[Servercert-wg] SC 20 (v2) / Level of detail of motivation

Wayne Thayer wthayer at mozilla.com
Thu Oct 3 11:44:51 MST 2019


I'd also like some more information, such as what the WebTrust audit
criteria might be under this change. My concern here is whether or not a CA
with the desire to do the minimum possible could define "continuous
monitoring" to be something that's completely ineffective to actually
"determine whether any changes violated the CA’s security policies" and that
absolves them of any responsibility to respond to this type of problem.

On Thu, Oct 3, 2019 at 10:01 AM Ryan Sleevi via Servercert-wg <
servercert-wg at cabforum.org> wrote:

> Hi Tobias,
>
> Thanks for providing some of the motivation. I'm sure, for someone deeply
> involved in the Subcommittee, it might seem like this provides an adequate
> level of detail. However, as someone seeing this as a ballot, there's an
> incredible amount of context lacking for this, even with the provided
> information.
>
> For example, the motivation suggests that systems are "too complex to
> perform a meaningful human review", yet it completely does not provide any
> details about how human review is eliminated by this proposal. Similarly,
> it provides no context about what is intended by "continuously monitor" -
> what are examples seen as positive and what are examples seen as negative.
> I'm sure this was discussed in the Subcommittee, because this seems like
> basic stuff when proposing language, so perhaps you can point to those
> discussions, rather than rephrase them?
>
> What's missing here, from this, is understanding how the proposed Problem
> (which basically seems to be "WebTrust TF thought we should change it") is
> solved by the proposed solution.
>
> It's not clear to me, for example, why reviewing the changes to the
> configurations is too complex. Are CAs regularly and routinely changing
> configuration so often that it's untenable to review?
>
> On Thu, Oct 3, 2019 at 12:42 PM Tobias S. Josefowitz <tobij at opera.com>
> wrote:
>
>> Hi Ryan,
>>
>> in light of the concerns you raised in the SCWG telco today regarding the
>> level of detail in the motivation of SC 21, I was wondering if you might
>> be inclined to give us some input regarding SC 20 (v2) *before we put it
>> into discussion period*. Not sure if that might be a bit silly because
>> that is what a discussion period is for, but then we have received no such
>> input during the SC 21 discussion period.
>>
>> This commit:
>>
>> https://github.com/tobij/documents/commit/745fef7bdb89dbc70546afe4aa47b235d99b4247
>> has the motivation we so far thought appropriate given we have thoroughly
>> minimized the change (whether this minimization is appropriate might be a
>> topic for the discussion period, however I do not want to discourage any
>> input).
>>
>> Tobi
>>