<div dir="ltr">Hi Bruce,<div><br></div><div>There's a whole host of problems that are all so deeply related that they cannot be easily disentangled.</div><div><br></div><div>Note: I introduced the topic in <a href="https://cabforum.org/pipermail/public/2017-April/010730.html">https://cabforum.org/pipermail/public/2017-April/010730.html</a> with the goals. Many of the specific changes - the problem statements - are on the GitHub link, in line-by-line annotations explaining the reasoning and subsequent discussion.</div><div><br></div><div>For the purposes of further discussion:</div><div><br></div><div>* The profile of OCSP that exists (e.g. responder lifetime) is inconsistent with those of browser requirements, meaning that there is an 'effective' minimum already specified that is more than the Baseline Requirements specify, and which every (current) member of the CA/B Forum is already held to<br></div><div>* CAs' deployment of OCSP, today, results in characteristics that prevent or inhibit meaningful efforts to deploy more widespread OCSP stapling</div><div> * CAs make use of the full profile of OCSP, which is maximally permissive, in a way that introduces significant performance problems (e.g. including the full response chain within the OCSP response)</div><div> * CAs fail to provide timely OCSP information following the issuance of a certificate, adding an unbounded complexity to the availability of the OCSP response itself</div><div>* CAs' deployment of OCSP, today, results in insecure practices that expose users to unnecessary risk and undermine the trustworthiness of revocation information</div><div> * CAs enable the use of the nonce-extension, particularly with SHA-1, which creates significant risk to clients if the OCSP Responder certificate is not designed appropriately (which cannot be done in the case of a non-delegated responder)</div><div> * CAs' delegated responder practices expose keying material to systems outside of the scope of audit. A compromise of this keying material effectively compromises revocation for the CA itself</div><div> * CAs' OCSP response signing practices may, in some cases, make an inappropriate risk determination on the protection of responses (particularly pre-generated responses) that is effectively the same as a revocation compromise</div><div><br></div><div>As I mentioned on the original link, CRLs equally benefit from such a profile, and the unnecessary complexity of some deployments - whether non-spec-conforming deployments (e.g. non-critical issuerDistributionPoints) or poorly optimized deployments (e.g. 1,000,000 certificates all using a single CRL) - equally prevents meaningful improvements into the revocation space.</div><div><br></div><div>If we are to have productive conversations about revocations, and the ways in which they are useful to clients - and this is regardless of something like CRLs, CRLSets, or proposals such as CRLLite - then we need to have a consistent profile, much like we do for certificates. The GitHub discussion attempts to set out the overall goals - where do we want to see the system in (N time period) - and then figure out what those values of phasing in (which doesn't necessarily need to be all at once) should be.</div><div><br></div><div>So I think it's important, in this discussion, to focus on the substance of the goal, rather than notions such as timeframes or specific ballots, so we can find some common agreement and understanding of the goals, iterate on the means to achieve them, and then discuss the time necessary. 
