Wayne,
Can you give an example of what embedding would look like?
Thanks,
Ben
________________________________
From: Wayne Thayer<mailto:wtha...@godaddy.com>
Sent: 8/1/2017 3:58 PM
To: Ben Wilson<mailto:ben.wil...@digicert.com>; CA/Browser Forum Public Discussion List<mailto:public@cabforum.org>; Gervase Markham<mailto:g...@mozilla.org>; Kirk Hall<mailto:kirk.h...@entrustdatacard.com>
Subject: Re: [cabfpub] [EXTERNAL]Re: Ballot 190 - Recording BR Version Number

The original concern I raised was with the ballot 190 requirement that CAs begin to log the BR version number associated with the validation method used on each request. My concerns are:
1. The BR version doesn't clearly indicate when a validation method has changed. As has been stated, the BR version number will surely increment for many reasons unrelated to validation methods. BR version 1.8.3 is likely to have the same meaning as version 2.1.6 in terms of validation methods.
2. CAs will review changes to the validation methods and come to different conclusions as to what changes require the BR version number to be incremented in their logs. Is a wording change material, even though I'm not updating the code? The ballot author should decide this.
3. CAs generally need to implement changes to methods prior to a BR version number even being assigned. I closely review ballots, but I don't track BR version numbers.

This led me to propose a version number embedded in section 3.2.2.4 of the BRs that covers either all validation methods or one for each method; it doesn't matter to me. This approach:
1. Provides clear guidance that the CA must update the version number they're logging as part of implementing a particular change
2. Allows CAs to make changes based on approved ballots rather than being dependent on BR version numbers
3. Doesn't require a separate section of the BRs to be updated and kept in synch
4. Can easily be added to ballot 190 while we're waiting for ballot 202

Thanks,

Wayne


On 8/1/17, 9:28 AM, "Public on behalf of Ben Wilson via Public" <public-boun...@cabforum.org on behalf of public@cabforum.org> wrote:

    There are two sides to this - one is with the CAs, where they record what
    method was used, and the other is at the CA/Browser Forum level, where someone
    maintains a chart, or whatever, of validation methods in effect, and
    historically which ones were effective during which periods.


    -----Original Message-----
    From: Gervase Markham [mailto:g...@mozilla.org]
    Sent: Tuesday, August 1, 2017 10:06 AM
    To: Ben Wilson <ben.wil...@digicert.com>; CA/Browser Forum Public Discussion List <public@cabforum.org>; Kirk Hall <kirk.h...@entrustdatacard.com>
    Subject: Re: [cabfpub] [EXTERNAL]Re: Ballot 190 - Recording BR Version Number

    On 01/08/17 17:00, Ben Wilson wrote:
    > Are we talking about what the CA records in its database for the
    > validation method used, or are we talking about annotating the BRs
    > with a record of when a change was made?

    I am raising the problem that if there is a list of changes made and it goes
    out of sync with reality, then what do I, at Mozilla, do if a CA says "well, I
    didn't realise that change had been made because it wasn't added to the
    official list"?

    There should be one and exactly one method of knowing when changes are made.

    Earlier, although perhaps not in this thread, someone suggested independent
    version numbers for each of the methods. That has a similar issue - there
    should be one and exactly one method of recording what validation method was
    used.

    Gerv


_______________________________________________
Public mailing list
Public@cabforum.org
https://cabforum.org/mailman/listinfo/public