<div dir="ltr">Google votes YES</div><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Jul 14, 2016 at 7:17 AM, Josh Aas <span dir="ltr"><<a href="mailto:josh@letsencrypt.org" target="_blank">josh@letsencrypt.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Ballot 173 - Removal of requirement to cease use of private key due to<br>
incorrect certificate info<br>
<br>
The following motion has been proposed by Josh Aas of ISRG / Let's<br>
Encrypt. Ben Wilson of Digicert and Chris Bailey of Entrust endorse.<br>
<br>
Background:<br>
<br>
BR Section 9.6.3 point 5 says:<br>
<br>
"Reporting and Revocation: An obligation and warranty to promptly<br>
cease using a Certificate and its associated Private Key, and promptly<br>
request the CA to revoke the Certificate, in the event that: (a) any<br>
information in the Certificate is, or becomes, incorrect or<br>
inaccurate, or (b) there is any actual or suspected misuse or<br>
compromise of the Subscriber’s Private Key associated with the Public<br>
Key included in the Certificate;"<br>
<br>
There is a problem here, which is that this requires a subscriber to<br>
stop using a private key just because information in a certificate is<br>
inaccurate or incorrect. People should stop using a cert with<br>
inaccurate or incorrect information, but they shouldn't be required to<br>
stop using a key pair unless there is known or suspected compromise.<br>
<br>
This is particularly problematic for HPKP.<br>
<br>
--Motion Begins--<br>
<br>
Effective upon the date of passage, the following modifications are<br>
made to the Baseline Requirements:<br>
<br>
Change the following text in Section 9.6.3:<br>
=======================<br>
Reporting and Revocation: An obligation and warranty to promptly cease<br>
using a Certificate and its associated Private Key, and promptly<br>
request the CA to revoke the Certificate, in the event that: (a) any<br>
information in the Certificate is, or becomes, incorrect or<br>
inaccurate, or (b) there is any actual or suspected misuse or<br>
compromise of the Subscriber’s Private Key associated with the Public<br>
Key included in the Certificate;<br>
=======================<br>
<br>
To:<br>
=======================<br>
Reporting and Revocation: An obligation and warranty to: (a) promptly<br>
request revocation of the Certificate, and cease using it and its<br>
associated Private Key, if there is any actual or suspected misuse or<br>
compromise of the Subscriber’s Private Key associated with the Public<br>
Key included in the Certificate; and (b) promptly request revocation<br>
of the Certificate, and cease using it, if any information in the<br>
Certificate is or becomes incorrect or inaccurate.<br>
=======================<br>
<br>
--Motion Ends--<br>
<br>
The review period for this ballot shall commence at 2200 UTC on 14<br>
July 2016, and will close at 2200 UTC on 21 July 2016. Unless the<br>
motion is withdrawn during the review period, the voting period will<br>
start immediately thereafter and will close at 2200 UTC on 28 July<br>
2016. Votes must be cast by posting an on-list reply to this thread.<br>
<br>
A vote in favor of the motion must indicate a clear 'yes' in the<br>
response. A vote against must indicate a clear 'no' in the response. A<br>
vote to abstain must indicate a clear 'abstain' in the response.<br>
Unclear responses will not be counted. The latest vote received from<br>
any representative of a voting member before the close of the voting<br>
period will be counted. Voting members are listed here:<br>
<a href="https://cabforum.org/members/" rel="noreferrer" target="_blank">https://cabforum.org/members/</a><br>
<br>
In order for the motion to be adopted, two thirds or more of the votes<br>
cast by members in the CA category and greater than 50% of the votes<br>
cast by members in the browser category must be in favor. Quorum is<br>
currently ten (10) members– at least ten members must participate in<br>
the ballot, either by voting in favor, voting against, or abstaining.<br>
<span class="HOEnZb"><font color="#888888"><br>
--<br>
Josh Aas<br>
Executive Director<br>
Internet Security Research Group<br>
Let's Encrypt: A Free, Automated, and Open CA<br>
_______________________________________________<br>
Public mailing list<br>
<a href="mailto:Public@cabforum.org">Public@cabforum.org</a><br>
<a href="https://cabforum.org/mailman/listinfo/public" rel="noreferrer" target="_blank">https://cabforum.org/mailman/listinfo/public</a><br>
</font></span></blockquote></div><br></div>