[cabfpub] Ballot 190

Wayne Thayer wthayer at godaddy.com
Fri Apr 28 03:53:18 UTC 2017 

Jeremy,

>>If there are still concerns, should we drop the reuse language altogether?

I would support this ballot regardless of what explicit reuse language is included, but I would like to see some explicit statement on reuse included, even if the statement is “you can’t reuse data/documents from non-compliant methods”.

Given the desire to remove “any other method” from the BRs ASAP, I think either of the compromises you proposed is preferable to a delayed effective date for the entire ballot, which is what I suspect would be required to gain consensus if the reuse language was dropped.

Thanks,

Wayne
From: Public <public-bounces at cabforum.org> on behalf of Jeremy Rowley via Public <public at cabforum.org>
Reply-To: CA/Browser Forum Public Discussion List <public at cabforum.org>
Date: Thursday, April 27, 2017 at 3:35 PM
To: Ryan Sleevi <sleevi at google.com>, CA/Browser Forum Public Discussion List <public at cabforum.org>
Cc: Jeremy Rowley <jeremy.rowley at digicert.com>
Subject: Re: [cabfpub] Ballot 190

Sorry – that was pretty confusing.  I revised the questions in way that I think answers most of your question:

  1.  If we include the validation WG proposed language in Section 3.2.2.4, does that adequately address the concerns with the previous version of ballot 190?
  2.  If there are still concerns, should we drop the reuse language altogether? Note that this will require revalidation of all information prior to issuance of new certificates if the original validation was not in accordance with one of these ten sections.
  3.  If we add the language to Section 3.2.2.4, would you vote against the ballot because of the document reuse?
  4.  If the reuse language proposed was dropped altogether and re-validation became required, would you vote against the ballot?
  5.  If you’d vote against the ballot, is there some middle ground that we can reach? For example, could we say that all previous validation information not complaint with the 10 methods must expire 13 months from the date of the ballot? Alternatively, everything under section 7 expires immediately while documents affected by a modification to 1-6 will remain valid for 825 days? Other proposals.
Basically, we’re at an impasse on the ballot, and I’m not sure which way the vote would go.

A couple of comments:

“I think the general language proposal is a bit awkward - I would rather see it pegged to an explicit minimum version (for example, BRs 1.4.1) and explicitly forbid using a previous "any other method" validation. Is that problematic?”

This seems reasonable to me, but I’ll let others chime in.

“I think if we're still unable to agree on a timeline such as that - requiring revalidation consistent with the current-3.2.2.4 for anything that was validated under a previous-3.2.2.4 that is no longer permitted - my only other suggestion would be to require an explicit expression within the certificate that it complies with the current version of 3.2.2.4 at the time of issuance. This would help give Relying Parties the necessary assurances that the CA is committed to security.”

This seems reasonable to me as well.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20170428/a1522614/attachment-0003.html>

More information about the Public mailing list