<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman",serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p.msonormal0, li.msonormal0, div.msonormal0
{mso-style-name:msonormal;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:12.0pt;
font-family:"Times New Roman",serif;}
span.m-8129945046377862576gmail-m-2027377797794697035gmail-gd
{mso-style-name:m_-8129945046377862576gmail-m-2027377797794697035gmail-gd;}
span.m-8129945046377862576gmail-m-2027377797794697035gmail-go
{mso-style-name:m_-8129945046377862576gmail-m-2027377797794697035gmail-go;}
span.m-8129945046377862576gmail-
{mso-style-name:m_-8129945046377862576gmail-;}
span.m-8129945046377862576gmail-m-2027377797794697035gmail-im
{mso-style-name:m_-8129945046377862576gmail-m-2027377797794697035gmail-im;}
span.EmailStyle22
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri",sans-serif;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link=blue vlink=purple><div class=WordSection1><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'>What if we decoupled revalidation of organization information and domain validation? Organization information wouldn’t change if a certificate is revoked for key compromise and tends to change less frequently than domain information. We could keep org information at 39 months and specify domain validation must occur more frequently. <o:p></o:p></span></p><p class=MsoNormal><a name="_MailEndCompose"><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'><o:p> </o:p></span></a></p><span style='mso-bookmark:_MailEndCompose'></span><p class=MsoNormal><b><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'>From:</span></b><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'> Ryan Sleevi [mailto:sleevi@google.com] <br><b>Sent:</b> Wednesday, February 1, 2017 12:24 PM<br><b>To:</b> CA/Browser Forum Public Discussion List <public@cabforum.org><br><b>Cc:</b> Jeremy Rowley <jeremy.rowley@digicert.com><br><b>Subject:</b> Re: [cabfpub] Draft Ballot 186 - Limiting the Reuse of Validation Information<o:p></o:p></span></p><p class=MsoNormal><o:p> </o:p></p><div><p class=MsoNormal>Jeremy,<o:p></o:p></p><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>Did you misread superseded as suspended? "Suspension" is indicated by certificateHold, which is different than the ones listed.<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>For sake of completeness, here's the RFC5280 list of revocation reasons:<o:p></o:p></p></div><div><div><p class=MsoNormal> ReasonFlags ::= BIT STRING {<o:p></o:p></p></div><div><p class=MsoNormal> unused (0),<o:p></o:p></p></div><div><p class=MsoNormal> keyCompromise (1),<o:p></o:p></p></div><div><p class=MsoNormal> cACompromise (2),<o:p></o:p></p></div><div><p class=MsoNormal> affiliationChanged (3),<o:p></o:p></p></div><div><p class=MsoNormal> superseded (4),<o:p></o:p></p></div><div><p class=MsoNormal> cessationOfOperation (5),<o:p></o:p></p></div><div><p class=MsoNormal> certificateHold (6),<o:p></o:p></p></div><div><p class=MsoNormal> privilegeWithdrawn (7),<o:p></o:p></p></div><div><p class=MsoNormal> aACompromise (8) }<o:p></o:p></p></div></div></div><div><p class=MsoNormal><o:p> </o:p></p><div><p class=MsoNormal>On Wed, Feb 1, 2017 at 11:13 AM, Jeremy Rowley via Public <<a href="mailto:public@cabforum.org" target="_blank">public@cabforum.org</a>> wrote:<o:p></o:p></p><blockquote style='border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in'><div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'>Suspension is not permitted under 4.9.13 of the BRs. It didn’t work with the way browsers did caching, making it impossible to unrevoked a cert. Plus, it was pretty suspicious when CRL listings disappeared.</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><a name="m_-8129945046377862576__MailEndCompose"><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'> </span></a><o:p></o:p></p><div><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><b><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'>From:</span></b><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'> Public [mailto:<a href="mailto:public-bounces@cabforum.org" target="_blank">public-bounces@cabforum.org</a>] <b>On Behalf Of </b>Peter Bowen via Public<br><b>Sent:</b> Wednesday, February 1, 2017 11:58 AM<br><b>To:</b> CA/Browser Forum Public Discussion List <<a href="mailto:public@cabforum.org" target="_blank">public@cabforum.org</a>><br><b>Cc:</b> Peter