<html>
  <head>

    <meta http-equiv="content-type" content="text/html; charset=utf-8">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    Re-posting for Jürgen
    <div class="moz-forward-container"><br>
      Dimitris.<br>
      <br>
      -------- Forwarded Message --------
      <table class="moz-email-headers-table" border="0" cellpadding="0"
        cellspacing="0">
        <tbody>
          <tr>
            <th align="RIGHT" nowrap="nowrap" valign="BASELINE">Subject:
            </th>
            <td>Re: [cabfquest] Draft Ballot 186 - Limiting the Reuse of
              Validation Information</td>
          </tr>
          <tr>
            <th align="RIGHT" nowrap="nowrap" valign="BASELINE">Date: </th>
            <td>Fri, 3 Feb 2017 17:35:12 +0100</td>
          </tr>
          <tr>
            <th align="RIGHT" nowrap="nowrap" valign="BASELINE">From: </th>
            <td>Jürgen Brauckmann <a class="moz-txt-link-rfc2396E" href="mailto:brauckmann@dfn-cert.de"><brauckmann@dfn-cert.de></a></td>
          </tr>
          <tr>
            <th align="RIGHT" nowrap="nowrap" valign="BASELINE">Reply-To:
            </th>
            <td><a class="moz-txt-link-abbreviated" href="mailto:questions@cabforum.org">questions@cabforum.org</a></td>
          </tr>
          <tr>
            <th align="RIGHT" nowrap="nowrap" valign="BASELINE">Organization:
            </th>
            <td>DFN-CERT Services GmbH</td>
          </tr>
          <tr>
            <th align="RIGHT" nowrap="nowrap" valign="BASELINE">To: </th>
            <td>Ryan Sleevi <a class="moz-txt-link-rfc2396E" href="mailto:sleevi@google.com"><sleevi@google.com></a>, CABFPub
              <a class="moz-txt-link-rfc2396E" href="mailto:questions@cabforum.org"><questions@cabforum.org></a></td>
          </tr>
        </tbody>
      </table>
      <br>
      <br>
      <pre>Ryan Sleevi wrote:
> On Wed, Feb 1, 2017 at 10:49 AM, Ryan Sleevi <a class="moz-txt-link-rfc2396E" href="mailto:sleevi@google.com"><sleevi@google.com></a> wrote:

>> Reposting on behalf of Jürgen Brauckmann <a class="moz-txt-link-rfc2396E" href="mailto:brauckmann@dfn-cert.de"><brauckmann@dfn-cert.de></a>
>>
>> Ryan Sleevi via Public wrote:
>>>   4. The CA has not revoked any certificates which contain certificate
>>> information verified using the document or data.
>>
>> Your goal is to kill OV?
>>

> And why does OV require revocation? OV totally remains valid, so long as
> you're not revoking those certs.

Vetting for OV certificates is expensive and time consuming. Being
forced to do that every time a certificate is revoked will make it
nearly impossible to maintain that class of certs. Hence my initial comment.

But the discussion progressed substantially to limit "the damage" to
certain revoke reasons:

> As mentioned in my other message just now, beyond keyCompromise, what other
> reasons would you revoke a cert? Surely if you revoke a cert because of
> "affiliationChanged", you should very well be revalidating the affiliation
> before issuing a new cert

Well, there is no revoke reason "domain affiliation changed" or "server
admin affiliation changed" or "organization affiliation changed".

So, by using X.509 revoke reasons to express policy, we are very coarse.


Thanks,
  Jürgen
[may be reposted to public, thanks]
_______________________________________________
Questions mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Questions@cabforum.org">Questions@cabforum.org</a>
<a class="moz-txt-link-freetext" href="https://cabforum.org/mailman/listinfo/questions">https://cabforum.org/mailman/listinfo/questions</a>

</pre>
    </div>
  </body>
</html>