<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<style type="text/css" style="display:none;"> P {margin-top:0;margin-bottom:0;} </style>
</head>
<body dir="ltr">
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
I agree that there's no rush. And yes, CAs have done everything right if they've implemented the traditional RFC5280 behaviour and weren't asked by Microsoft to do otherwise.</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
<br>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
My primary concern is that I'm super keen for Sectigo's compliance status to stop being reliant on a decade-old private communication from Tom Albertson! In my view, if Microsoft wants CAs to do something that's contrary to RFC5280, then Microsoft really needs
to state this in their public root program policy requirements (either directly by including explicit language, or indirectly by incorporating a CABForum specification that states this). The public requirements are what our auditors are going to look at and
judge us on.<br>
</div>
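<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
<br>
[Editor's note, added example.] The rules debated in the quoted thread below are easy to check mechanically: RFC 5280 (5.3.2) defines the Invalidity Date CRL entry extension (OID 2.5.29.24, a GeneralizedTime) as distinct from the entry's revocationDate field; Tim's option (1) says that if both dates appear they MUST agree; Rob's proposal says the Invalidity Date extension MUST NOT be present because revocationDate already carries the invalidity date. The Python below is an added editorial example, not code from Sectigo, DigiCert, Entrust or the CA/Browser Forum. It hand-encodes a constructed revokedCertificates SEQUENCE containing three entries in the styles the thread describes (Microsoft-style, both dates agreeing, and strict RFC 5280 with differing dates), decodes it again with a minimal stdlib-only DER reader, and reports which entries each candidate rule would flag. The serials and timestamps are made up; the OID and the UTCTime/GeneralizedTime encodings are from RFC 5280.
</div>

```python
"""Lint CRL entries for the revocationDate / Invalidity Date rules under
discussion.  Stdlib only: a tiny DER encoder builds a constructed
revokedCertificates SEQUENCE, a tiny DER decoder reads it back, and each
candidate rule is applied per entry.  Example code, not any CA's code."""
from datetime import datetime, timezone
from typing import Optional

INVALIDITY_DATE_OID = b"\x55\x1d\x18"  # id-ce-invalidityDate, 2.5.29.24


# --- minimal DER encoding, just enough for revokedCertificates -----------
def der_tlv(tag: int, body: bytes) -> bytes:
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:  # long-form length for larger CRLs
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body


def der_int(v: int) -> bytes:  # two's-complement INTEGER (serialNumber)
    return der_tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big", signed=True))


def der_utctime(t: datetime) -> bytes:  # revocationDate (Time) before 2050
    return der_tlv(0x17, t.strftime("%y%m%d%H%M%SZ").encode())


def der_gentime(t: datetime) -> bytes:  # InvalidityDate is GeneralizedTime
    return der_tlv(0x18, t.strftime("%Y%m%d%H%M%SZ").encode())


def crl_entry(serial: int, revocation: datetime, invalidity: Optional[datetime]) -> bytes:
    body = der_int(serial) + der_utctime(revocation)
    if invalidity is not None:
        ext = der_tlv(0x30, der_tlv(0x06, INVALIDITY_DATE_OID)      # Extension
                      + der_tlv(0x04, der_gentime(invalidity)))     # extnValue
        body += der_tlv(0x30, ext)                                  # crlEntryExtensions
    return der_tlv(0x30, body)


# --- minimal DER decoding --------------------------------------------------
def der_read(buf: bytes, pos: int = 0):
    """Return (tag, body, next_pos) for the TLV starting at buf[pos]."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n


def der_children(body: bytes):
    pos = 0
    while pos < len(body):
        tag, val, pos = der_read(body, pos)
        yield tag, val


def parse_time(tag: int, val: bytes) -> datetime:
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(val.decode(), fmt).replace(tzinfo=timezone.utc)


def parse_revoked(der: bytes) -> list:
    """Decode a revokedCertificates SEQUENCE into one dict per entry."""
    tag, body, _ = der_read(der)
    assert tag == 0x30, "expected SEQUENCE OF revoked entries"
    entries = []
    for _, ebody in der_children(body):
        fields = list(der_children(ebody))
        serial = int.from_bytes(fields[0][1], "big", signed=True)
        revocation = parse_time(*fields[1])
        invalidity = None
        if len(fields) > 2:  # crlEntryExtensions present
            for _, ext in der_children(fields[2][1]):
                parts = list(der_children(ext))
                if parts[0][1] == INVALIDITY_DATE_OID:
                    invalidity = parse_time(*der_read(parts[-1][1])[:2])  # skip critical flag if any
        entries.append({"serial": serial, "revocationDate": revocation,
                        "invalidityDate": invalidity})
    return entries


# --- the two candidate rules from the thread -------------------------------
def lint(entry: dict, rule: str) -> list:
    """rule "agree":  if both dates appear they MUST agree (option 1).
       rule "absent": Invalidity Date extension MUST NOT be present."""
    rd, inv = entry["revocationDate"], entry["invalidityDate"]
    if inv is None:
        return []
    if rule == "absent":
        return ["Invalidity Date extension present"]
    if rule == "agree" and inv != rd:
        return [f"invalidityDate {inv:%Y-%m-%dT%H:%M:%SZ} != revocationDate {rd:%Y-%m-%dT%H:%M:%SZ}"]
    return []


def lint_all(der: bytes, rule: str) -> dict:
    return {e["serial"]: lint(e, rule) for e in parse_revoked(der)}


# Constructed sample (made-up serials and times), three styles from the thread.
T_REVOKED = datetime(2021, 9, 22, 19, 35, 0, tzinfo=timezone.utc)
T_INVALID = datetime(2021, 9, 1, 0, 0, 0, tzinfo=timezone.utc)
SAMPLE_CRL_ENTRIES = der_tlv(0x30,
    crl_entry(0x1001, T_INVALID, None)          # Microsoft-style: revocationDate = invalidity date
    + crl_entry(0x1002, T_INVALID, T_INVALID)   # both present, agreeing
    + crl_entry(0x1003, T_REVOKED, T_INVALID))  # RFC 5280 style: dates differ

if __name__ == "__main__":
    for rule in ("agree", "absent"):
        print(rule, lint_all(SAMPLE_CRL_ENTRIES, rule))
```

<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
Run against the constructed sample, the "agree" rule flags only the third entry (differing dates), while the "absent" rule flags the second and third (any Invalidity Date at all). Pointing the same decoder at the revokedCertificates field of a real CRL's TBSCertList would let a CA confirm which of the two behaviours it actually ships before a ballot fixes one of them.
</div>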
<div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
<br>
<hr tabindex="-1" style="display:inline-block; width:98%">
<b>From:</b> Bruce Morton<br>
<b>Sent:</b> Wednesday, September 22, 2021 20:35<br>
<b>To:</b> Tim Hollebeek; Rob Stradling; cscwg-public@cabforum.org; Corey Bonnell<br>
<b>Subject:</b> RE: CRL Revocation Date Clarification Pre-Ballot
<div><br>
</div>
</div>
<div class="rps_d54">
<div style="word-wrap:break-word" lang="EN-US">
<div class="x_WordSection1">
<p class="x_MsoNormal" style="margin-top: 0px; margin-bottom: 0px;margin:0in; font-size:11pt; font-family:"Calibri",sans-serif">
I’m in agreement with the direction. I think we need to confirm the SHALL(s) and/or the SHOULD(s) and allow some time for the CAs to get implemented.</p>
<p class="x_MsoNormal" style="margin-top: 0px; margin-bottom: 0px;margin:0in; font-size:11pt; font-family:"Calibri",sans-serif">
</p>
<p class="x_MsoNormal" style="margin-top: 0px; margin-bottom: 0px;margin:0in; font-size:11pt; font-family:"Calibri",sans-serif">
Thanks, Bruce.</p>
<p class="x_MsoNormal" style="margin-top: 0px; margin-bottom: 0px;margin:0in; font-size:11pt; font-family:"Calibri",sans-serif">
</p>
<div>
<div style="border:none; border-top:solid #E1E1E1 1.0pt; padding:3.0pt 0in 0in 0in">
<p class="x_MsoNormal" style="margin-top: 0px; margin-bottom: 0px;margin:0in; font-size:11pt; font-family:"Calibri",sans-serif">
<b>From:</b> Tim Hollebeek <tim.hollebeek@digicert.com> <br>
<b>Sent:</b> Wednesday, September 22, 2021 3:33 PM<br>
<b>To:</b> Rob Stradling <rob@sectigo.com>; Bruce Morton <Bruce.Morton@entrust.com>; cscwg-public@cabforum.org; Corey Bonnell <Corey.Bonnell@digicert.com><br>
<b>Subject:</b> [EXTERNAL] RE: CRL Revocation Date Clarification Pre-Ballot</p>
</div>
</div>
<p class="x_MsoNormal" style="margin-top: 0px; margin-bottom: 0px;margin:0in; font-size:11pt; font-family:"Calibri",sans-serif">
</p>
<p class="x_MsoNormal" style="margin-top: 0px; margin-bottom: 0px;margin:0in; font-size:11pt; font-family:"Calibri",sans-serif">
WARNING: This email originated outside of Entrust.<br>
DO NOT CLICK links or attachments unless you trust the sender and know the content is safe.</p>
<div class="x_MsoNormal" style="margin:0in; font-size:11pt; font-family:"Calibri",sans-serif; text-align:center" align="center">
<hr width="100%" size="2" align="center">
</div>
<p class="x_MsoNormal" style="margin-top: 0px; margin-bottom: 0px;margin:0in; font-size:11pt; font-family:"Calibri",sans-serif">
Yeah, if there isn’t a good reason to allow what I called (2), I’m also fine with banning invalidityDate, with a reasonable implementation timeline for CAs that have historically had a different interpretation, since at least one seems to exist. I don’t really
see any reason to force people to rush this, since it’s really just a minor ecosystem cleanup. And I do have a lot of sympathy for people who implemented traditional RFC 5280 behavior instead of the Microsoft-specific behavior.</p>
<p class="x_MsoNormal" style="margin-top: 0px; margin-bottom: 0px;margin:0in; font-size:11pt; font-family:"Calibri",sans-serif">
</p>
<p class="x_MsoNormal" style="margin-top: 0px; margin-bottom: 0px;margin:0in; font-size:11pt; font-family:"Calibri",sans-serif">
-Tim</p>
<p class="x_MsoNormal" style="margin-top: 0px; margin-bottom: 0px;margin:0in; font-size:11pt; font-family:"Calibri",sans-serif">
</p>
<div style="border:none; border-left:solid blue 1.5pt; padding:0in 0in 0in 4.0pt">
<div>
<div style="border:none; border-top:solid #E1E1E1 1.0pt; padding:3.0pt 0in 0in 0in">
<p class="x_MsoNormal" style="margin-top: 0px; margin-bottom: 0px;margin:0in; font-size:11pt; font-family:"Calibri",sans-serif">
<b>From:</b> Rob Stradling <<a href="mailto:rob@sectigo.com" target="_blank" rel="noopener noreferrer">rob@sectigo.com</a>>
<br>
<b>Sent:</b> Wednesday, September 22, 2021 12:47 PM<br>
<b>To:</b> Tim Hollebeek <<a href="mailto:tim.hollebeek@digicert.com" target="_blank" rel="noopener noreferrer">tim.hollebeek@digicert.com</a>>; Bruce Morton <<a href="mailto:bruce.morton@entrust.com" target="_blank" rel="noopener noreferrer">bruce.morton@entrust.com</a>>;
<a href="mailto:cscwg-public@cabforum.org" target="_blank" rel="noopener noreferrer">
cscwg-public@cabforum.org</a>; Corey Bonnell <<a href="mailto:Corey.Bonnell@digicert.com" target="_blank" rel="noopener noreferrer">Corey.Bonnell@digicert.com</a>><br>
<b>Subject:</b> Re: CRL Revocation Date Clarification Pre-Ballot</p>
</div>
</div>
<p class="x_MsoNormal" style="margin-top: 0px; margin-bottom: 0px;margin:0in; font-size:11pt; font-family:"Calibri",sans-serif">
</p>
<div>
<p class="x_MsoNormal" style="margin-top: 0px; margin-bottom: 0px;margin:0in; font-size:11pt; font-family:"Calibri",sans-serif">
<span style="font-size:12.0pt; color:black">> Once you make an allowance for the revocationDate to be the date of invalidity, there is no longer a reason for the two dates to be different, as they are both the date of invalidity. It appears reasonable to me
to require that if they both appear, they agree.</span></p>
</div>
<div>
<p class="x_MsoNormal" style="margin-top: 0px; margin-bottom: 0px;margin:0in; font-size:11pt; font-family:"Calibri",sans-serif">
<span style="font-size:12.0pt; color:black"> </span></p>
</div>
<div>
<p class="x_MsoNormal" style="margin-top: 0px; margin-bottom: 0px;margin:0in; font-size:11pt; font-family:"Calibri",sans-serif">
<span style="font-size:12.0pt; color:black">+1</span></p>
</div>
<div>
<p class="x_MsoNormal" style="margin-top: 0px; margin-bottom: 0px;margin:0in; font-size:11pt; font-family:"Calibri",sans-serif">
<span style="font-size:12.0pt; color:black"> </span></p>
</div>
<div>
<p class="x_MsoNormal" style="margin-top: 0px; margin-bottom: 0px;margin:0in; font-size:11pt; font-family:"Calibri",sans-serif">
<span style="font-size:12.0pt; color:black">> This won’t necessarily do what you want for Microsoft, but may make sense in other ecosystems.</span></p>
</div>
<div>
<p class="x_MsoNormal" style="margin-top: 0px; margin-bottom: 0px;margin:0in; font-size:11pt; font-family:"Calibri",sans-serif">
<span style="font-size:12.0pt; color:black"> </span></p>
</div>
<div>
<p class="x_MsoNormal" style="margin-top: 0px; margin-bottom: 0px;margin:0in; font-size:11pt; font-family:"Calibri",sans-serif">
<span style="font-size:12.0pt; color:black">Which other ecosystems do we expect to consume the Code Signing BRs? Do any of these ecosystems support the Invalidity Date extension? (I don't think it makes sense to make guesses about what may make sense
</span><span style="font-size:12.0pt; font-family:"Segoe UI Emoji",sans-serif; color:black">😉</span><span style="font-size:12.0pt; color:black"> ).</span></p>
</div>
<div>
<p class="x_MsoNormal" style="margin-top: 0px; margin-bottom: 0px;margin:0in; font-size:11pt; font-family:"Calibri",sans-serif">
<span style="font-size:12.0pt; color:black"> </span></p>
</div>
<div>
<p class="x_MsoNormal" style="margin-top: 0px; margin-bottom: 0px;margin:0in; font-size:11pt; font-family:"Calibri",sans-serif">
<span style="font-size:12.0pt; color:black">> I don’t think there’s a good reason to ban RFC 5280-compliant behavior here.</span></p>
</div>
<div>
<p class="x_MsoNormal" style="margin-top: 0px; margin-bottom: 0px;margin:0in; font-size:11pt; font-family:"Calibri",sans-serif">
<span style="font-size:12.0pt; color:black"> </span></p>
</div>
<div>
<p class="x_MsoNormal" style="margin-top: 0px; margin-bottom: 0px;margin:0in; font-size:11pt; font-family:"Calibri",sans-serif">
<span style="font-size:12.0pt; color:black">As I mentioned in the previous list thread on this topic: Sectigo is already banned (we believe) from using the RFC5280-compliant behaviour in Microsoft's ecosystem, because Tom Albertson sent us a private email on
behalf of the Microsoft Root Program asking us to always put the invalidity date in the revocationDate field, and because Ian said recently "we expect CAs to continue to use the RevocationDate field as they do today".</span></p>
</div>
<div>
<p class="x_MsoNormal" style="margin-top: 0px; margin-bottom: 0px;margin:0in; font-size:11pt; font-family:"Calibri",sans-serif">
<span style="font-size:12.0pt; color:black"> </span></p>
</div>
<div>
<p class="x_MsoNormal" style="margin-top: 0px; margin-bottom: 0px;margin:0in; font-size:11pt; font-family:"Calibri",sans-serif">
<span style="font-size:12.0pt; color:black">Unless there are other code signing ecosystems that support the Invalidity Date extension, I propose that we require the revocationDate field to hold the invalidity date and say "The Invalidity Date extension MUST
NOT be present", since there's no point bloating CRLs with two copies of each invalidity date and because this approach would sidestep the question of what to do if the revocationDate field and the Invalidity Date extension differ.</span></p>
</div>
<div>
<div>
<p class="x_MsoNormal" style="margin-top: 0px; margin-bottom: 0px;margin:0in; font-size:11pt; font-family:"Calibri",sans-serif">
<span style="font-size:12.0pt; color:black"> </span></p>
<div class="x_MsoNormal" style="margin:0in; font-size:11pt; font-family:"Calibri",sans-serif; text-align:center" align="center">
<span style="font-size:12.0pt; color:black">
<hr width="98%" size="2" align="center">
</span></div>
<p class="x_MsoNormal" style="margin-top: 0px; margin-bottom: 0px;margin:0in; font-size:11pt; font-family:"Calibri",sans-serif">
<b><span style="font-size:12.0pt; color:black">From:</span></b><span style="font-size:12.0pt; color:black"> Tim Hollebeek<br>
<b>Sent:</b> Wednesday, September 22, 2021 17:27<br>
<b>To:</b> Bruce Morton; Rob Stradling; <a href="mailto:cscwg-public@cabforum.org" target="_blank" rel="noopener noreferrer">
cscwg-public@cabforum.org</a>; Corey Bonnell<br>
<b>Subject:</b> RE: CRL Revocation Date Clarification Pre-Ballot </span></p>
<div>
<p class="x_MsoNormal" style="margin-top: 0px; margin-bottom: 0px;margin:0in; font-size:11pt; font-family:"Calibri",sans-serif">
<span style="font-size:12.0pt; color:black"> </span></p>
</div>
</div>
<div>
<div>
<div>
<p class="x_xmsonormal" style="margin-top: 0px; margin-bottom: 0px;margin:0in; font-size:11pt; font-family:"Calibri",sans-serif">
My understanding is that the RFC 5280 language about them being different is because the revocationDate is the date of revocation and the invalidityDate is the (probably retroactive) date of invalidity. These can be and often are different.<span style="font-size:12.0pt; font-family:"MS PGothic",sans-serif"></span></p>
<p class="x_xmsonormal" style="margin-top: 0px; margin-bottom: 0px;margin:0in; font-size:11pt; font-family:"Calibri",sans-serif">
<span style="font-size:12.0pt; font-family:"MS PGothic",sans-serif"></span></p>
<p class="x_xmsonormal" style="margin-top: 0px; margin-bottom: 0px;margin:0in; font-size:11pt; font-family:"Calibri",sans-serif">
Our intent with the Code Signing BRs is to align the CSBRs with existing Microsoft practice and implementation, where the revocationDate is intended to be the (probably retroactive) date of invalidity, and the invalidity date is ignored.<span style="font-size:12.0pt; font-family:"MS PGothic",sans-serif"></span></p>
<p class="x_xmsonormal" style="margin-top: 0px; margin-bottom: 0px;margin:0in; font-size:11pt; font-family:"Calibri",sans-serif">
<span style="font-size:12.0pt; font-family:"MS PGothic",sans-serif"></span></p>
<p class="x_xmsonormal" style="margin-top: 0px; margin-bottom: 0px;margin:0in; font-size:11pt; font-family:"Calibri",sans-serif">
Once you make an allowance for the revocationDate to be the date of invalidity, there is no longer a reason for the two dates to be different, as they are both the date of invalidity. It appears reasonable to me to require that if they both appear, they agree.<span style="font-size:12.0pt; font-family:"MS PGothic",sans-serif"></span></p>
<p class="x_xmsonormal" style="margin-top: 0px; margin-bottom: 0px;margin:0in; font-size:11pt; font-family:"Calibri",sans-serif">
<span style="font-size:12.0pt; font-family:"MS PGothic",sans-serif"></span></p>
<p class="x_xmsonormal" style="margin-top: 0px; margin-bottom: 0px;margin:0in; font-size:11pt; font-family:"Calibri",sans-serif">
What I think I’m hearing you say is that there should be an allowance for RFC 5280 compliant behavior as well, where the invalidityDate is present, but the revocationDate is the date of revocation. This won’t necessarily do what you want for Microsoft, but
may make sense in other ecosystems. Is that what you are saying?<span style="font-size:12.0pt; font-family:"MS PGothic",sans-serif"></span></p>
<p class="x_xmsonormal" style="margin-top: 0px; margin-bottom: 0px;margin:0in; font-size:11pt; font-family:"Calibri",sans-serif">
<span style="font-size:12.0pt; font-family:"MS PGothic",sans-serif"></span></p>
<p class="x_xmsonormal" style="margin-top: 0px; margin-bottom: 0px;margin:0in; font-size:11pt; font-family:"Calibri",sans-serif">
If so, I do think it might make sense to say and allow that if the revocationDate and invalidityDate are different, then the revocationDate must be the actual date of revocation. I don’t think there’s a good reason to ban RFC 5280-compliant behavior here.<span style="font-size:12.0pt; font-family:"MS PGothic",sans-serif"></span></p>
<p class="x_xmsonormal" style="margin-top: 0px; margin-bottom: 0px;margin:0in; font-size:11pt; font-family:"Calibri",sans-serif">
<span style="font-size:12.0pt; font-family:"MS PGothic",sans-serif"></span></p>
<p class="x_xmsonormal" style="margin-top: 0px; margin-bottom: 0px;margin:0in; font-size:11pt; font-family:"Calibri",sans-serif">
We’d end up with two allowed behaviors:<span style="font-size:12.0pt; font-family:"MS PGothic",sans-serif"></span></p>
<p class="x_xmsonormal" style="margin-top: 0px; margin-bottom: 0px;margin:0in; font-size:11pt; font-family:"Calibri",sans-serif">
<span style="font-size:12.0pt; font-family:"MS PGothic",sans-serif"></span></p>
<ol style="margin-bottom:0in; margin-top:0in" type="1">
<li class="x_xmsolistparagraph" style="margin-right:0in; margin-left:0in; font-size:11pt; font-family:"Calibri",sans-serif; margin-top:0in; margin-bottom:0in">
if the revocationDate is the invalidity date (for compatibility with the Microsoft implementation) then the invalidityDate, if it appears, must agree, or<span style="font-size:12.0pt; font-family:"MS PGothic",sans-serif"></span></li><li class="x_xmsolistparagraph" style="margin-right:0in; margin-left:0in; font-size:11pt; font-family:"Calibri",sans-serif; margin-top:0in; margin-bottom:0in">
if the revocationDate is the actual revocation date (for strict 5280 compliance), then the invalidityDate MAY be present and MAY be different.<span style="font-size:12.0pt; font-family:"MS PGothic",sans-serif"></span></li></ol>
<p class="x_xmsonormal" style="margin-top: 0px; margin-bottom: 0px;margin:0in; font-size:11pt; font-family:"Calibri",sans-serif">
<span style="font-size:12.0pt; font-family:"MS PGothic",sans-serif"></span></p>
<p class="x_xmsonormal" style="margin-top: 0px; margin-bottom: 0px;margin:0in; font-size:11pt; font-family:"Calibri",sans-serif">
This does make it ambiguous if just the revocationDate appears, whether it is the invalidity date or revocation date. This could be fixed by requiring the invalidityDate to be present for those who deviate from Microsoft expectations and adopt option (2).
I.e. if the only date that appears is revocationDate, it must be interpreted as an invalidity date.<span style="font-size:12.0pt; font-family:"MS PGothic",sans-serif"></span></p>
<p class="x_xmsonormal" style="margin-top: 0px; margin-bottom: 0px;margin:0in; font-size:11pt; font-family:"Calibri",sans-serif">
<span style="font-size:12.0pt; font-family:"MS PGothic",sans-serif"></span></p>
<p class="x_xmsonormal" style="margin-top: 0px; margin-bottom: 0px;margin:0in; font-size:11pt; font-family:"Calibri",sans-serif">
-Tim<span style="font-size:12.0pt; font-family:"MS PGothic",sans-serif"></span></p>
<p class="x_xmsonormal" style="margin-top: 0px; margin-bottom: 0px;margin:0in; font-size:11pt; font-family:"Calibri",sans-serif">
<span style="font-size:12.0pt; font-family:"MS PGothic",sans-serif"></span></p>
<p class="x_xmsonormal" style="margin-top: 0px; margin-bottom: 0px;margin:0in; font-size:11pt; font-family:"Calibri",sans-serif">
<span style="font-size:12.0pt; font-family:"MS PGothic",sans-serif"></span></p>
<div style="border:none; border-left:solid blue 1.5pt; padding:0in 0in 0in 4.0pt">
<div>
<div style="border:none; border-top:solid #E1E1E1 1.0pt; padding:3.0pt 0in 0in 0in">
<p class="x_xmsonormal" style="margin-top: 0px; margin-bottom: 0px;margin:0in; font-size:11pt; font-family:"Calibri",sans-serif">
<b>From:</b> Bruce Morton <<a href="mailto:Bruce.Morton@entrust.com" target="_blank" rel="noopener noreferrer">Bruce.Morton@entrust.com</a>>
<br>
<b>Sent:</b> Wednesday, September 22, 2021 11:51 AM<br>
<b>To:</b> Tim Hollebeek <<a href="mailto:tim.hollebeek@digicert.com" target="_blank" rel="noopener noreferrer">tim.hollebeek@digicert.com</a>>; Rob Stradling <<a href="mailto:rob@sectigo.com" target="_blank" rel="noopener noreferrer">rob@sectigo.com</a>>;
<a href="mailto:cscwg-public@cabforum.org" target="_blank" rel="noopener noreferrer">
cscwg-public@cabforum.org</a>; Corey Bonnell <<a href="mailto:Corey.Bonnell@digicert.com" target="_blank" rel="noopener noreferrer">Corey.Bonnell@digicert.com</a>><br>
<b>Subject:</b> RE: CRL Revocation Date Clarification Pre-Ballot<span style="font-size:12.0pt; font-family:"MS PGothic",sans-serif"></span></p>
</div>
</div>
<p class="x_xmsonormal" style="margin-top: 0px; margin-bottom: 0px;margin:0in; font-size:11pt; font-family:"Calibri",sans-serif">
<span style="font-size:12.0pt; font-family:"MS PGothic",sans-serif"> </span></p>
<p class="x_xmsonormal" style="margin-top: 0px; margin-bottom: 0px;margin:0in; font-size:11pt; font-family:"Calibri",sans-serif">
The issue with invalidityDate is that if you are currently using both invalidityDate and revocationDate per RFC 5280, we are saying that we would require that invalidityDate be used incorrectly. Why?
<span style="font-size:12.0pt; font-family:"MS PGothic",sans-serif"></span></p>
<p class="x_xmsonormal" style="margin-top: 0px; margin-bottom: 0px;margin:0in; font-size:11pt; font-family:"Calibri",sans-serif">
<span style="font-size:12.0pt; font-family:"MS PGothic",sans-serif"></span></p>
<p class="x_xmsonormal" style="margin-top: 0px; margin-bottom: 0px;margin:0in; font-size:11pt; font-family:"Calibri",sans-serif">
I think this ballot should be about providing an RFC exception for revocationDate.<span style="font-size:12.0pt; font-family:"MS PGothic",sans-serif"></span></p>
<p class="x_xmsonormal" style="margin-top: 0px; margin-bottom: 0px;margin:0in; font-size:11pt; font-family:"Calibri",sans-serif">
<span style="font-size:12.0pt; font-family:"MS PGothic",sans-serif"></span></p>
<p class="x_xmsonormal" style="margin-top: 0px; margin-bottom: 0px;margin:0in; font-size:11pt; font-family:"Calibri",sans-serif">
Bruce.<span style="font-size:12.0pt; font-family:"MS PGothic",sans-serif"></span></p>
<p class="x_xmsonormal" style="margin-top: 0px; margin-bottom: 0px;margin:0in; font-size:11pt; font-family:"Calibri",sans-serif">
<span style="font-size:12.0pt; font-family:"MS PGothic",sans-serif"></span></p>
<div>
<div style="border:none; border-top:solid #E1E1E1 1.0pt; padding:3.0pt 0in 0in 0in">
<p class="x_xmsonormal" style="margin-top: 0px; margin-bottom: 0px;margin:0in; font-size:11pt; font-family:"Calibri",sans-serif">
<b>From:</b> Tim Hollebeek <<a href="mailto:tim.hollebeek@digicert.com" target="_blank" rel="noopener noreferrer">tim.hollebeek@digicert.com</a>>
<br>
<b>Sent:</b> Wednesday, September 22, 2021 11:39 AM<br>
<b>To:</b> Rob Stradling <<a href="mailto:rob@sectigo.com" target="_blank" rel="noopener noreferrer">rob@sectigo.com</a>>;
<a href="mailto:cscwg-public@cabforum.org" target="_blank" rel="noopener noreferrer">
cscwg-public@cabforum.org</a>; Corey Bonnell <<a href="mailto:Corey.Bonnell@digicert.com" target="_blank" rel="noopener noreferrer">Corey.Bonnell@digicert.com</a>>; Bruce Morton <<a href="mailto:Bruce.Morton@entrust.com" target="_blank" rel="noopener noreferrer">Bruce.Morton@entrust.com</a>><br>
<b>Subject:</b> [EXTERNAL] RE: CRL Revocation Date Clarification Pre-Ballot<span style="font-size:12.0pt; font-family:"MS PGothic",sans-serif"></span></p>
</div>
</div>
<p class="x_xmsonormal" style="margin-top: 0px; margin-bottom: 0px;margin:0in; font-size:11pt; font-family:"Calibri",sans-serif">
<span style="font-size:12.0pt; font-family:"MS PGothic",sans-serif"> </span></p>
<div class="x_MsoNormal" style="margin:0in; font-size:11pt; font-family:"Calibri",sans-serif; text-align:center" align="center">
<span style="font-size:12.0pt; font-family:"MS PGothic",sans-serif">
<hr width="100%" size="1" align="center">
</span></div>
<p class="x_xmsonormal" style="margin-top: 0px; margin-bottom: 0px;margin:0in; font-size:11pt; font-family:"Calibri",sans-serif">
I prefer the former, since it doesn’t appear that any Certificate Consumer has any plans to consume the Invalidity Date, even in the future. And “substantial portion” is just going to cause arguments … it’s better to remain silent on the issue until there’s a
concrete consumer with actual plans to implement.<span style="font-size:12.0pt; font-family:"MS PGothic",sans-serif"></span></p>
<p class="x_xmsonormal" style="margin-top: 0px; margin-bottom: 0px;margin:0in; font-size:11pt; font-family:"Calibri",sans-serif">
<span style="font-size:12.0pt; font-family:"MS PGothic",sans-serif"></span></p>
<p class="x_xmsonormal" style="margin-top: 0px; margin-bottom: 0px;margin:0in; font-size:11pt; font-family:"Calibri",sans-serif">
Bruce, what’s the concern with having the requirement that the invalidity date, if present, must be the same date? Certificates with two different dates are going to confuse a lot of people, and it seems completely unnecessary to allow them, unless I’m missing
a use case, which I very well could be.<span style="font-size:12.0pt; font-family:"MS PGothic",sans-serif"></span></p>
<p class="x_xmsonormal" style="margin-top: 0px; margin-bottom: 0px;margin:0in; font-size:11pt; font-family:"Calibri",sans-serif">
<span style="font-size:12.0pt; font-family:"MS PGothic",sans-serif"></span></p>
<p class="x_xmsonormal" style="margin-top: 0px; margin-bottom: 0px;margin:0in; font-size:11pt; font-family:"Calibri",sans-serif">
-Tim<span style="font-size:12.0pt; font-family:"MS PGothic",sans-serif"></span></p>
<p class="x_xmsonormal" style="margin-top: 0px; margin-bottom: 0px;margin:0in; font-size:11pt; font-family:"Calibri",sans-serif">
<span style="font-size:12.0pt; font-family:"MS PGothic",sans-serif"></span></p>
<div style="border:none; border-left:solid blue 1.5pt; padding:0in 0in 0in 4.0pt">
<div>
<div style="border:none; border-top:solid #E1E1E1 1.0pt; padding:3.0pt 0in 0in 0in">
<p class="x_xmsonormal" style="margin-top: 0px; margin-bottom: 0px;margin:0in; font-size:11pt; font-family:"Calibri",sans-serif">
<b>From:</b> Cscwg-public <<a href="mailto:cscwg-public-bounces@cabforum.org" target="_blank" rel="noopener noreferrer">cscwg-public-bounces@cabforum.org</a>>
<b>On Behalf Of </b>Rob Stradling via Cscwg-public<br>
<b>Sent:</b> Tuesday, September 21, 2021 11:49 AM<br>
<b>To:</b> Corey Bonnell <<a href="mailto:Corey.Bonnell@digicert.com" target="_blank" rel="noopener noreferrer">Corey.Bonnell@digicert.com</a>>;
<a href="mailto:cscwg-public@cabforum.org" target="_blank" rel="noopener noreferrer">
cscwg-public@cabforum.org</a>; Bruce Morton <<a href="mailto:bruce.morton@entrust.com" target="_blank" rel="noopener noreferrer">bruce.morton@entrust.com</a>><br>
<b>Subject:</b> Re: [Cscwg-public] CRL Revocation Date Clarification Pre-Ballot<span style="font-size:12.0pt; font-family:"MS PGothic",sans-serif"></span></p>
</div>
</div>
<p class="x_xmsonormal" style="margin-top: 0px; margin-bottom: 0px;margin:0in; font-size:11pt; font-family:"Calibri",sans-serif">
<span style="font-size:12.0pt; font-family:"MS PGothic",sans-serif"> </span></p>
<div>
<p class="x_xmsonormal" style="margin-top: 0px; margin-bottom: 0px;margin:0in; font-size:11pt; font-family:"Calibri",sans-serif">
<span style="font-size:12.0pt; color:black; background:white">I think it's valuable for CABForum documents to explicitly call out deviations from RFC5280, but I'd take a different approach to Bruce's suggestion...</span><span style="font-size:12.0pt; font-family:"MS PGothic",sans-serif"></span></p>
</div>
<div>
<p class="x_xmsonormal" style="margin-top: 0px; margin-bottom: 0px;margin:0in; font-size:11pt; font-family:"Calibri",sans-serif">
<span style="font-size:12.0pt; color:black"> </span><span style="font-size:12.0pt; font-family:"MS PGothic",sans-serif"></span></p>
</div>
<div>
<p class="x_xmsonormal" style="margin-top: 0px; margin-bottom: 0px;margin:0in; font-size:11pt; font-family:"Calibri",sans-serif">
<span style="font-size:12.0pt; color:black">In the Server Certificate BRs, "Application of RFC 5280" describes a scenario (Precertificates) where RFC5280 does
<u>not</u> apply at all; whereas what I think we're trying to do here is specify that RFC5280
<u>does</u> apply (to CRLs) except for one required deviation (i.e., "revocationDate" MUST match the RFC5280 semantics for Invalidity Date, rather than necessarily be "The date on which the revocation occurred"). Deviation is not "Application", in my view.</span><span style="font-size:12.0pt; font-family:"MS PGothic",sans-serif"></span></p>
</div>
<div>
<p class="x_xmsonormal" style="margin-top: 0px; margin-bottom: 0px;margin:0in; font-size:11pt; font-family:"Calibri",sans-serif">
<span style="font-size:12.0pt; color:black"> </span><span style="font-size:12.0pt; font-family:"MS PGothic",sans-serif"></span></p>
</div>
<div>
<p class="x_xmsonormal" style="margin-top: 0px; margin-bottom: 0px;margin:0in; font-size:11pt; font-family:"Calibri",sans-serif">
<span style="font-size:12.0pt; color:black">I think the most similar concept in the Server Certificate BRs is the language about non-critical Name Constraints:</span><span style="font-size:12.0pt; font-family:"MS PGothic",sans-serif"></span></p>
</div>
<div>
<div>
<p class="x_xmsonormal" style="margin-top: 0px; margin-bottom: 0px;margin:0in; font-size:11pt; font-family:"Calibri",sans-serif">
<i><span style="font-size:12.0pt; color:black">"Non‐critical Name Constraints are an exception to RFC 5280 (4.2.1.10), however, they MAY be used until</span></i><span style="font-size:12.0pt; color:black">
</span><span style="font-size:12.0pt; font-family:"MS PGothic",sans-serif"></span></p>
<div>
<p class="x_xmsonormal" style="margin-top: 0px; margin-bottom: 0px;margin:0in; font-size:11pt; font-family:"Calibri",sans-serif">
<i><span style="font-size:12.0pt; color:black">the Name Constraints extension is supported by Application Software Suppliers whose software is used by</span></i><span style="font-size:12.0pt; font-family:"MS PGothic",sans-serif"></span></p>
</div>
<p class="x_xmsonormal" style="margin-top: 0px; margin-bottom: 0px;margin:0in; font-size:11pt; font-family:"Calibri",sans-serif">
<i><span style="font-size:12.0pt; color:black">a substantial portion of Relying Parties worldwide."</span></i><span style="font-size:12.0pt; font-family:"MS PGothic",sans-serif"></span></p>
</div>
<p class="x_xmsonormal" style="margin-top: 0px; margin-bottom: 0px;margin:0in; font-size:11pt; font-family:"Calibri",sans-serif">
<span style="font-size:12.0pt; color:black">The effect of this text is that RFC5280
<u>does</u> apply (to the Name Constraints extension) except for one required deviation (i.e., we permit the extension to be non-critical, at least for now).</span><span style="font-size:12.0pt; font-family:"MS PGothic",sans-serif"></span></p>
</div>
<div>
<p class="x_xmsonormal" style="margin-top: 0px; margin-bottom: 0px;margin:0in; font-size:11pt; font-family:"Calibri",sans-serif">
<span style="font-size:12.0pt; color:black"> </span><span style="font-size:12.0pt; font-family:"MS PGothic",sans-serif"></span></p>
</div>
<div>
<p class="x_xmsonormal" style="margin-top: 0px; margin-bottom: 0px;margin:0in; font-size:11pt; font-family:"Calibri",sans-serif">
<span style="font-size:12.0pt; color:black">How about adding this language to the ballot...</span><span style="font-size:12.0pt; font-family:"MS PGothic",sans-serif"></span></p>
</div>
<div>
<p class="x_xmsonormal" style="margin-top: 0px; margin-bottom: 0px;margin:0in; font-size:11pt; font-family:"Calibri",sans-serif">
<i><span style="font-size:12.0pt; color:black">"Permitting the "revocationDate" to be set earlier than the date on which the revocation occurred is an exception to RFC 5280 (5.1.2.6)."</span></i><span style="font-size:12.0pt; font-family:"MS PGothic",sans-serif"></span></p>
</div>
<div>
<p class="x_xmsonormal" style="margin-top: 0px; margin-bottom: 0px;margin:0in; font-size:11pt; font-family:"Calibri",sans-serif">
<span style="font-size:12.0pt; color:black"> </span><span style="font-size:12.0pt; font-family:"MS PGothic",sans-serif"></span></p>
</div>
<div>
<p class="x_xmsonormal" style="margin-top: 0px; margin-bottom: 0px;margin:0in; font-size:11pt; font-family:"Calibri",sans-serif">
<span style="font-size:12.0pt; color:black">Or, if we're hoping that this RFC5280 deviation will be temporary, how about...</span><span style="font-size:12.0pt; font-family:"MS PGothic",sans-serif"></span></p>
</div>
<div>
<p class="x_xmsonormal" style="margin-top: 0px; margin-bottom: 0px;margin:0in; font-size:11pt; font-family:"Calibri",sans-serif">
<i><span style="font-size:12.0pt; color:black; background:white">"Permitting the "revocationDate" to be set earlier than the date on which the revocation occurred is an exception to RFC 5280 (5.1.2.6); however, this MAY be done until the Invalidity Date extension
is supported by Application Software Suppliers whose software is used by a substantial portion of Relying Parties worldwide."</span></i><span style="font-size:12.0pt; font-family:"MS PGothic",sans-serif"></span></p>
</div>
<div>
<p class="x_xmsonormal" style="margin-top: 0px; margin-bottom: 0px;margin:0in; font-size:11pt; font-family:"Calibri",sans-serif">
<span style="font-size:12.0pt; color:black"> </span><span style="font-size:12.0pt; font-family:"MS PGothic",sans-serif"></span></p>
</div>
<div>
<p class="x_xmsonormal" style="margin-top: 0px; margin-bottom: 0px;margin:0in; font-size:11pt; font-family:"Calibri",sans-serif">
<span style="font-size:12.0pt; color:black; background:white">WDYT?</span><span style="font-size:12.0pt; font-family:"MS PGothic",sans-serif"></span></p>
</div>
<div>
<div>
<p class="x_xmsonormal" style="margin-top: 0px; margin-bottom: 0px;margin:0in; font-size:11pt; font-family:"Calibri",sans-serif">
<span style="font-size:12.0pt; color:black"> </span><span style="font-size:12.0pt; font-family:"MS PGothic",sans-serif"></span></p>
</div>
<div class="x_MsoNormal" style="margin:0in; font-size:11pt; font-family:"Calibri",sans-serif; text-align:center" align="center">
<span style="font-size:12.0pt; font-family:"MS PGothic",sans-serif">
<hr width="98%" size="1" align="center">
</span></div>
<div id="x_x_divRplyFwdMsg">
<p class="x_xmsonormal" style="margin-top: 0px; margin-bottom: 0px;margin:0in; font-size:11pt; font-family:"Calibri",sans-serif">
<b><span style="color:black">From:</span></b><span style="color:black"> Cscwg-public <<a href="mailto:cscwg-public-bounces@cabforum.org" target="_blank" rel="noopener noreferrer">cscwg-public-bounces@cabforum.org</a>> on behalf of Bruce Morton via Cscwg-public
<<a href="mailto:cscwg-public@cabforum.org" target="_blank" rel="noopener noreferrer">cscwg-public@cabforum.org</a>><br>
<b>Sent:</b> 21 September 2021 16:04<br>
<b>To:</b> Corey Bonnell <<a href="mailto:Corey.Bonnell@digicert.com" target="_blank" rel="noopener noreferrer">Corey.Bonnell@digicert.com</a>>;
<a href="mailto:cscwg-public@cabforum.org" target="_blank" rel="noopener noreferrer">
cscwg-public@cabforum.org</a> <<a href="mailto:cscwg-public@cabforum.org" target="_blank" rel="noopener noreferrer">cscwg-public@cabforum.org</a>><br>
<b>Subject:</b> Re: [Cscwg-public] CRL Revocation Date Clarification Pre-Ballot</span><span style="font-size:12.0pt; font-family:"MS PGothic",sans-serif">
</span></p>
<div>
<p class="x_xmsonormal" style="margin-top: 0px; margin-bottom: 0px;margin:0in; font-size:11pt; font-family:"Calibri",sans-serif">
<span style="font-size:12.0pt; font-family:"MS PGothic",sans-serif"> </span></p>
</div>
</div>
<div>
<div>
<div>
<p class="x_xxmsonormal" style="margin-top: 0px; margin-bottom: 0px;margin:0in; font-size:11pt; font-family:"Calibri",sans-serif">
Hi Corey,<span style="font-size:12.0pt; font-family:"MS PGothic",sans-serif"></span></p>
<p class="x_xxmsonormal" style="margin-top: 0px; margin-bottom: 0px;margin:0in; font-size:11pt; font-family:"Calibri",sans-serif">
<span style="font-size:12.0pt; font-family:"MS PGothic",sans-serif"></span></p>
<p class="x_xxmsonormal" style="margin-top: 0px; margin-bottom: 0px;margin:0in; font-size:11pt; font-family:"Calibri",sans-serif">
I was thinking that we would create a section similar to the BRs called “Application of RFC 5280.” We could have text that says, “For the purposes of clarification, the revocationDate MAY be set the same as the invalidityDate, which would mean that the revocationDate
may precede the date of issue of earlier CRLs.”<span style="font-size:12.0pt; font-family:"MS PGothic",sans-serif"></span></p>
<p class="x_xxmsonormal" style="margin-top: 0px; margin-bottom: 0px;margin:0in; font-size:11pt; font-family:"Calibri",sans-serif">
<span style="font-size:12.0pt; font-family:"MS PGothic",sans-serif"></span></p>
<p class="x_xxmsonormal" style="margin-top: 0px; margin-bottom: 0px;margin:0in; font-size:11pt; font-family:"Calibri",sans-serif">
I don’t think that we need to address or change the requirements for invalidityDate as this date is not used by Windows; however, it may be used by other applications per RFC 5280.<span style="font-size:12.0pt; font-family:"MS PGothic",sans-serif"></span></p>
<p class="x_xxmsonormal" style="margin-top: 0px; margin-bottom: 0px;margin:0in; font-size:11pt; font-family:"Calibri",sans-serif">
<span style="font-size:12.0pt; font-family:"MS PGothic",sans-serif"></span></p>
<p class="x_xxmsonormal" style="margin-top: 0px; margin-bottom: 0px;margin:0in; font-size:11pt; font-family:"Calibri",sans-serif">
<span style="font-size:12.0pt; font-family:"MS PGothic",sans-serif"></span></p>
<p class="x_xxmsonormal" style="margin-top: 0px; margin-bottom: 0px;margin:0in; font-size:11pt; font-family:"Calibri",sans-serif">
Bruce.<span style="font-size:12.0pt; font-family:"MS PGothic",sans-serif"></span></p>
<p class="x_xxmsonormal" style="margin-top: 0px; margin-bottom: 0px;margin:0in; font-size:11pt; font-family:"Calibri",sans-serif">
<span style="font-size:12.0pt; font-family:"MS PGothic",sans-serif"></span></p>
<div>
<div style="border:none; border-top:solid #E1E1E1 1.0pt; padding:3.0pt 0in 0in 0in">
<p class="x_xxmsonormal" style="margin-top: 0px; margin-bottom: 0px;margin:0in; font-size:11pt; font-family:"Calibri",sans-serif">
<b>From:</b> Corey Bonnell <<a href="mailto:Corey.Bonnell@digicert.com" target="_blank" rel="noopener noreferrer">Corey.Bonnell@digicert.com</a>>
<br>
<b>Sent:</b> Tuesday, September 21, 2021 8:45 AM<br>
<b>To:</b> Bruce Morton <<a href="mailto:Bruce.Morton@entrust.com" target="_blank" rel="noopener noreferrer">Bruce.Morton@entrust.com</a>>;
<a href="mailto:cscwg-public@cabforum.org" target="_blank" rel="noopener noreferrer">
cscwg-public@cabforum.org</a><br>
<b>Subject:</b> [EXTERNAL] RE: CRL Revocation Date Clarification Pre-Ballot<span style="font-size:12.0pt; font-family:"MS PGothic",sans-serif"></span></p>
</div>
</div>
<p class="x_xxmsonormal" style="margin-top: 0px; margin-bottom: 0px;margin:0in; font-size:11pt; font-family:"Calibri",sans-serif">
Hi Bruce,<span style="font-size:12.0pt; font-family:"MS PGothic",sans-serif"></span></p>
<p class="x_xxmsonormal" style="margin-top: 0px; margin-bottom: 0px;margin:0in; font-size:11pt; font-family:"Calibri",sans-serif">
I interpreted Ian’s message from last week [1] as guidance that all CAs should be using the revocationDate to denote when the Code Signing Certificate is first invalid. Since Windows (Authenticode) does not consume the invalidityDate extension value when making
trust decisions, there is a negative security impact when CAs set the invalidityDate and revocationDate in the manner described in RFC 5280. This ballot codifies the guidance Ian shared so that the revocationDate is set uniformly across all CAs.<span style="font-size:12.0pt; font-family:"MS PGothic",sans-serif"></span></p>
<p class="x_xxmsonormal" style="margin-top: 0px; margin-bottom: 0px;margin:0in; font-size:11pt; font-family:"Calibri",sans-serif">
<span style="font-size:12.0pt; font-family:"MS PGothic",sans-serif"></span></p>
<p class="x_xxmsonormal" style="margin-top: 0px; margin-bottom: 0px;margin:0in; font-size:11pt; font-family:"Calibri",sans-serif">
Thanks,<span style="font-size:12.0pt; font-family:"MS PGothic",sans-serif"></span></p>
<p class="x_xxmsonormal" style="margin-top: 0px; margin-bottom: 0px;margin:0in; font-size:11pt; font-family:"Calibri",sans-serif">
Corey<span style="font-size:12.0pt; font-family:"MS PGothic",sans-serif"></span></p>
<p class="x_xxmsonormal" style="margin-top: 0px; margin-bottom: 0px;margin:0in; font-size:11pt; font-family:"Calibri",sans-serif">
<span style="font-size:12.0pt; font-family:"MS PGothic",sans-serif"></span></p>
<p class="x_xxmsonormal" style="margin-top: 0px; margin-bottom: 0px;margin:0in; font-size:11pt; font-family:"Calibri",sans-serif">
[1] <a href="https://lists.cabforum.org/pipermail/cscwg-public/2021-September/000532.html" target="_blank" rel="noopener noreferrer">
https://lists.cabforum.org/pipermail/cscwg-public/2021-September/000532.html</a><span style="font-size:12.0pt; font-family:"MS PGothic",sans-serif"></span></p>
<p class="x_xxmsonormal" style="margin-top: 0px; margin-bottom: 0px;margin:0in; font-size:11pt; font-family:"Calibri",sans-serif">
<span style="font-size:12.0pt; font-family:"MS PGothic",sans-serif"></span></p>
<div>
<div style="border:none; border-top:solid #E1E1E1 1.0pt; padding:3.0pt 0in 0in 0in">
<p class="x_xxmsonormal" style="margin-top: 0px; margin-bottom: 0px;margin:0in; font-size:11pt; font-family:"Calibri",sans-serif">
<b>From:</b> Bruce Morton <<a href="mailto:Bruce.Morton@entrust.com" target="_blank" rel="noopener noreferrer">Bruce.Morton@entrust.com</a>>
<br>
<b>Sent:</b> Monday, September 20, 2021 2:31 PM<br>
<b>To:</b> Corey Bonnell <<a href="mailto:Corey.Bonnell@digicert.com" target="_blank" rel="noopener noreferrer">Corey.Bonnell@digicert.com</a>>;
<a href="mailto:cscwg-public@cabforum.org" target="_blank" rel="noopener noreferrer">
cscwg-public@cabforum.org</a><br>
<b>Subject:</b> RE: CRL Revocation Date Clarification Pre-Ballot<span style="font-size:12.0pt; font-family:"MS PGothic",sans-serif"></span></p>
</div>
</div>
<p class="x_xxmsonormal" style="margin-top: 0px; margin-bottom: 0px;margin:0in; font-size:11pt; font-family:"Calibri",sans-serif">
<span style="font-size:12.0pt; font-family:"MS PGothic",sans-serif"></span></p>
<p class="x_xxmsonormal" style="margin-top: 0px; margin-bottom: 0px;margin:0in; font-size:11pt; font-family:"Calibri",sans-serif">
Hi Corey,<span style="font-size:12.0pt; font-family:"MS PGothic",sans-serif"></span></p>
<p class="x_xxmsonormal" style="margin-top: 0px; margin-bottom: 0px;margin:0in; font-size:11pt; font-family:"Calibri",sans-serif">
<span style="font-size:12.0pt; font-family:"MS PGothic",sans-serif"></span></p>
<p class="x_xxmsonormal" style="margin-top: 0px; margin-bottom: 0px;margin:0in; font-size:11pt; font-family:"Calibri",sans-serif">
Is there a reason that we cannot allow CAs to continue to use Revocation date and Invalidity date as per RFC 5280?<span style="font-size:12.0pt; font-family:"MS PGothic",sans-serif"></span></p>
<p class="x_xxmsonormal" style="margin-top: 0px; margin-bottom: 0px;margin:0in; font-size:11pt; font-family:"Calibri",sans-serif">
<span style="font-size:12.0pt; font-family:"MS PGothic",sans-serif"></span></p>
<p class="x_xxmsonormal" style="margin-top: 0px; margin-bottom: 0px;margin:0in; font-size:11pt; font-family:"Calibri",sans-serif">
My assumption is that we were going to allow the Revocation date to be a date earlier than the time the certificate was revoked. I am not seeing how this change would impact the Invalidity date.<span style="font-size:12.0pt; font-family:"MS PGothic",sans-serif"></span></p>
<p class="x_xxmsonormal" style="margin-top: 0px; margin-bottom: 0px;margin:0in; font-size:11pt; font-family:"Calibri",sans-serif">
<span style="font-size:12.0pt; font-family:"MS PGothic",sans-serif"></span></p>
<p class="x_xxmsonormal" style="margin-top: 0px; margin-bottom: 0px;margin:0in; font-size:11pt; font-family:"Calibri",sans-serif">
<span style="font-size:12.0pt; font-family:"MS PGothic",sans-serif"></span></p>
<p class="x_xxmsonormal" style="margin-top: 0px; margin-bottom: 0px;margin:0in; font-size:11pt; font-family:"Calibri",sans-serif">
Bruce.<span style="font-size:12.0pt; font-family:"MS PGothic",sans-serif"></span></p>
<p class="x_xxmsonormal" style="margin-top: 0px; margin-bottom: 0px;margin:0in; font-size:11pt; font-family:"Calibri",sans-serif">
<span style="font-size:12.0pt; font-family:"MS PGothic",sans-serif"></span></p>
<div>
<div style="border:none; border-top:solid #E1E1E1 1.0pt; padding:3.0pt 0in 0in 0in">
<p class="x_xxmsonormal" style="margin-top: 0px; margin-bottom: 0px;margin:0in; font-size:11pt; font-family:"Calibri",sans-serif">
<b>From:</b> Cscwg-public <<a href="mailto:cscwg-public-bounces@cabforum.org" target="_blank" rel="noopener noreferrer">cscwg-public-bounces@cabforum.org</a>>
<b>On Behalf Of </b>Corey Bonnell via Cscwg-public<br>
<b>Sent:</b> Monday, September 20, 2021 12:52 PM<br>
<b>To:</b> <a href="mailto:cscwg-public@cabforum.org" target="_blank" rel="noopener noreferrer">
cscwg-public@cabforum.org</a><br>
<b>Subject:</b> [EXTERNAL] [Cscwg-public] CRL Revocation Date Clarification Pre-Ballot<span style="font-size:12.0pt; font-family:"MS PGothic",sans-serif"></span></p>
</div>
</div>
<p class="x_xxmsonormal" style="margin-top: 0px; margin-bottom: 0px;margin:0in; font-size:11pt; font-family:"Calibri",sans-serif">
Hello,<span style="font-size:12.0pt; font-family:"MS PGothic",sans-serif"></span></p>
<p class="x_xxmsonormal" style="margin-top: 0px; margin-bottom: 0px;margin:0in; font-size:11pt; font-family:"Calibri",sans-serif">
As discussed last week, it would be valuable to ensure that there is clarity regarding how revocation/invalidity dates are encoded in CRLs so that relying party software can make the correct trust decisions regarding compromised code. Attached is a small change to 13.2.1 to reflect that the revocationDate CRL entry field shall be used to denote when a certificate is invalid. The proposed language allows for the Invalidity Date CRL entry extension to continue to appear, but the time encoded in it must be the same as the revocationDate for the entry. I don’t believe this causes issues with Windows CRL processing; please let me know if it does and I’ll remove the provision.<span style="font-size:12.0pt; font-family:"MS PGothic",sans-serif"></span></p>
<p class="x_xxmsonormal" style="margin-top: 0px; margin-bottom: 0px;margin:0in; font-size:11pt; font-family:"Calibri",sans-serif">
<span style="font-size:12.0pt; font-family:"MS PGothic",sans-serif"></span></p>
<p class="x_xxmsonormal" style="margin-top: 0px; margin-bottom: 0px;margin:0in; font-size:11pt; font-family:"Calibri",sans-serif">
For reference, here are the two proposed paragraphs to be added to 13.2.1:<span style="font-size:12.0pt; font-family:"MS PGothic",sans-serif"></span></p>
<p class="x_xxmsonormal" style="margin-top: 0px; margin-bottom: 0px;margin:0in; font-size:11pt; font-family:"Calibri",sans-serif">
<span style="font-size:12.0pt; font-family:"MS PGothic",sans-serif"></span></p>
<p class="x_xxmsonormal" style="margin-top: 0px; margin-bottom: 0px;margin:0in; font-size:11pt; font-family:"Calibri",sans-serif">
<span style="font-size:10.0pt; font-family:"Courier New"">If a Code Signing Certificate is revoked, and the CA later becomes aware of a more appropriate revocation date, then the CA MAY use that revocation date in subsequent CRL entries and OCSP responses for
that Code Signing Certificate.</span><span style="font-size:12.0pt; font-family:"MS PGothic",sans-serif"></span></p>
<p class="x_xxmsonormal" style="margin-top: 0px; margin-bottom: 0px;margin:0in; font-size:11pt; font-family:"Calibri",sans-serif">
<span style="font-size:10.0pt; font-family:"Courier New""> </span><span style="font-size:12.0pt; font-family:"MS PGothic",sans-serif"></span></p>
<p class="x_xxmsonormal" style="margin-top: 0px; margin-bottom: 0px;margin:0in; font-size:11pt; font-family:"Calibri",sans-serif">
<span style="font-size:10.0pt; font-family:"Courier New"">Effective 2022-02-01, if the CA includes the Invalidity Date CRL entry extension in a CRL entry for a Code Signing Certificate, then the time encoded in the Invalidity Date CRL extension SHALL be equal
to the time encoded in the revocationDate field of the CRL entry.</span><span style="font-size:12.0pt; font-family:"MS PGothic",sans-serif"></span></p>
<p class="x_xxmsonormal" style="margin-top: 0px; margin-bottom: 0px;margin:0in; font-size:11pt; font-family:"Calibri",sans-serif">
<span style="font-size:12.0pt; font-family:"MS PGothic",sans-serif"></span></p>
<p class="x_xxmsonormal" style="margin-top: 0px; margin-bottom: 0px;margin:0in; font-size:11pt; font-family:"Calibri",sans-serif">
Given that the revocation date is potentially security sensitive, I think it’s worthwhile to get this clarified prior to the RFC 3647/Pandoc effort. In addition to comments/questions on the proposed language, we’re looking for two endorsers.<span style="font-size:12.0pt; font-family:"MS PGothic",sans-serif"></span></p>
<p class="x_xxmsonormal" style="margin-top: 0px; margin-bottom: 0px;margin:0in; font-size:11pt; font-family:"Calibri",sans-serif">
<span style="font-size:12.0pt; font-family:"MS PGothic",sans-serif"></span></p>
<p class="x_xxmsonormal" style="margin-top: 0px; margin-bottom: 0px;margin:0in; font-size:11pt; font-family:"Calibri",sans-serif">
Thanks,<span style="font-size:12.0pt; font-family:"MS PGothic",sans-serif"></span></p>
<p class="x_xxmsonormal" style="margin-top: 0px; margin-bottom: 0px;margin:0in; font-size:11pt; font-family:"Calibri",sans-serif">
Corey<span style="font-size:12.0pt; font-family:"MS PGothic",sans-serif"></span></p>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</body>
</html>