<div dir="ltr"><br><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Apr 3, 2017 at 9:17 PM, Chris Bailey <span dir="ltr"><<a href="mailto:Chris.Bailey@entrustdatacard.com" target="_blank">Chris.Bailey@entrustdatacard.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="white" lang="EN-US" link="blue" vlink="purple">
<div class="m_-5566813685361842980WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:Calibri">I checked with my legal team on this issue. The retroactive amendment of an earlier action by a later action is very common under the legal doctrine “nunc pro tunc” – no, I can’t speak
Latin either, but it means “now for then”. Retroactivity will be effective here not because of anything specific on retroactivity in our Bylaws, but from the fact that the second ballot we approve (Ballot 194) will by its terms completely override the conflicting
parts of the earlier ballot we approved (Ballot 193) as of the effective date of the earlier ballot. Because Ballot 194 says it is retroactive to the effective date of Ballot 193, that provision will fully apply once adopted by the Forum as a ballot following
its Bylaws.</span></p></div></div></blockquote><div><br></div><div>That's great that you checked Chris, and I don't mean to be overly dismissive, but that's not how the CA/Browser Forum Baseline Requirements are written, nor how it's operated.</div><div><br></div><div>It's a technical specification, and one every CA is obligated to state compliance to the latest published version (which has undergone both voting and IP review). You will be violating your CP/CPS if you attempt this retroactive correction, and should receive a qualified audit because of it, independent of Ballot 194, because of this.</div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div bgcolor="white" lang="EN-US" link="blue" vlink="purple"><div class="m_-5566813685361842980WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:Calibri">The good news is, members will know whether or not Ballot 194 has passed before Ballot 193 becomes effective, so there will not be any gap period.</span></p></div></div></blockquote><div><br></div><div>This is not true. There is still the IPR review.</div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div bgcolor="white" lang="EN-US" link="blue" vlink="purple"><div class="m_-5566813685361842980WordSection1"><p class="MsoNormal"><span style="font-size:11.0pt;font-family:Calibri"> Ballot 193 will become effective on April
22, assuming no Exclusion Notices are filed by then. Ballot 194 will already have been passed by the members on April 16 (six days earlier), assuming it passes, so members will know that its retroactivity provisions were approved and will likely take effect
as of about May 16, assuming no Exclusion Notices are filed for Ballot 194 during its Review Period.</span></p></div></div></blockquote><div><br></div><div>This is misstating the agreed upon process for ballots. Until it's completed the IP Review, it's not adopted.</div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div bgcolor="white" lang="EN-US" link="blue" vlink="purple"><div class="m_-5566813685361842980WordSection1"><p class="MsoNormal"><span style="font-size:11.0pt;font-family:Calibri"> Because both Ballots 193 and 194 cover the same BR section - BR 4.2.1 - if there are no Exclusion Notices filed for Ballot 193, there probably won’t be any
Exclusion Notices filed for Ballot 194 either.</span></p></div></div></blockquote><div><br></div><div>That's not something the Forum members can or should be stating.</div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div bgcolor="white" lang="EN-US" link="blue" vlink="purple"><div class="m_-5566813685361842980WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:Calibri">As noted before, the proposer and endorsers for Ballot 193 meant for all changes to be effective at the same time, March 1, 2018. As to the reuse of validation data, clarifying that the
effective date is March 1, 2018 and not April 22, 2017 makes sense for two main reasons: </span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:Calibri">(1) CA validation systems have complex rules in their code that track the collection date of validation data (sometimes on a document-by-document basis), and the code includes internal
clocks that tell the CA when a piece of validation data must be revalidated. CAs will need to change that code so revalidation of data is required after 825 days instead of 39 months – this is a significant project that must be done correctly, and developers
are already pretty busy with other major changes like CT logging for all certificates and CAA implementation. </span></p></div></div></blockquote><div><br></div><div>This suggests that CAs are poorly designing their software and/or poorly staffing engineering. I suspect both.</div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div bgcolor="white" lang="EN-US" link="blue" vlink="purple"><div class="m_-5566813685361842980WordSection1">
<p class="MsoNormal"><br></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:Calibri">(2) In addition, telling CA vetting teams that as of April 22 they can no longer use properly-collected OV and DV certificate validation data that is more than 825 days old (but still within
the previous 39 month limit for reuse) will force a massive amount of data revalidation all at once – potentially a 50% workload increase for OV and DV certs starting all on a single day. This is an undesirable outcome that was never intended by the ballot
authors. Instead, it’s better for both the shorter certificate validity period and the shorter validation data reuse period to take effect at the same time – March 1, 2018 – so that CAs can plan ahead.</span></p></div></div></blockquote><div><br></div><div>I'm sorry, but it has yet to be demonstrated how this can be true. Nothing requires all of this information be revalidated on a single day. On April 22, when it comes into effect, you only need to revalidate new certificates. This is no different than if you were to acquire a new customer on April 22. There is nothing in Ballot 193 that requires a full re-validation as you've described.</div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div bgcolor="white" lang="EN-US" link="blue" vlink="purple"><div class="m_-5566813685361842980WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:Calibri">Ballots 193/194 represent a meaningful advance for user security by reducing certificate validity and data reuse periods from 39 months to 825 days. Let’s chalk up that “win” and move
on to the other issues we’re discussing for further security advances.</span></p></div></div></blockquote><div><br></div><div>As proposed, it's a negative for security. Let's focus on making real improvement. </div></div></div></div>
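The thread disputes whether shortening the validation-data reuse limit from 39 months to 825 days forces a CA to revalidate its whole data store on the effective date, or only to check each certificate as it is issued. The following added example (not code from either correspondent, the Forum, or any CA) models the second reading: the limit in force is selected by the issuance date, so on the cutover day only pending orders whose data is already too old under the new limit need fresh validation, and previously issued certificates are never touched. The cutover date of April 22, 2017, the calendar-month arithmetic for the old limit, the "applies at issuance" model, and the sample order queue are assumptions made for illustration, not a rendering of the Baseline Requirements text.

```python
import calendar
from datetime import date, timedelta

# Illustrative constants from the thread's description of Ballot 193:
# validation data reusable for 825 days instead of 39 months. The cutover
# date and the "limit chosen by issuance date" model are assumptions.
OLD_LIMIT_MONTHS = 39
NEW_LIMIT_DAYS = 825
CUTOVER = date(2017, 4, 22)


def add_months(d: date, months: int) -> date:
    """Calendar-month arithmetic, clamping the day to the target month's length."""
    total = d.month - 1 + months
    year, month = d.year + total // 12, total % 12 + 1
    day = min(d.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


def reuse_deadline(collected: date, issuance: date) -> date:
    """Last issuance date on which data collected on `collected` may still be reused.

    The limit in force depends on the issuance date, so the new rule is applied
    per certificate at issuance time, not across the whole validation store.
    """
    if issuance < CUTOVER:
        return add_months(collected, OLD_LIMIT_MONTHS)
    return collected + timedelta(days=NEW_LIMIT_DAYS)


def may_reuse(collected: date, issuance: date) -> bool:
    """True if data collected on `collected` can back an issuance on `issuance`."""
    return collected <= issuance <= reuse_deadline(collected, issuance)


def needs_revalidation(pending: dict, issuance: date) -> list:
    """Given pending orders {order_id: collection_date}, return the ids whose
    validation data is too old to reuse for an issuance on `issuance`."""
    return sorted(oid for oid, collected in pending.items()
                  if not may_reuse(collected, issuance))


# Constructed sample queue: three pending orders with data of different ages.
PENDING = {
    "order-1": date(2015, 1, 1),   # fine under 39 months, too old under 825 days
    "order-2": date(2015, 6, 1),   # still within 825 days on the cutover date
    "order-3": date(2017, 3, 15),  # recently collected
}

if __name__ == "__main__":
    for day in (date(2017, 4, 21), date(2017, 4, 22)):
        print(day, "needs revalidation:", needs_revalidation(PENDING, day))
```

Run on the day before and the day of the cutover, the queue yields no revalidations on April 21 and exactly one (`order-1`) on April 22; the other two orders proceed on existing data, which is the behaviour the reply describes.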