[cabfpub] Allowing SHA-1 OCSP and CRL signatures past 2016

Jeremy Rowley jeremy.rowley at digicert.com
Wed Oct 26 17:02:57 UTC 2016

It’s important because a draft guideline isn’t non-binding on the CAB Forum membership. The bylaws clearly spell out how a ballot takes place:


(c)  A representative of any Member can call for a proposed ballot to be published for review and comment by the membership. Any proposed ballot needs two endorsements by other Members in order to proceed. The review period then shall take place for at least seven calendar-days before votes are cast. 


(d)  The CA/Browser Forum shall provide seven calendar-days for voting, with the deadline clearly communicated via the members’ electronic mailing list. All voting will take place online via the members’ electronic mailing list. 


(g) A ballot result will be considered valid only when more than half of the number of currently active members has participated. The number of currently active members is the average number of member organizations that have participated in the previous three meetings (both teleconferences and face-to-face meetings).


This tells me the ballot is effective when passed. The IPR spells out how to handle IP claims, not when a ballot becomes effective. After the ballot passes, we have a 60-day window to review and submit disclosure statements, which is handling the IP issues, not the effectiveness of the previous ballot. This is the issue I was trying to point out in the face-to-face. Ballot 169 passed and is required by the membership under the bylaws but has not finished the IP review. Although it’s still technically a “draft guideline” until the IPR finishes, there’s nothing in the bylaws or IPR (that I’m aware of) that says a draft ballot isn’t a binding requirement on the membership if that draft has been voted on using the process set up in the bylaws.



From: Ryan Sleevi [mailto:sleevi at google.com] 
Sent: Wednesday, October 26, 2016 10:33 AM
To: Jeremy Rowley <jeremy.rowley at digicert.com>
Cc: Kirk Hall <Kirk.Hall at entrustdatacard.com>; CABFPub <public at cabforum.org>
Subject: RE: [cabfpub] Allowing SHA-1 OCSP and CRL signatures past 2016


Reposting to public, somehow lost.


On Oct 26, 2016 9:32 AM, "Ryan Sleevi" <sleevi at google.com> wrote:

On Oct 26, 2016 9:06 AM, "Jeremy Rowley" <jeremy.rowley at digicert.com> wrote:
> It’s called a “CAB Forum Draft Guideline” and would follow the procedure already established by the existing bylaws and IPR. Following adoption, the chair would initiate a review period.

Which for a draft is 60 days, which gets back to the same problem, does it not?

If it's a draft, then what is the point or purpose of the Ballot, versus, say, a straw poll? The draft would have to be adopted per our bylaws and IPR, so that's 60 days and a vote.

Is the suggestion that we need to ballot changes to Drafts? Is that required by the bylaws? My understanding was that the first ballot does not trigger until adopting the draft. So if we had a ballot, the result of the ballot is not a binding document, just a sense of whether the actual adoption would succeed.
