[cabf_validation] How to Ballot the Profile updates

Ryan Sleevi sleevi at google.com
Wed Apr 20 19:52:46 UTC 2022

On Wed, Apr 20, 2022 at 3:33 PM Doug Beattie via Validation <
validation at cabforum.org> wrote:

> Do we really want to permit an older version of the BRs to be considered
> valid and auditable when there are newer versions?   That goes against “CAs
> must comply with the latest version of the BRs”.  I’d much prefer a single
> stream of updates where CAs are audited against the latest one only as we
> have done historically.

+1 to this. This was very much the concern I was trying to capture in our
previous discussions, about making sure there's a smooth transition. This
is also why the current draft shows how we can accomplish this for
future-dated requirements, so that things can be seamless.

There had been discussion, but never any concrete proposal, for a "mix and
match" solution, but no one could show how that worked.

> Could we consider placing the new section 7 in a new appendix, Appendix C,
> and keeping the current section 7?   We could state that this becomes
> effective on <date> and CAs are encouraged to start complying with this
> sooner.  CAs may be compliant with section 7 and/or Appendix C during this
> time.  On the effective date we have a new ballot that moves Appendix C into
> Section 7.

I'm not sure I understand this. Is this proposing two different profiles
within the BRs?

Is the suggestion here that the profiles work would need a forward dated
requirement? Are there specifics you could share about that? Every time
we've discussed this in the past, it's been difficult to get specifics
about the elements of concern.

> Another alternative is to highlight each and every “material” change with
> specific effective dates - ugly

The conversation for nearly a year has been asking whether folks believe
there are 'material' changes that have impact. Where there are changes,
they are either annotated with effective dates (the same as we do for the
BRs, today) or they are seen as "low risk" and can be effective immediately
(e.g. offline ceremonies).

I can understand in the abstract, but we've already punted so much to V2
precisely to defer this question, but it sounds like you're concerned that
there's still a significant amount?

> If this is worth discussing (again), then could we add this to the agenda
> for this week’s call?

I do think this would be hugely valuable and a productive use of time.

I think, as with the past discussions (and if it's useful, happy to dig up
the references), that folks highlight anything that they believe is a
problematic change and explain why. We've had some discussions about
*existing* requirements (e.g. from the intersection of the BRs and RFC
5280, or requirements from RFC 5280) being unclear. I think that if we can,
similarly, set aside the debate about SHOULD/MAY and focus on MUST/MUST
NOT, it could be really productive.