[cabfpub] Ballot 190 - Recording BR Version Number

Wayne Thayer wthayer at godaddy.com
Thu Jul 20 21:30:21 MST 2017


given CAs are already required to annually review their CP/CPS
[WT] I find it difficult to believe that it would be considered acceptable for a CA to wait [up to] a year to update the version number of a validation method after a material improvement is made to that method.

do you believe Gerv's response is not a perfectly reasonable and easy to accomplish approach?
[WT] I assume that you mean this approach:
The BRs themselves require that you comply with the latest published
version. So I would expect that, each time a new version is released,
CAs evaluate the changes and plan to update their systems accordingly.
If the changes are material to domain validation, I would expect part of
that update to be changing the recording system to record that you are
now compliant with the new BR version. If they are not material to
domain validation, I would expect that update to be optional - in other
words, recording "1.7.3/3.2.2.4.15" may be exactly the same as recording
"1.7.4/3.2.2.4.15".

[WT] Gerv’s suggestion is a reasonable interpretation, but another reasonable interpretation is that CAs must increment the version number of the BRs that they log every single time the BRs are updated, regardless of what has changed. That interpretation is arguably supported by the requirement that CAs commit to comply with the latest version of the BRs in the CPS.

It would be useful to understand, given all the existing tools and practices, what's missing.
[WT] Updating the version number of each validation method every time the BRs change for any reason is burdensome and provides no value. What’s missing for me is a clear signaling mechanism that a material change has been made to a validation method. My original email referenced ballot 202 as a concrete example.

On 7/20/17, 6:02 PM, "Ryan Sleevi" <sleevi at google.com> wrote:

    Kirk,
    
    Given that the Forum already publishes its Ballots - and keeps track
    of changes within the documents - and given CAs are already required
    to annually review their CP/CPS (in addition to following the current
    published version), do you believe Gerv's response is not a perfectly
    reasonable and easy to accomplish approach?
    
    It would be useful to understand, given all the existing tools and
    practices, what's missing.
    


