Okay. Based on the discussion, I propose we do the following to move things
forward:

1. Include an extension in the EE certs indicating compliance with a
   certain version of the BRs. This addresses Ryan’s concerns of knowing which
   certs were issued under new methods compared to relying on older
   documentation.
2. Permit document reuse for 13 months after which all certs must be
   validated using one of the new methods. This addresses Kirk’s concern of
   having to revalidate every customer as of the effective date, permitting
   roughly half to expire while the other half are revalidated.

Does this make everyone equally unhappy?

Jeremy

From: Ryan Sleevi [mailto:[email protected]] 
Sent: Tuesday, May 2, 2017 12:43 PM
To: Jeremy Rowley <[email protected]>
Cc: CA/Browser Forum Public Discussion List <[email protected]>; Gervase 
Markham <[email protected]>
Subject: Re: [cabfpub] Ballot 190

Just to be clear: My initial proposal was simply to indicate "All information 
in this certificate has been validated in accordance with the explicit methods 
in Version X"

That is, even if information is reused, that the information was compatible 
with version X. If version X+1 or X+3 changes things substantially - but still 
permits reuse of Version X data - then you'd continue to assert Version X. If 
Version X+3's validation was still compatible with Version X (perhaps it added 
a new method, or changed something unrelated), you could assert either X, X+1, 
X+2, or X+3 and still be in full compliance. Asserting X+3 is, of course, a 
stronger security assurance, but asserting X is still compliant/compatible :)
