[cabfpub] Ballot 107 - Removing version numbers to WebTrust and ETSI standards from CABF Guidelines (EVG and BR)

Atsushi Inaba atsushi.inaba at globalsign.co.jp
Thu Aug 8 14:53:39 UTC 2013


GlobalSign votes YES.


Kind regards,
Atsushi Inaba


-----Original Message-----
From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On
Behalf Of Mads Egil Henriksveen
Sent: Wednesday, July 31, 2013 4:21 AM
To: ben at digicert.com; i-barreira at izenpe.net; md at ssc.lt; sigbjorn at opera.com
Cc: public at cabforum.org
Subject: Re: [cabfpub] Ballot 107 - Removing version numbers to WebTrust
and ETSI standards from CABF Guidelines (EVG and BR)

Hi

I think the Implementers' Note is ok for now. It says that the BRs are
incorporated into the WebTrust and ETSI 102 042 standards at some point in
time. We could write some additional text explaining how the BR and the
standards will be synced in the future, but I don't think this is necessary
- for this ballot. 

And I am not sure if it's necessary to delete the version number for the
FIPS 140-2 standard. This is a long-term and more stable standard than the
audit documents (which will be changed regularly and synced with the BR).

Besides this, I am happy with the redlined versions of the BR and EVG.

Mads


-----Original Message-----
From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On
Behalf Of Ben Wilson
Sent: 30 July 2013 17:59
To: i-barreira at izenpe.net; md at ssc.lt; sigbjorn at opera.com
Cc: public at cabforum.org
Subject: Re: [cabfpub] Ballot 107 - Removing version numbers to WebTrust
and ETSI standards from CABF Guidelines (EVG and BR)

We could, but we might want to rewrite the paragraph and explain it more.
The reason for being more specific here is to reference ETSI or WebTrust
with the past version relied upon.  When the auditors come out with their
new version, then we'll re-sync with the next delta of the guideline (rather
than publishing errata as we used to do).  I'm trying to address the fact
that whenever this topic comes up during our meetings people say that we
aren't clear enough with how to bridge between guidelines and audit
criteria.  If someone can re-write the paragraph before we start voting on
this ballot (COB Friday), then we can make that change.   

-----Original Message-----
From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On
Behalf Of i-barreira at izenpe.net
Sent: Tuesday, July 30, 2013 12:53 AM
To: ben at digicert.com; md at ssc.lt; sigbjorn at opera.com
Cc: public at cabforum.org
Subject: Re: [cabfpub] Ballot 107 - Removing version numbers to WebTrust
and ETSI standards from CABF Guidelines (EVG and BR)

I'm ok but I'd also change in the BR-ballot-107.pdf document, at the
beginning, in "implementers' note" the references to the versions that are
made regarding the WebTrust and ETSI docs.


Iñigo Barreira
Head of the Technical Area
i-barreira at izenpe.net
945067705


-----Original Message-----
From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On
Behalf Of Ben Wilson
Sent: Tuesday, July 30, 2013 2:03
To: 'Moudrick M. Dadashov'; 'Sigbjørn Vik'
Cc: public at cabforum.org
Subject: Re: [cabfpub] Ballot 107 - Removing version numbers to WebTrust
and ETSI standards from CABF Guidelines (EVG and BR)

In this ballot I think we were moving away from supplying URLs, and while we
could put in generic references to where to go (e.g.
"http://www.etsi.org/standards" or "http://www.webtrust.org"), I think most
people will be able to track down the most current versions through Internet
search. In response to Sigi's comment, what if we put the following
parenthetical just below BR 3.0 References-- "(Please refer to the latest
official version of these publications.)"? I also don't want to say we
always require the most current version--it depends on the group publishing
the reference. For instance, a cryptomodule certified using FIPS 140-2 is
not obsoleted simply because 140-3 is adopted. (I'm proposing that along
with the other changes being made that "-2" and "May 25, 2001" be removed
from the FIPS 140 reference.) There are a few additional changes in the
attached PDFs that differ slightly from the wording in the ballot that was
sent out. If these redlines are acceptable to the sponsor/endorsers, then
we can make the changes on the wiki accordingly.

-----Original Message-----
From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On
Behalf Of Moudrick M. Dadashov
Sent: Saturday, July 27, 2013 7:47 AM
To: Sigbjørn Vik
Cc: public at cabforum.org
Subject: Re: [cabfpub] Ballot 107 - Removing version numbers to WebTrust and
ETSI standards from CABF Guidelines (EVG and BR)

On 7/27/2013 4:08 PM, Sigbjørn Vik wrote:
> On 27-Jul-13 01:28, Ben Wilson wrote:
>> Ballot 107 - Removing version numbers to WebTrust and ETSI standards 
>> from CABF Guidelines (EVG and BR)
>>
>> Mads Henriksveen made the following motion, and Iñigo Barreira from
>> Izenpe, and Kirk Hall from Trend Micro endorsed it:
> I am in favor of clarifying the text, and minimizing any maintenance 
> needs. Do we need to specify somewhere that whenever we reference 
> another document, we reference the latest version?
>
> E.g. the following:
>> The CA SHALL undergo an audit in accordance with one of the following
>> schemes:
>> 1. WebTrust Program for Certification Authorities audit;
> [...]
> Could easily be read as any version will suffice.
>
> An introduction in the references section explaining that we always 
> refer to the latest official version would presumably cover this.
>
Good point, Sigbjørn, or at least indicate URLs where the current versions
can be found.

Thanks,
M.D.
_______________________________________________
Public mailing list
Public at cabforum.org
https://cabforum.org/mailman/listinfo/public