Tim replied..
>
> I'd said..
>>
>> a detail-level comment:
>>
>>  > Also, the reliability of the Web PKI depends critically on the practices of
>>  > its certificate issuers.  However, the topic of practices is outside the
>>  > scope of the IETF.  Therefore, this will be left to other competent bodies.
>>
>> "practices of ... certificate issuers" needs to be clearly defined in order
>> to disambiguate between, e.g., verification of certificate issuance requester
>> and CA infrastructure operational practices.
>>
>> My understanding is that this scope declaration is intended to exclude the
>> former and not necessarily the latter, but this isn't clear.
>
> I was thinking that "both" aspects of practices should be outside the scope
> of an IETF activity.

Maybe so, at least for now.

Although, the term "practices" in the draft charter should be defined, and refs to the relevant (technical) CA/Browser Forum (CABF) documents included, which are it seems..

https://www.cabforum.org/Network_Security_Controls_V1.pdf

https://www.cabforum.org/Baseline_Requirements_V1.pdf

https://www.cabforum.org/Guidelines_v1_4.pdf

https://www.cabforum.org/Guidelines_for_the_processing_of_EV_certificates%20v1_0.pdf


(note that some IETF working group charters do contain refs to various docs for context-setting purposes)

> The CA/Browser Forum is working on these with the
> co-operation of the root-program operators and the relevant audit experts
> (ETSI and WebTrust). I think that best value is obtained from the IETF
> community by focusing on technical protocols.  No?

Just to note, the IETF Ops Area has explicitly specified infrastructural operational "practices" in at least two cases, see for example..

DNSSEC Operational Practices
https://datatracker.ietf.org/doc/rfc4641/

Current Operational Security Practices in Internet Service Provider Environments
https://datatracker.ietf.org/doc/rfc4778/


HTH,

=JeffH

_______________________________________________
wpkops mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/wpkops