Bowen <<a href="mailto:pzb@amzn.com" target="_blank">pzb@amzn.com</a>><br><b>Subject:</b> Re: [cabfpub] Draft Ballot 186 - Limiting the Reuse of Validation Information</span><o:p></o:p></p></div></div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p><div><blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>On Feb 1, 2017, at 10:51 AM, Ryan Sleevi via Public <<a href="mailto:public@cabforum.org" target="_blank">public@cabforum.org</a>> wrote:<o:p></o:p></p></div><div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p><div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>On Wed, Feb 1, 2017 at 10:49 AM, Ryan Sleevi <<a href="mailto:sleevi@google.com" target="_blank">sleevi@google.com</a>> wrote:<o:p></o:p></p><blockquote style='border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0in;margin-bottom:5.0pt'><div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:9.5pt'>Reposing on behalf of <span class=m-8129945046377862576gmail-m-2027377797794697035gmail-gd>Jürgen Brauckmann</span> <span class=m-8129945046377862576gmail-m-2027377797794697035gmail-go><<a href="mailto:brauckmann@dfn-cert.de" target="_blank">brauckmann@dfn-cert.de</a>></span></span><o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span class=m-8129945046377862576gmail-><span style='font-size:9.5pt'>Ryan Sleevi via Public schrieb:</span></span><span style='font-size:9.5pt'><br><span class=m-8129945046377862576gmail-m-2027377797794697035gmail-im>> 4. The CA has not revoked any certificates which contain certificate</span><br><span class=m-8129945046377862576gmail-m-2027377797794697035gmail-im>> information verified using the document or data.</span><br><br><span class=m-8129945046377862576gmail->Your goal is to kill OV?</span></span><o:p></o:p></p></div></div></blockquote><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p></div><div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>And why does OV require revocation? OV totally remains valid, so long as you're not revoking those certs.<o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>As mentioned in my other message just now, beyond keyCompromise, what other reasons would you revoke a cert? Surely if you revoke a cert because of "affiliationChanged", you should very well be revalidating the affiliation before issuing a new cert; otherwise, you could revoke the cert and totally reissue it using the original bogus information.<o:p></o:p></p></div></div></div></div></div></div></div></div></blockquote><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p></div><div><div><div><div style='border:none;border-left:solid windowtext 1.0pt;padding:0in 0in 0in 3.0pt;border-left-color:transparent;font-variant-ligatures:normal'><div style='margin-left:22.5pt'><div style='margin-top:3.75pt;margin-right:11.25pt' id="m_-8129945046377862576:5v7"><div id="m_-8129945046377862576:5xj"><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white'><span style='font-size:9.5pt;font-family:"Arial",sans-serif;color:#222222'>Consider these revocation reasons in the X.509 text:<br><br>- superseded indicates that the certificate has been superseded but<br>there is no cause to suspect that the private key has been compromised<br><br>- cessationOfOperation indicates that the certificate is no longer<br>needed for the purpose for which it was issued but there is no cause<br>to suspect that the private key has been compromise<br><br>If a customer is replacing certificate X with certificate Y (probably<br>with the same SANs), it is completely reasonable for them to request<br>revocation of X once Y is fully deployed. I would use "superseded"<br>for this case. It is also possible that a customer ceases to use a<br>server and wants to revoke using "cessationOfOperation". Neither of<br>these cases says anything about the validity of the domain<br>registration or organization information.<br><br>Thanks,<br>Peter</span><o:p></o:p></p></div></div></div></div></div></div></div></div></div><p class=MsoNormal style='margin-bottom:12.0pt'><br>_______________________________________________<br>Public mailing list<br><a href="mailto:Public@cabforum.org">Public@cabforum.org</a><br><a href="https://cabforum.org/mailman/listinfo/public" target="_blank">https://cabforum.org/mailman/listinfo/public</a><o:p></o:p></p></blockquote></div><p class=MsoNormal><o:p> </o:p></p></div></div></body></html>