2) / Level of detail of motivation

Ryan Sleevi sleevi at google.com
Thu Oct 3 10:01:04 MST 2019


Hi Tobias,

Thanks for providing some of the motivation. I'm sure, for someone deeply
involved in the Subcommittee, it might seem like this provides an adequate
level of detail. However, as someone seeing this as a ballot, there's an
incredible amount of context lacking for this, even with the provided
information.

For example, the motivation suggests that systems are "too complex to
perform a meaningful human review", yet it completely does not provide any
details about how human review is eliminated by this proposal. Similarly,
it provides no context about what is intended by "continuously monitor" -
what are examples seen as positive and what are examples seen as negative.
I'm sure this was discussed in the Subcommittee, because this seems like
basic stuff when proposing language, so perhaps you can point to those
discussions, rather than rephrase them?

What's missing here, from this, is understanding how the proposed Problem
(which basically seems to be "WebTrust TF thought we should change it") is
solved by the proposed solution.

It's not clear to me, for example, why reviewing the changes to the
configurations is too complex. Are CAs regularly and routinely changing
configuration so often that it's untenable to review?

On Thu, Oct 3, 2019 at 12:42 PM Tobias S. Josefowitz <tobij at opera.com>
wrote:

> Hi Ryan,
>
> in light of the concerns you raised in the SCWG telco today regarding the
> level of detail in the motivation of SC 21, I was wondering if you might
> be inclined to give us some input regarding SC 20 (v2) *before we put it
> into discussion period*. Not sure if that might be a bit silly because
> that is what a discussion period is for, but then we have received no such
> input during the SC 21 discussion period.
>
> This commit:
>
> https://github.com/tobij/documents/commit/745fef7bdb89dbc70546afe4aa47b235d99b4247
> has the motivation we so far thought appropriate given we have thoroughly
> minimized the change (whether this minimization is appropriate might be a
> topic for the discussion period, however I do not want to discourage any
> input).
>
> Tobi
>