[cabfpub] [EXTERNAL]Re: Ballot 190 - Recording BR Version Number

Ben Wilson ben.wilson at digicert.com
Fri Jul 21 08:19:37 MST 2017


Maybe someone could provide an example of how the BR version number would appear at the end of each validation method?  For example, would it look like this?
[BR 1.5.0]  - with the implication that the method was allowed as of BR v. 1.5.0 going forward until the current version of the BRs?  If the method were changed, would someone need to keep track that the language was XYZ from version 1.4.6 through version 1.5.4?
Thanks,
Ben

-----Original Message-----
From: Public [mailto:public-bounces at cabforum.org] On Behalf Of Ryan Sleevi via Public
Sent: Friday, July 21, 2017 9:08 AM
To: Kirk Hall <Kirk.Hall at entrustdatacard.com>; CA/Browser Forum Public Discussion List <public at cabforum.org>
Subject: Re: [cabfpub] [EXTERNAL]Re: Ballot 190 - Recording BR Version Number

Hi Kirk,

As we saw from the discussions of Ballot 190, the inclusion of additional information "for clarity's sake" can have the deleterious side-effect of changing both the meaning and interpretation. The clarifications that had previously been proposed had notable issues they introduced.

So I don't think we can say there is no harm - and, in general, it means even more work to maintain these documents - so I'm hoping we can find a situation in which there is a single, well-understood path, rather than attempting to restate it several times. Given that these represent technical standards documents, and understanding that it takes a degree of professional expertise to understand and interpret them (much like any other standards document), it doesn't seem entirely unfair to suggest that there may be elements that are difficult for the lay-person, provided that they're unambiguous for the practitioners.

On Fri, Jul 21, 2017 at 11:02 AM, Kirk Hall via Public <public at cabforum.org> wrote:
> Meant for public list -- see my response below.
>
> -----Original Message-----
> From: Ryan Sleevi [mailto:sleevi at google.com]
> Sent: Thursday, July 20, 2017 6:09 PM
> To: Kirk Hall <Kirk.Hall at entrustdatacard.com>
> Subject: Re: [EXTERNAL]Re: [cabfpub] Ballot 190 - Recording BR Version 
> Number
>
> Hi Kirk,
>
> Did you mean to omit the list?
>
> On Thu, Jul 20, 2017 at 9:08 PM, Kirk Hall <Kirk.Hall at entrustdatacard.com> wrote:
>> The two responses (Gerv's and mine) are not in conflict, and there is no harm in including the extra information in the BRs.  I'm a big believer in helping people avoid mistakes when it's easy to do.
>>
>> -----Original Message-----
>> From: Ryan Sleevi [mailto:sleevi at google.com]
>> Sent: Thursday, July 20, 2017 6:02 PM
>> To: Kirk Hall <Kirk.Hall at entrustdatacard.com>; CA/Browser Forum 
>> Public Discussion List <public at cabforum.org>
>> Cc: Wayne Thayer <wthayer at godaddy.com>
>> Subject: [EXTERNAL]Re: [cabfpub] Ballot 190 - Recording BR Version 
>> Number
>>
>> Kirk,
>>
>> Given that the Forum already publishes its Ballots - and keeps track of changes within the documents - and given CAs are already required to annually review their CP/CPS (in addition to following the current published version), do you believe Gerv's response is not a perfectly reasonable and easy to accomplish approach?
>>
>> It would be useful to understand, given all the existing tools and practices, what's missing.
>>
>> On Thu, Jul 20, 2017 at 8:19 PM, Kirk Hall via Public <public at cabforum.org> wrote:
>>> Wayne, I think your idea has merit in this special situation – and 
>>> it’s something we can probably accomplish without a ballot.
>>>
>>>
>>>
>>> Statute books commonly have notations at the end of each statute 
>>> showing all the times the statute was amended – often it will show 
>>> year and public law number (in “reverse” order with the most recent
>>> first) so users can go back and find each law that affected a current statute.
>>>
>>>
>>>
>>> When we compile the BRs after Ballot 190 passes, we can put the BR 
>>> version number where each of the 10 methods was LAST amended by the 
>>> Forum.  That way, a CA who looks at the most recent BR compilation 
>>> will know which methods have been recently amended, and which have 
>>> not.  No one has to use this information, but it would be easy to 
>>> include in a footnote at the end of BR 3.2.2.4, and update when there is any further change.
>>>
>>>
>>>
>>> Ben and I will discuss after Ballot 190 has passed.
>>>
>>>
>>>
>>> From: Public [mailto:public-bounces at cabforum.org] On Behalf Of Wayne 
>>> Thayer via Public
>>> Sent: Tuesday, July 18, 2017 6:32 PM
>>> To: public at cabforum.org
>>> Subject: [EXTERNAL][cabfpub] Ballot 190 - Recording BR Version 
>>> Number
>>>
>>>
>>>
>>> Ballot 190 Includes the following statement in 3.2.2.4:
>>>
>>>
>>>
>>> The CA SHALL maintain a record of which domain validation method, 
>>> including relevant BR version number, they used to validate every domain.
>>>
>>>
>>>
>>> While I understand the logic behind this, I’m concerned about the 
>>> “relevant BR version number”. This could be interpreted in a number of imprecise ways.
>>> For instance, does ballot 202 require CAs to update their system to 
>>> record compliance with changes to the definitions in some of the methods?
>>>
>>>
>>>
>>> I suggest that we add version numbers to each of the 10 validation 
>>> methods listed in the BRs and require CAs to record compliance with 
>>> a specific version of the validation method for each domain they 
>>> validate. This allows ballot authors to explicitly increment the 
>>> version number of a given method when a material change is made, and 
>>> provides clear guidance to CAs on what version number to record.
>>>
>>>
>>>
>>> Thanks,
>>>
>>>
>>>
>>> Wayne
>>>
>>>
>>> _______________________________________________
>>> Public mailing list
>>> Public at cabforum.org
>>> https://cabforum.org/mailman/listinfo/public
>>>