[cabfpub] Policy Review Working Group Update

Ben Wilson ben.wilson at digicert.com
Thu Jun 16 19:37:32 UTC 2016


Since there have been several comments over the past few days with regard to
Ballot 170, a product of the Policy Review Working Group, I thought I'd
provide a quick response to some of them:

(1) Ballot 170 did not use industry-adopted standards,

(2) those involved lack the expertise to develop/adopt good language,

(3) the Baseline Requirements should only address certificate issuance and
not security management, and

(4) there was concern about the future direction of proposals.

First, the language chosen by the working group was drawn mainly from the NIST
IR 7924 document. Members of the working group reviewed several other
documents (including WebTrust and ETSI) and determined that, at least for
the ballot at hand, the NIST document reflected the standards in those
documents at a level appropriate for the Baseline Requirements. The working
group intends to revisit other standards, and we're open to suggestions if
anyone has any.

Second, nearly all members of the working group have at least 10 years of
experience working with information security and PKI policy documents in
various capacities. We've read and re-read security standards, RFP
requirements, legal and regulatory requirements, etc. I think we have
sufficient skill - even if some of the language isn't the best. (Sometimes
the language chosen was not modified because that is how it was stated in
the source document.) The appropriate remedy for unartful language would
be to recommend improvements or for the commenter to indicate potential
support of the provisions if improvements to the language were made.

Third, the ballot chartering the working group states:

During the CAB Forum face-to-face meeting, we discussed creating a working
group to compare the NIST IR proposal and various with the existing CAB
Forum work product. The group will also continue our contemplation on
converting to a 3647 format to make future comparisons easier.

Many of the ideas encompassed in these other standards documents are great
ideas that could improve the BRs, EV Guidelines, or Network Security
Guidelines. Although the Forum may not adopt the specific language presented
in these documents, we certainly can use the previous work product as a
starting point for discussion. This group is tasked with identifying those
starting points and either bringing them to the main CAB Forum or making
recommended ballot proposals.

Most CPs, including the NIST IR, are formatted in a 3647 format. The BRs are
a CP that lacks this format. Having the CAB Forum use an RFC-compliant
format will increase the ease in comparing new and existing guidelines with
Forum work product. The group will look at the 3647 conversion work already
completed and decide whether the CAB Forum should continue the project.

Scope: The CP Review Working Group will (i) consider existing and proposed
standards, (ii) create a list of potential improvements based on the
considered standards that improve the existing CAB Forum work product, and (iii)
evaluate the transition to a 3647 format based on the amount of work.

Deliverables: The Working Group will produce topics of discussion and
proposed ballots that improve the CA infrastructure based on existing
standards and documents. The Working Group will also make a recommendation
on whether to finish the 3647 conversion. Of course, all work product
produced by the Working Group is non-binding on the Forum until officially
adopted by ballot.

Clearly, a full treatment of the Baseline Requirements was envisioned by the
charter.

Fourth and finally, there should be no surprises about proposed language as
the working group moves forward. While the language will be improved and
worked on by the Working Group, I have created several GitHub "commits".
These can be examined at
https://github.com/cabforum/documents/commits/PolicyReviewWorkingGroup/docs.
(A Section 5.2 draft proposal was previously created as a separate branch at
https://github.com/cabforum/documents/tree/PolicyRev%234-BR-Section-5.2.)
Also, during our meeting today we discussed that, going forward, we'll try to
keep the public list better informed as we work towards completing our
work.

Cheers,

Ben Wilson
Working Group Chair