By doing this, we can hopefully reduce the time, by providing more positive signals to the industry (both ISVs and CAs) about directions to consider, invest in, and research.</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, May 24, 2017 at 1:14 PM, Bruce Morton <span dir="ltr"><<a href="mailto:Bruce.Morton@entrustdatacard.com" target="_blank">Bruce.Morton@entrustdatacard.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div lang="EN-US" link="blue" vlink="purple">
<div class="m_6938629275163763269WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d">Hi Ryan,<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d">I support the OCSP Responder discussion. I’m wondering if you could also provide a problem statement which we would like to solve. I do not see this information
in the GitHub link.<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d">Thanks, Bruce.<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"><u></u> <u></u></span></p>
<p class="MsoNormal"><b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">From:</span></b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"> Public [mailto:<a href="mailto:public-bounces@cabforum.org" target="_blank">public-bounces@cabforum.org</a>]
<b>On Behalf Of </b>Ryan Sleevi via Public<span class=""><br>
<b>Sent:</b> Monday, May 22, 2017 1:32 PM<br>
<b>To:</b> CA/Browser Forum Public Discussion List <<a href="mailto:public@cabforum.org" target="_blank">public@cabforum.org</a>><br>
<b>Cc:</b> Ryan Sleevi <<a href="mailto:sleevi@google.com" target="_blank">sleevi@google.com</a>><br>
</span><b>Subject:</b> [EXTERNAL]Re: [cabfpub] Draft Agenda for Thursday May 25 CABF Teleconference<u></u><u></u></span></p><div><div class="h5">
<p class="MsoNormal"><u></u> <u></u></p>
<div>
<p class="MsoNormal">Hi Kirk,<u></u><u></u></p>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<p class="MsoNormal">I'd be interested if we could spend some time discussing l), if the members interested are able to make the call (Paul van Brouwershaven from GlobalSign if possible, Dimitris, Tim, Bruce). We spent time - both on the bug and the list -
discussing OCSP Responder certificates and their validity lifetime relative to the risks. Assuming we have time, I suspect it might be useful to both recap some of that discussion, and bring it to the attention of the broader group to get feedback and thoughts
on the goals.<u></u><u></u></p>
</div>
</div>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
<div>
<p class="MsoNormal">On Sun, May 21, 2017 at 9:03 PM, Kirk Hall via Public <<a href="mailto:public@cabforum.org" target="_blank">public@cabforum.org</a>> wrote:<u></u><u></u></p>
<blockquote style="border:none;border-left:solid #cccccc 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in">
<div>
<div>
<p class="MsoNormal">Here is a draft agenda for our call this Thursday, May 25. Please offer edits and suggestions.<u></u><u></u></p>
<p class="MsoNormal"> <u></u><u></u></p>
<p class="m_6938629275163763269m8736879794240613020msolistparagraph" style="margin-right:0in;margin-bottom:1.0pt;margin-left:.25in;line-height:105%">
1.<span style="font-size:7.0pt;line-height:105%"> </span>Roll Call<u></u><u></u></p>
<p class="m_6938629275163763269m8736879794240613020msolistparagraph" style="margin-right:0in;margin-bottom:1.0pt;margin-left:.25in;line-height:105%">
2.<span style="font-size:7.0pt;line-height:105%"> </span>Read Antitrust Statement
<u></u><u></u></p>
<p class="m_6938629275163763269m8736879794240613020msolistparagraph" style="margin-right:0in;margin-bottom:1.0pt;margin-left:.25in;line-height:105%">
3.<span style="font-size:7.0pt;line-height:105%"> </span>Review Agenda<u></u><u></u></p>
<p class="m_6938629275163763269m8736879794240613020msolistparagraph" style="margin-right:0in;margin-bottom:1.0pt;margin-left:18.35pt;line-height:105%">
Approve Minutes of CABF teleconference of May 11, 2017 as amended<u></u><u></u></p>
<p class="m_6938629275163763269m8736879794240613020msolistparagraph" style="margin-right:0in;margin-bottom:1.0pt;margin-left:.25in;line-height:105%">
4.<span style="font-size:7.0pt;line-height:105%"> </span>Governance Change Working Group update.
<u></u><u></u></p>
<p class="m_6938629275163763269m8736879794240613020msolistparagraph" style="margin-right:0in;margin-bottom:1.0pt;margin-left:.25in;line-height:105%">
5.<span style="font-size:7.0pt;line-height:105%"> </span>Validation Working Group update.
<u></u><u></u></p>
<p class="m_6938629275163763269m8736879794240613020msolistparagraph" style="margin-right:0in;margin-bottom:1.0pt;margin-left:.25in;line-height:105%">
6.<span style="font-size:7.0pt;line-height:105%"> </span>Policy Review Working Group update.
