Yes, it's almost certainly intentional. The thing is, the high level
document should state the high level requirement, and leave
implementation to the CA.
When we state how the implementation is done in a high level document,
we generally block things we don't understand. If we are subject to
group-think (as we are) we end up stopping innovation and things outside
What is left over is how the requirement is tested. This is typically
left to the audit process. People have (quite rightly) grumbled that
this doesn't work very well (for whatever reason), but the answer is
definitely not to tighten the screws on the high level document.
> Yes, it's almost certainly intentional. The thing is, the high level document should state the high level requirement, and leave implementation to the CA.
There are a number of US patents covering aspects of domain validation for SSL certificates. The BR has to tread a fine line between laying out good practice and requiring CAs to follow a process that might intrude on a patented process.
I'm really surprised that there's been no more commentary on this. Are
we to conclude that the CAB Forum is working to protect the interests of
competitive parties jousting in a patent battle?
There appear to be no disclosure requirements, and no licensing
requirements. Does this mean that CAB Forum members (c.f. jurisdiction)
are at risk of submarine patents? Are these torpedo documents?
dev-security-policy mailing list