<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<br>
<br>
<div class="moz-cite-prefix">On 17/4/2017 6:02 μμ, Ryan Sleevi via
Public wrote:<br>
</div>
<blockquote type="cite"
cite="mid:CACvaWvZftETuniXRCoDXE5+Ot=xniK1TcCgpRF4+OtcuRp-UjQ@mail.gmail.com">
<div dir="ltr"><br>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Mon, Apr 17, 2017 at 10:40 AM,
Gervase Markham via Public <span dir="ltr"><<a
href="mailto:public@cabforum.org" target="_blank"
moz-do-not-send="true">public@cabforum.org</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex"><span
class="">On 17/04/17 15:28, Jeremy Rowley wrote:<br>
> Doesn't this ballot suffer from the same limitation
that Ryan raised in<br>
> connection with the domain validation ballot?
Namely, that this language<br>
> "For the avoidance of doubt, these updated
requirements apply only to root<br>
> and intermediate certificates issued after the
Effective Date of this<br>
> ballot, which is upon approval (i.e. at the end of
the IPR Review Period if<br>
> no Exclusion Notices are filed)" needs to be part
of the document text?<br>
<br>
</span><sigh><br>
<br>
I think that the plain and only sensible way to understand
the BRs is<br>
that particular rules apply only to actions taken when
those rules are<br>
in force. So if a motion e.g. alters the rules surrounding
the issuance<br>
of intermediate certificates, by default the new rules
apply only to<br>
issuances of intermediate certificates that happen after
the motion<br>
fully passes (i.e. after IPR review is complete). Such a
motion does not<br>
by default require the revocation and replacement of all
previous<br>
intermediate certificates which do not now meet the
updated rules.<br>
<br>
This default can, of course, be changed by explicit
wording in the<br>
motion which adds an instruction to the BRs to e.g. revoke
all previous<br>
certs or make any other provision retroactive, but that's
not the default.<br>
<br>
[How does this apply to the current debate about
information reuse?<br>
Information reuse is an action. So BR rules about
information reuse<br>
apply when you reuse information. BR rules about gathering
information<br>
apply when you gather information. But let's not get
sidetracked by that<br>
in this thread.]<br>
<br>
Kirk was keen that the motion state this explicitly, so I
added<br>
something to the motion to state this explicitly, "for the
avoidance of<br>
doubt". However, I personally don't believe that there's
any doubt. And<br>
I don't think we want to clutter up the BRs with things
which basically<br>
say "this rule applies only to things which happen under
the auspices of<br>
this document." I think that's obvious.</blockquote>
<div><br>
</div>
<div>I agree with both your summary and your conclusion.</div>
<div><br>
</div>
<div>The BRs represent a state of the CA's compliance at a
point in time with respect to what they issue. It does not
govern past actions, nor can it indemnify them. It can,
however, require that on a particular date, some action is
taken - such as revoking past certificates. <br>
</div>
</div>
</div>
</div>
</blockquote>
<br>
When a CA is being audited for a period-in-time (say June 2016 -
June 2017), they are usually audited against an audit criteria
(Webtrust or ETSI) that incorporate a certain version of the BRs,
usually not the latest. If they are audited with the latest version
of the BRs that don't take into consideration a transition phase for
some cases like the timestamping issuance or the Intermediate CA
Certificate without a CN, it might lead to problems. <br>
<br>
For example, if a CA issued an Intermediate CA Certificate in August
2016 without a CN, and the BRs were updated in May 2017, when the
auditor comes in at the end of the audit period in June 2017 and
checks everything against the latest BRs, they will consider the
Intermediate CA issued in August 2016 as being mis-issued. Of course
the CA can explain to the auditors that the BRs changed in May 2017
and enter a discussion with them but why shouldn't we try to avoid
this?<br>
<br>
I would also encourage adding an effective date for this ballot just
as we did for ballot 189.<br>
<br>
<br>
Dimitris.<br>
<br>
<br>
<blockquote type="cite"
cite="mid:CACvaWvZftETuniXRCoDXE5+Ot=xniK1TcCgpRF4+OtcuRp-UjQ@mail.gmail.com"><br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
Public mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Public@cabforum.org">Public@cabforum.org</a>
<a class="moz-txt-link-freetext" href="https://cabforum.org/mailman/listinfo/public">https://cabforum.org/mailman/listinfo/public</a>
</pre>
</blockquote>
<br>
</body>
</html>