<u></u><u></u></p>
<p class="m_6938629275163763269m8736879794240613020msolistparagraph" style="margin-right:0in;margin-bottom:1.0pt;margin-left:.25in;line-height:105%">
7.<span style="font-size:7.0pt;line-height:105%"> </span>Charter for new Security Controls Working Group (to update Network Security requirements)<u></u><u></u></p>
<p class="m_6938629275163763269m8736879794240613020msolistparagraph" style="margin-right:0in;margin-bottom:1.0pt;margin-left:.25in;line-height:105%">
8.<span style="font-size:7.0pt;line-height:105%"> </span>Ballot Status (see list below)<u></u><u></u></p>
<p class="m_6938629275163763269m8736879794240613020msolistparagraph" style="margin-right:0in;margin-bottom:1.0pt;margin-left:.25in;line-height:105%">
9.<span style="font-size:7.0pt;line-height:105%"> </span>New Bylaw to resolve procedural disputes (ballot errors, voting issues)<u></u><u></u></p>
<p class="m_6938629275163763269m8736879794240613020msolistparagraph" style="margin-right:0in;margin-bottom:1.0pt;margin-left:.25in;line-height:105%">
10.<span style="font-size:7.0pt;line-height:105%"> </span>Next F2F meeting: <u></u>
<u></u></p>
<p class="MsoNormal" style="margin-bottom:1.0pt;margin-left:.35pt;text-indent:17.65pt;line-height:105%">
June 20-22, 2017 Berlin (D-Trust) – Suggested F2F Agenda Items<u></u><u></u></p>
<p class="m_6938629275163763269m8736879794240613020msolistparagraph" style="margin-right:0in;margin-bottom:1.0pt;margin-left:.25in;line-height:105%">
11.<span style="font-size:7.0pt;line-height:105%"> </span>Any Other Business <u></u>
<u></u></p>
<p class="m_6938629275163763269m8736879794240613020msolistparagraph" style="margin-right:0in;margin-bottom:1.0pt;margin-left:.25in;line-height:105%">
12.<span style="font-size:7.0pt;line-height:105%"> </span>Next call June 8, 2017<u></u><u></u></p>
<p class="m_6938629275163763269m8736879794240613020msolistparagraph" style="margin-right:0in;margin-bottom:1.0pt;margin-left:.25in;line-height:105%">
13.<span style="font-size:7.0pt;line-height:105%"> </span>Adjourn<u></u><u></u></p>
<p class="MsoNormal"> <u></u><u></u></p>
<p class="MsoNormal">****<u></u><u></u></p>
<p class="MsoNormal"> <u></u><u></u></p>
<p class="MsoNormal"><b>CURRENT STATUS OF BALLOTS (as of May 11, 2017)</b><u></u><u></u></p>
<p class="MsoNormal"> <u></u><u></u></p>
<p class="MsoNormal"><b>1. Ballots in Voting Period</b><u></u><u></u></p>
<p class="m_6938629275163763269m8736879794240613020msolistparagraph">a)<span style="font-size:7.0pt">
</span>Ballot 191 – Clarify Place of Business Information (Jeremy) – ends May 23<u></u><u></u></p>
<p class="MsoNormal"> <u></u><u></u></p>
<p class="MsoNormal"><b>2. Ballots in Discussion Period</b><u></u><u></u></p>
<p class="m_6938629275163763269m8736879794240613020msolistparagraph"><span style="border:none windowtext 1.0pt;padding:0in">a)</span><span style="font-size:7.0pt;border:none windowtext 1.0pt;padding:0in">
</span>Ballot 200 – CA/Browser Forum Code of Conduct<span style="border:none windowtext 1.0pt;padding:0in;background:white"> (Virginia) - ends May 23</span><u></u><u></u></p>
<p class="MsoNormal"> <u></u><u></u></p>
<p class="MsoNormal"><b>3. Ballots in Review Period</b><u></u><u></u></p>
<p class="m_6938629275163763269m8736879794240613020msolistparagraph" style="margin-right:0in;margin-bottom:1.0pt;margin-left:36.35pt;line-height:105%">
<span style="font-size:9.0pt;line-height:105%;font-family:"Arial",sans-serif">a)</span><span style="font-size:7.0pt;line-height:105%">
