<html>
  <head>
    <meta content="text/html; charset=ISO-8859-1"
      http-equiv="Content-Type">
  </head>
  <body text="#000000" bgcolor="#FFFFFF">
    I pointed you to the deprecation schedule for Windows 8: January 10,
    2023<br>
    <br>
    <div class="moz-cite-prefix">On 4/22/2016 6:08 PM, Jeremy Rowley
      wrote:<br>
    </div>
    <blockquote
      cite="mid:618da8b5cb834a7ebf7836456ea5f1ff@EX2.corp.digicert.com"
      type="cite">
      <meta http-equiv="Content-Type" content="text/html;
        charset=ISO-8859-1">
      <meta name="Generator" content="Microsoft Word 15 (filtered
        medium)">
      <style><!--
/* Font Definitions */
@font-face
        {font-family:"Cambria Math";
        panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
        {font-family:Calibri;
        panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
        {font-family:Consolas;
        panose-1:2 11 6 9 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0in;
        margin-bottom:.0001pt;
        font-size:12.0pt;
        font-family:"Times New Roman",serif;
        color:black;}
a:link, span.MsoHyperlink
        {mso-style-priority:99;
        color:blue;
        text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
        {mso-style-priority:99;
        color:purple;
        text-decoration:underline;}
pre
        {mso-style-priority:99;
        mso-style-link:"HTML Preformatted Char";
        margin:0in;
        margin-bottom:.0001pt;
        font-size:10.0pt;
        font-family:"Courier New";
        color:black;}
p.msonormal0, li.msonormal0, div.msonormal0
        {mso-style-name:msonormal;
        mso-margin-top-alt:auto;
        margin-right:0in;
        mso-margin-bottom-alt:auto;
        margin-left:0in;
        font-size:12.0pt;
        font-family:"Times New Roman",serif;
        color:black;}
span.HTMLPreformattedChar
        {mso-style-name:"HTML Preformatted Char";
        mso-style-priority:99;
        mso-style-link:"HTML Preformatted";
        font-family:Consolas;
        color:black;}
span.EmailStyle20
        {mso-style-type:personal;
        font-family:"Calibri",sans-serif;
        color:windowtext;}
span.EmailStyle21
        {mso-style-type:personal-reply;
        font-family:"Calibri",sans-serif;
        color:windowtext;}
.MsoChpDefault
        {mso-style-type:export-only;
        font-size:10.0pt;}
@page WordSection1
        {size:8.5in 11.0in;
        margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
        {page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
      <div class="WordSection1">
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:windowtext">I
            think this depends on when Microsoft deprecates Windows 8. 
            <o:p></o:p></span></p>
        <p class="MsoNormal"><a moz-do-not-send="true"
            name="_MailEndCompose"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:windowtext"><o:p> </o:p></span></a></p>
        <div>
          <div style="border:none;border-top:solid #E1E1E1
            1.0pt;padding:3.0pt 0in 0in 0in">
            <p class="MsoNormal"><b><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:windowtext">From:</span></b><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:windowtext">
                Rich Smith [<a class="moz-txt-link-freetext" href="mailto:richard.smith@comodo.com">mailto:richard.smith@comodo.com</a>] <br>
                <b>Sent:</b> Friday, April 22, 2016 4:30 PM<br>
                <b>To:</b> Jeremy Rowley
                <a class="moz-txt-link-rfc2396E" href="mailto:jeremy.rowley@digicert.com"><jeremy.rowley@digicert.com></a><br>
                <b>Cc:</b> <a class="moz-txt-link-abbreviated" href="mailto:public@cabforum.org">public@cabforum.org</a><br>
                <b>Subject:</b> Re: [cabfpub] Proposed new ballot on IP
                Addresses in SANs<o:p></o:p></span></p>
          </div>
        </div>
        <p class="MsoNormal"><o:p> </o:p></p>
        <p class="MsoNormal" style="margin-bottom:12.0pt">OK, what's the
          phase-out period? Because anything less than 7 years is going
          to REQUIRE Microsoft to agree to start back-porting critical
          fixes to their older operating systems, and since it's been
          made abundantly clear on numerous occasions that this Forum
          has no power to enforce, or even set, requirements for PKI
          trust stores/browser vendors, what teeth do we possibly have to
          make sure that happens?<br>
          -Rich<o:p></o:p></p>
        <div>
          <p class="MsoNormal">On 4/22/2016 4:23 PM, Jeremy Rowley
            wrote:<o:p></o:p></p>
        </div>
        <blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
          <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:windowtext">That’s
              exactly why we should endorse with a phase out period.</span><o:p></o:p></p>
          <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:windowtext"> </span><o:p></o:p></p>
          <div>
            <div style="border:none;border-top:solid #E1E1E1
              1.0pt;padding:3.0pt 0in 0in 0in">
              <p class="MsoNormal"><b><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:windowtext">From:</span></b><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:windowtext">
                  <a moz-do-not-send="true"
                    href="mailto:public-bounces@cabforum.org">public-bounces@cabforum.org</a>
                  [<a moz-do-not-send="true"
                    href="mailto:public-bounces@cabforum.org">mailto:public-bounces@cabforum.org</a>]
                  <b>On Behalf Of </b>Rich Smith<br>
                  <b>Sent:</b> Friday, April 22, 2016 4:13 PM<br>
                  <b>To:</b> <a moz-do-not-send="true"
                    href="mailto:public@cabforum.org">public@cabforum.org</a><br>
                  <b>Subject:</b> Re: [cabfpub] Proposed new ballot on
                  IP Addresses in SANs</span><o:p></o:p></p>
            </div>
          </div>
          <p class="MsoNormal"> <o:p></o:p></p>
          <p class="MsoNormal" style="margin-bottom:12.0pt">I'd just
            like to also point out that, given Microsoft's apparent lack
            of interest in back-porting any of these changes to their
            PKI handling to anything older than Windows 10, and based
            upon this:<br>
            <a moz-do-not-send="true"
              href="http://windows.microsoft.com/en-us/windows/lifecycle">http://windows.microsoft.com/en-us/windows/lifecycle</a><br>
            any exception made will be with us until at least January
            10, 2023.  I don't really see that as something this group
            should endorse.<br>
            <br>
            -Rich<o:p></o:p></p>
          <div>
            <p class="MsoNormal">On 4/22/2016 3:44 PM, Ryan Sleevi
              wrote:<o:p></o:p></p>
          </div>
          <blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
            <div>
              <p class="MsoNormal"> <o:p></o:p></p>
              <div>
                <p class="MsoNormal"> <o:p></o:p></p>
                <div>
                  <p class="MsoNormal">On Fri, Apr 22, 2016 at 12:45 PM,
                    Peter Bowen <<a moz-do-not-send="true"
                      href="mailto:pzb@amzn.com" target="_blank">pzb@amzn.com</a>>
                    wrote:<o:p></o:p></p>
                  <blockquote style="border:none;border-left:solid
                    #CCCCCC 1.0pt;padding:0in 0in 0in
6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0in;margin-bottom:5.0pt">
                    <p class="MsoNormal">So it would seem that this
                      solution might not be the best option.<o:p></o:p></p>
                  </blockquote>
                  <div>
                    <p class="MsoNormal"> <o:p></o:p></p>
                  </div>
                  <div>
                    <p class="MsoNormal">"Not the best" isn't the goal.
                      It's "Don't violate RFC5280" that should be the
                      goal.<o:p></o:p></p>
                  </div>
                  <div>
                    <p class="MsoNormal"> <o:p></o:p></p>
                  </div>
                  <div>
                    <p class="MsoNormal">Multiple SANs is a complete
                      red-herring as to the issue. There's no
                      requirement that such certificates have them.<o:p></o:p></p>
                  </div>
                  <div>
                    <p class="MsoNormal"> <o:p></o:p></p>
                  </div>
                  <div>
                    <p class="MsoNormal">Common name deprecation is
                      equally a red-herring. If it offers a viable path
                      for these clients, without the attendant security
                      issues and *fundamental violation of RFC5280*,
                      it's worth exploring.<o:p></o:p></p>
                  </div>
                  <div>
                    <p class="MsoNormal"> <o:p></o:p></p>
                  </div>
                  <div>
                    <p class="MsoNormal">That there's been no further
                      explanation other than "Meh" is, unquestionably,
                      not a position we can endorse, but even moreso, a
                      policy of "Oh well, we'll violate them anyways" is
                      just grossly irresponsible.<o:p></o:p></p>
                  </div>
                  <div>
                    <p class="MsoNormal"> <o:p></o:p></p>
                  </div>
                  <blockquote style="border:none;border-left:solid
                    #CCCCCC 1.0pt;padding:0in 0in 0in
6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0in;margin-bottom:5.0pt">
                    <p class="MsoNormal">The best solution would be for
                      clients to be updated to follow RFC 2818 and check
                      iPAddress entries in the SAN.<o:p></o:p></p>
                  </blockquote>
                  <div>
                    <p class="MsoNormal"> <o:p></o:p></p>
                  </div>
                  <div>
                    <p class="MsoNormal">Indeed, and Microsoft can solve
                      this very easily, without the same risks and
                      compatibility issues of nameConstraints.<o:p></o:p></p>
                  </div>
                  <div>
                    <p class="MsoNormal"> <o:p></o:p></p>
                  </div>
                  <div>
                    <p class="MsoNormal">We considered the RFC5280
                      non-criticality of nameConstraints because it
                      offered significant positive security value for a
                      majority of clients, without compatibility risks.
                      The iPAddresses provide no positive security value
                      - other than allowing CAs to sell to users with
                      buggy software that their vendor doesn't want to
                      fix - and come with significant compatibility and
                      security risks.<o:p></o:p></p>
                  </div>
                  <div>
                    <p class="MsoNormal"> <o:p></o:p></p>
                  </div>
                  <blockquote style="border:none;border-left:solid
                    #CCCCCC 1.0pt;padding:0in 0in 0in
6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0in;margin-bottom:5.0pt">
                    <p class="MsoNormal"><br>
                      To me, it seems that allowing a string-ified IP
                      address in dNSName entries in the SAN when the
                      same IP address is included as an iPAddress entry
                      in the SAN is a reasonable tradeoff.  It is no
                      worse than including the same in the common name. 
                      As you have pointed out, a string-ified IP address
                      can never match a hostname, so there is no chance
                      of confusion.<o:p></o:p></p>
                  </blockquote>
                  <div>
                    <p class="MsoNormal"> <o:p></o:p></p>
                  </div>
                  <div>
                    <p class="MsoNormal">I've already explained to you
                      why this is incorrect. It's unfortunate that you
                      continue to suggest this line of thinking. A
                      string-ified IP address is not a valid hostname.<o:p></o:p></p>
                  </div>
                  <div>
                    <p class="MsoNormal"> <o:p></o:p></p>
                  </div>
                  <blockquote style="border:none;border-left:solid
                    #CCCCCC 1.0pt;padding:0in 0in 0in
6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0in;margin-bottom:5.0pt">
                    <p class="MsoNormal">If you have a client that
                      properly conforms to RFC 2818, then this is a
                      no-op for you — you will look at the iPAddress
                      entry and never try to match on dNSName.  You had
                      expressed concern that Mozilla would need to
                      update its code, but Gerv had indicated back in
                      August that this was not necessary (<a
                        moz-do-not-send="true"
                        href="https://cabforum.org/pipermail/public/2015-August/005850.html"
                        target="_blank">https://cabforum.org/pipermail/public/2015-August/005850.html</a>).<o:p></o:p></p>
                  </blockquote>
                  <div>
                    <p class="MsoNormal"> <o:p></o:p></p>
                  </div>
                  <div>
                    <p class="MsoNormal">That's not what is in the
                      ballot. What is in the ballot can and will cause
                      compatibility issues. It also suggests that Chrome
                      would need to adopt Firefox's peculiar behaviour
                      (only validating presented identifiers as they're
                      encountered, rather than at parse time). That's
                      not something we are comfortable with
                      implementing, and especially not foisting upon the
                      ecosystem to know about the "special" rules the
                      CA/B Forum embraces. There's already enough magic
                      in the WebPKI - we shouldn't knowingly introduce
                      more.<o:p></o:p></p>
                  </div>
                  <div>
                    <p class="MsoNormal"> <o:p></o:p></p>
                  </div>
                  <blockquote style="border:none;border-left:solid
                    #CCCCCC 1.0pt;padding:0in 0in 0in
6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0in;margin-bottom:5.0pt">
                    <p class="MsoNormal">I appreciate that conformance
                      is a great goal, but not causing customer pain is
                      also a laudable goal.  In this case it seems the
                      risk is low and the customer value is high.<o:p></o:p></p>
                  </blockquote>
                  <div>
                    <p class="MsoNormal"> <o:p></o:p></p>
                  </div>
                  <div>
                    <p class="MsoNormal">There has yet to be a
                      demonstration of the customer value compared to
                      the solution posed 8 months ago.  There's clearly
                      a demonstration of CA value - they do less work -
                      and of browser value - Microsoft does less work -
                      but there has yet to be an articulation of why the
                      solution is non-viable. The closest comment is
                      Jeremy saying they've investigated, it's not
                      practical - but provided zero evidence or
                      technical detail that would allow a reasoned
                      weighing of the risk versus reward. Instead, we
                      see CAs eager to violate RFC5280, easy to cause
                      compatibility issues with clients, and w/o
                      apparent care for the long-term damage to the
                      ecosystem they would be doing.<o:p></o:p></p>
                  </div>
                </div>
              </div>
            </div>
            <p class="MsoNormal"><br>
              <br>
              <br>
              <br>
              <o:p></o:p></p>
            <pre>_______________________________________________<o:p></o:p></pre>
            <pre>Public mailing list<o:p></o:p></pre>
            <pre><a moz-do-not-send="true" href="mailto:Public@cabforum.org">Public@cabforum.org</a><o:p></o:p></pre>
            <pre><a moz-do-not-send="true" href="https://cabforum.org/mailman/listinfo/public">https://cabforum.org/mailman/listinfo/public</a><o:p></o:p></pre>
          </blockquote>
          <p class="MsoNormal"> <o:p></o:p></p>
        </blockquote>
        <p class="MsoNormal"><o:p> </o:p></p>
      </div>
    </blockquote>
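    <p>The exchange above turns on how three kinds of client treat a certificate whose subjectAltName carries the same address both as an iPAddress entry and as a string-ified dNSName. The following is an added example, not code from the thread or from any CA or browser named in it. It models, in Python, (a) an RFC 2818 client that validates every dNSName for preferred-name syntax when it parses the certificate, (b) a client that only checks a dNSName when it is about to compare against it (the Firefox-style behaviour Ryan describes), and (c) a hypothetical legacy client that ignores iPAddress entries and string-compares the connected address against dNSName entries, which is the client the string-ified name is meant to satisfy. The SAN lists are constructed for the example; the syntax check uses the RFC 1123 rule that the top-level label of a host name is alphabetic, so a dotted-decimal literal can never be a valid dNSName. Common-name fallback, IDNs and URI names are left out.</p>

```python
"""Added example (not from the thread): how an RFC 2818 client, a lazy
(match-time) client, and a legacy dNSName-only client each treat a SAN that
holds the same IP as both an iPAddress and a string-ified dNSName."""
import ipaddress
import re

# One DNS label: letters, digits, hyphen; no leading or trailing hyphen;
# at most 63 octets.
_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def is_valid_dns_name(name: str) -> bool:
    """Preferred name syntax (RFC 1034 s3.5 as relaxed by RFC 1123 s2.1).

    RFC 1123 s2.1 observes that the top-level label is always alphabetic,
    so a dotted-decimal IPv4 literal such as "192.0.2.1" is never a valid
    host name. A leading "*" label is tolerated for wildcard names.
    """
    if not name or len(name) > 253:
        return False
    labels = name.split(".")
    if labels[0] == "*":
        labels = labels[1:]
    if not labels or not all(_LABEL.match(label) for label in labels):
        return False
    return not labels[-1].isdigit()


def reference_identifier(ref: str):
    """Classify what the client connected to: an IP literal or a host name.

    Returns (GeneralName type, comparable value). iPAddress values are the
    raw octets, which is how RFC 5280 stores them in the certificate.
    """
    try:
        return "iPAddress", ipaddress.ip_address(ref.strip("[]")).packed
    except ValueError:
        return "dNSName", ref.rstrip(".").lower()


def dns_name_matches(presented: str, reference: str) -> bool:
    """Case-insensitive dNSName match; wildcard only as the whole left-most label."""
    presented = presented.lower().rstrip(".")
    if presented.startswith("*."):
        first, _, rest = reference.partition(".")
        return bool(first) and rest == presented[2:]
    return presented == reference


def verify_identity(san, reference, validate_at_parse=True):
    """Return "match", "no_match" or "malformed".

    validate_at_parse=True models a client that checks every dNSName for
    syntax when it parses the certificate and rejects the whole certificate
    if one is bad. False models a client that only checks a dNSName when it
    is about to compare against it, so a bad dNSName is harmless when the
    reference identifier is an IP address.
    """
    ref_type, ref_value = reference_identifier(reference)
    if validate_at_parse:
        if any(t == "dNSName" and not is_valid_dns_name(v) for t, v in san):
            return "malformed"
    for typ, value in san:
        if typ != ref_type:
            continue  # RFC 2818 s3.1: an IP reference is compared only with iPAddress entries
        if typ == "iPAddress":
            if value == ref_value:
                return "match"
        else:
            if not is_valid_dns_name(value):
                return "malformed"
            if dns_name_matches(value, ref_value):
                return "match"
    return "no_match"


def legacy_dns_name_only_match(san, reference):
    """Hypothetical non-conforming client: ignores iPAddress entries and
    string-compares the connected address against dNSName entries."""
    return any(t == "dNSName" and v.lower() == reference.lower() for t, v in san)


# Constructed SANs. The first is the certificate the ballot would permit:
# the same IPv4 address as raw iPAddress octets and as a string-ified
# dNSName. The second is the RFC 5280-conforming alternative.
SAN_WITH_STRINGIFIED_IP = [
    ("dNSName", "192.0.2.1"),
    ("iPAddress", bytes([192, 0, 2, 1])),
]
SAN_CONFORMING = [
    ("iPAddress", bytes([192, 0, 2, 1])),
    ("iPAddress", ipaddress.ip_address("2001:db8::1").packed),
]

if __name__ == "__main__":
    for label, san in (("string-ified", SAN_WITH_STRINGIFIED_IP),
                       ("conforming", SAN_CONFORMING)):
        for ref in ("192.0.2.1", "www.example.com"):
            print(label, ref,
                  "strict:", verify_identity(san, ref, True),
                  "lazy:", verify_identity(san, ref, False),
                  "legacy:", legacy_dns_name_only_match(san, ref))
```

    <p>Running it shows the trade-off in one table: the parse-time client rejects the string-ified certificate outright (even when connecting by IP), the match-time client accepts it for an IP connection but rejects it as soon as it has to compare a host name against the bad dNSName, and only the legacy client gains anything from the string-ified entry. The conforming SAN matches under both RFC 2818 models and fails only on the legacy client, which is the bug that a client-side fix, rather than a certificate-profile exception, would remove.</p>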
    <br>
  </body>
</html>