<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head><body dir="auto"><div>Hi Man Ho.</div><div><br></div><div>Please see ballot 100 discussions for details and replies. </div><div><br></div><div>I reached out 18 months ago on this subject to ask people to liaise with other parties and was stopped, so now it seems strange to have people suggest we do this on the back of a vote to help a proportion of the community who have taken so actions.</div><div><br></div><div>I suggest we approve the wording and then discuss the issues in the next call, as there will be some CAs that did not make the 1st August deadline for OCSP, but they should have spoken up when Ballot 100 was discussed.</div><div><br>Sent from my iPhone</div><div><br>On 19 Jul 2013, at 03:08, "Man Ho (Certizen)" <<a href="mailto:manho@certizen.com">manho@certizen.com</a>> wrote:<br><br></div><div><span></span></div><blockquote type="cite"><div>
[I am operating a public CA in Hong Kong.]<br>
<br>
Tom and Kelvin have a point. We rely very much on third-party
software products such as Microsoft's to run our services. If this
ballot is rushed to a vote only for the benefit of <span style="color:windowtext">CAB Forum member CAs who have implemented
proprietary OCSP responders,</span> will it in fact cause some
other publicly trusted root CAs to be removed from the trust lists of
browsers?<br>
<br>
Will CAB Forum do a study on how many trusted root CAs can support
it?<br>
<br>
<br>
Man Ho<br>
<br>
<br>
<div class="moz-cite-prefix">On 7/19/2013 9:32 AM, Kelvin Yiu wrote:<br>
</div>
<blockquote cite="mid:5ac6fd05e36f416892e20f5e317ac644@BY2PR03MB190.namprd03.prod.outlook.com" type="cite">
<div class="WordSection1">
<p class="MsoNormal"><span style="color:#1F497D">[I am filling
in for Tom while he is enjoying some well-deserved time
off.]<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">It is
unfortunate that ballot 105 combined the OCSP issue with the
clarification of audit requirements for subCAs. If one of
the goals of ballot 105 is to provide some “breathing space”
to the August deadline on the OCSP issue, then it must
address the OCSP problem for all CAs, not just those who are
able to take advantage of name constraints.
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">I think it is
great that the CAB Forum is driving the use of name
constraints to reduce the burden for many customers who
manage a stable set of domains and to reduce the risks for the
entire PKI eco-system. It is even more important for the CAB
Forum to produce guidelines that can be fairly applied to
all CAs, even when there is an arbitrary self-imposed
deadline looming over us. <o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">Kelvin<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #E1E1E1
1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:windowtext">From:</span></b><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:windowtext">
<a class="moz-txt-link-abbreviated" href="mailto:public-bounces@cabforum.org">public-bounces@cabforum.org</a>
[<a class="moz-txt-link-freetext" href="mailto:public-bounces@cabforum.org">mailto:public-bounces@cabforum.org</a>]
<b>On Behalf Of </b>Steve Roylance<br>
<b>Sent:</b> Thursday, July 18, 2013 2:39 PM<br>
<b>To:</b> Stephen Davidson<br>
<b>Cc:</b> Rick Andrews; <a class="moz-txt-link-abbreviated" href="mailto:public@cabforum.org">public@cabforum.org</a><br>
<b>Subject:</b> Re: [cabfpub] Ballot 105 Technical
Constraints for Subordinate Certificate Authorities
yielding broader and safer PKI adoption.<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal">Hi Tom. <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">I agree with Stephen that we need to let
105 run its course and amend the wording now, as a number of
enterprise CAs will immediately fail to deliver on the BR
requirements (fully) come August 1st, yet they've been
willing to limit their domain exposure through name
constraints. <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">I'm fully behind additional language
tweaks above and beyond this ballot to help, and as you
recall I was an advocate of reaching out to CA platform and
OCSP providers, 18 months ago as all these companies have a
vested interest to be members of the CABForum.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Let's get this Ballot implemented and then
discuss at length what makes sense for the industry at
large. There are so many moving parts with CRLs, OCSP
stapling etc. that we need to consider all of them, but we need to
consider them in a timely fashion, and the ballot was written to
allow us some breathing space... as August is here now.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><br>
Sent from my iPhone<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><br>
On 18 Jul 2013, at 22:01, Stephen Davidson <<a moz-do-not-send="true" href="mailto:S.Davidson@quovadisglobal.com">S.Davidson@quovadisglobal.com</a>>
wrote:<o:p></o:p></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">I
agree that section 13.2.6 is a problem and am happy to
focus attention on that. The top CAs can readily adapt
their own in-house software – but this section created a
significant cost and obstacle for CAs that use
commercial software, and we may find in Q4 there are a
lot of small SSL players that don’t meet the
requirement.</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">However,
the intent of this ballot is to clarify the Mozilla
options for technical constraints in the context of the
BR, and to fill in some of the gaps on how to use them.
The link in with OCSP is simply a rattle-on from that,
and I would hope not to derail the overall ballot.</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">The
fact is that today all Enterprise CAs that are root
signed must comply with 13.2.6. With this ballot, if
they are audited, they will still need to comply with
13.2.6. If they are constrained, they will not. </span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">I
understand that the same conditions would also apply
with Certificate Transparency …</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> </span><o:p></o:p></p>
<div>
<div style="border:none;border-top:solid #B5C4DF
1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext">
<a moz-do-not-send="true" href="mailto:public-bounces@cabforum.org">public-bounces@cabforum.org</a>
[<a moz-do-not-send="true" href="mailto:public-bounces@cabforum.org">mailto:public-bounces@cabforum.org</a>]
<b>On Behalf Of </b>Rick Andrews<br>
<b>Sent:</b> Thursday, July 18, 2013 3:53 PM<br>
<b>To:</b> Tom Albertson; <a moz-do-not-send="true" href="mailto:public@cabforum.org">public@cabforum.org</a><br>
<b>Subject:</b> Re: [cabfpub] Ballot 105 Technical
Constraints for Subordinate Certificate Authorities
yielding broader and safer PKI adoption.</span><o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">I
tend to agree with Tom that the complexity and risk
might outweigh the potential benefit. And I’m not saying
that because I want the status quo – Symantec has moved
all its certs to our OCSP system that returns “unknown”
for unknown cert serial numbers.</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">The
intent of this ballot is to allow relying parties to
detect a certificate created by an attacker which has a
valid signature by virtue of hash collisions (the
attacker creates a fake cert that hashes to the same
value as a legitimate cert, and simply copies the good
</span></p></div></blockquote></div></blockquote></div></blockquote></body></html>