[cabf_validation] Pre-Ballot Registration Agencies / Incorporating Agencies

Ryan Sleevi sleevi at google.com
Thu May 14 10:00:12 MST 2020


Based on the feedback from the last call, I've tried to update
https://github.com/sleevi/cabforum-docs/pull/11
<https://github.com/sleevi/cabforum-docs/pull/11/files> with everything
that was raised, and I think that it's ready to look for co-endorsers for a
formal ballot. If there are concerns, happy to hear them on list or on
GitHub and see if we can't address them.

The specific changes that I incorporated can be viewed at
https://github.com/sleevi/cabforum-docs/pull/11/commits/2080fdfeb2a3c6af1576247e7ff4ae02344513e0


* Section 8.2 is more related to Certificate Policy OIDs. While disclosure
requirements within the CP/CPS are captured here, instead move the
disclosure of information sources closer to the verification process, since
disclosure is required prior to use within verification

* There was concern that '24x7 availability' is at odds with a light touch
approach that would permit disclosure via source control repositories (e.g.
GitHub, GitLab) or online document services (e.g. Microsoft Office 365,
Google G Suite). "readily accessible" is sufficient to indicate it must
have more uptime than downtime

* Shift from 1 September to 1 October. This ensures "at least" three
months, factoring in discussion, voting, and IP review, while avoiding any
holiday freezes.

* Clarify that CAs only need to declare the sources they use, rather than
any source they evaluate. CAs still need to disclose prior to use, and thus
benefit from disclosing more early, but this does not require disclosure of
every source evaluated, including those that are never used.

* Address default-deny concerns by making it clear that it's a minimum, not
a maximum, for disclosure
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cabforum.org/pipermail/validation/attachments/20200514/292262fd/attachment.html>


More information about the Validation mailing list