Closed dzacharo closed 1 year ago
I'm not sure what you mean by suggesting editorial - either way, this will require a ballot.
All these require a ballot, but I was under the impression that those flagged as "editorial" are uncontroversial typos, wrong references, etc., that are collected to be fixed in "clean up" ballots.
So, fixing this to 140-2 would be considered an uncontroversial "typo-fix" in a subsequent clean up ballot, but introducing 140-3 would need a ballot just for that because it would introduce a new certification scheme.
Hopefully this makes it more clear.
We’ve focused ballots on what logically fits. So let’s try to work through the substance here. The reason I questioned the ballot remark is because I think it makes your position harder to understand: do you think we should accept 140-3 or not? It’s unclear if the answer is “yes, but I don’t want to do a separate ballot, so no” or “no” 😅
Do we plan to have a clean up ballot soon? If the answer is yes, we add the 140-2 in the fixes.
Do you think it is a good idea to do an independent ballot to introduce 140-3? Then we add both 140-2 and 140-3 in the proposed independent ballot. I think it requires more discussion with WG members to introduce 140-3, but we currently have other ballots lined up. It wouldn't hurt to start the discussion for 140-3.
"Spring" is here so we might do a clean up ballot soon 🙂
Do we plan to have a clean up ballot soon? If the answer is yes, we add the 140-2 in the fixes.
Yes. I've been holding off until SC41 is finalized, but as you can see from the issues list, I've been keeping track of a long list of issues to fix that are within the realm of "cleanups and clarifications" (e.g. all the .onion bits, .arpa, etc.)
Do you think it is a good idea to do an independent ballot to introduce 140-3?
I don't think we need to, no. Given that 140-3 has been effective since 2019 (and 140-2 is still valid), I think it's fine to allow the either/or of both (especially since 140-3 allows more CAVP automation) in a cleanup, because it's being more permissive (and "just" updating a reference).
This was initially raised in the Code Signing Working Group and @CBonnell indicated this inconsistency in the BRs.
The current language says "FIPS 140 level 3" which should probably be "FIPS 140-2 level 3".
If we only update to "FIPS 140-2", it should probably be considered an editorial change. If we want to include the new "FIPS 140-3" certifications that are coming up, we probably need a clean ballot to incorporate.