[Servercert-wg] Draft Ballot for Cleanups

Dimitris Zacharopoulos (HARICA) dzacharo at harica.gr
Mon Oct 21 11:01:34 MST 2019 


On 2019-10-21 8:35 μ.μ., Ryan Sleevi wrote:
>
>
> On Mon, Oct 21, 2019 at 1:15 PM Dimitris Zacharopoulos (HARICA) 
> <dzacharo at harica.gr <mailto:dzacharo at harica.gr>> wrote:
>
>     The BRs are supposed to be guidelines for CAs that want to issue
>     publicly-trusted certificates and for Relying Parties to be able
>     to verify these Certificates. We want good guidance to come from
>     these documents as if there were no Root programs.
>
>
> I'm not sure who the "we" is, but this certainly is not a universally 
> shared value.

Forgive me for not being so accurate. "we" as in "the CA/B Forum". I 
thought it would be an uncontroversial statement because despite the 
different perspectives between Browsers and CAs, "we" (CAs and Browsers) 
are still working together in the Forum for the common good.

>     If the BRs were "perfect", some Root programs wouldn't need to
>     have additional requirements.
>
>
> This is a particular problematic statement. It's extremely useful to 
> understanding your perspective and the concern with 1.1, and I would 
> hate that a Cleanup Ballot would become the means of litigating this, 
> so I'd like to suggest we table it, for now. The best I can say is 
> that the view advanced here has been a leading cause of problems, and 
> is not one shared.
>
> However, consistent with our Bylaws, we need to emphasize that these 
> requirements - and the CA/Browser Forum - does not impose anything 
> upon any one. I hope you can see that the statement, as it exists, is 
> wholly in line with our existing Bylaws.

I am still not sure why you are repeating that. It is very clear from 
section 1.1. of the Baseline Requirements that "The requirements are not 
mandatory for Certification Authorities unless and until they become 
adopted and enforced by relying-party Application Software Suppliers."

Are you concerned that I might be challenging that? I am not.

I made an observation about the last sentence of the first paragraph of 
section 1.1 of the BRs that I have seen misunderstood/misinterpreted in 
several bugs created and shared in m.d.s.p., where CAs considered the 
Baseline Requirement rules as having to be "audited" end enforced the 
moment they join a Root program. I thought this is something that needs 
to be fixed. I will probably create an issue on GitHub and keep it there 
until we can discuss in the future.

Dimitris.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cabforum.org/pipermail/servercert-wg/attachments/20191021/87a8ac2d/attachment.html>

More information about the Servercert-wg mailing list