</span><span style="border:none windowtext 1.0pt;padding:0in;background:white">Ballot 197 – Effective Date of Ballot 193 Provisions - ends June 2</span><u></u><u></u></p>
<p class="m_6938629275163763269m8736879794240613020msolistparagraph" style="margin-left:36.35pt"><span style="font-size:9.0pt;font-family:"Arial",sans-serif">b)</span><span style="font-size:7.0pt">
</span>Ballot 198 – Onion Revisions – ends June 8 - <i><u>Uncertain</u></i><u></u><u></u></p>
<p class="m_6938629275163763269m8736879794240613020msolistparagraph" style="margin-left:36.35pt"><span style="font-size:9.0pt;font-family:"Arial",sans-serif">c)</span><span style="font-size:7.0pt">
</span>Ballot 199 - Require commonName in Root and Intermediate Certificates – ends June 8<u></u><u></u></p>
<p class="MsoNormal"> <u></u><u></u></p>
<p class="MsoNormal"><b>4. Draft Ballots</b><u></u><u></u></p>
<p class="m_6938629275163763269m8736879794240613020msolistparagraph" style="margin-right:0in;margin-bottom:1.0pt;margin-left:.5in;line-height:105%">
<span style="font-size:9.0pt;line-height:105%;font-family:"Arial",sans-serif">a)</span><span style="font-size:7.0pt;line-height:105%">
</span>Ballot 184 - RFC 822 Names and otherNames, SRV names (Jeremy)<u></u><u></u></p>
<p class="m_6938629275163763269m8736879794240613020msolistparagraph" style="margin-right:0in;margin-bottom:1.0pt;margin-left:.5in;line-height:105%">
<span style="font-size:9.0pt;line-height:105%;font-family:"Arial",sans-serif">b)</span><span style="font-size:7.0pt;line-height:105%">
</span>Ballot 186 – Limiting reuse of validation information (Ryan)<u></u><u></u></p>
<p class="m_6938629275163763269m8736879794240613020msolistparagraph" style="margin-right:0in;margin-bottom:1.0pt;margin-left:.5in;line-height:105%">
<span style="font-size:9.0pt;line-height:105%;font-family:"Arial",sans-serif">c)</span><span style="font-size:7.0pt;line-height:105%">
</span><span style="border:none windowtext 1.0pt;padding:0in;background:white">Ballot 190 – BR 3.2.2.4 Validation Methods (Jeremy)</span><u></u><u></u></p>
<p class="m_6938629275163763269m8736879794240613020msolistparagraph" style="margin-right:0in;margin-bottom:1.0pt;margin-left:.5in;line-height:105%">
<span style="font-size:9.0pt;line-height:105%;font-family:"Arial",sans-serif">d)</span><span style="font-size:7.0pt;line-height:105%">
</span><span style="border:none windowtext 1.0pt;padding:0in;background:white">Ballot 191 – Clarify Place of Business Info (Jeremy)</span><u></u><u></u></p>
<p class="m_6938629275163763269m8736879794240613020msolistparagraph" style="margin-right:0in;margin-bottom:1.0pt;margin-left:.5in;line-height:105%">
<span style="font-size:9.0pt;line-height:105%;font-family:"Arial",sans-serif">e)</span><span style="font-size:7.0pt;line-height:105%">
</span><span style="border:none windowtext 1.0pt;padding:0in;background:white">Ballot 192 - Notary Clarification (Jeremy)</span><u></u><u></u></p>
<p class="m_6938629275163763269m8736879794240613020msolistparagraph" style="margin-right:0in;margin-bottom:1.0pt;margin-left:.5in;line-height:105%">
<span style="font-size:9.0pt;line-height:105%;font-family:"Arial",sans-serif">f)</span><span style="font-size:7.0pt;line-height:105%">
</span><span style="border:none windowtext 1.0pt;padding:0in;background:white">Ballot 201 - .Onion Revisions (Jeremy)</span><u></u><u></u></p>
<p class="m_6938629275163763269m8736879794240613020msolistparagraph" style="margin-right:0in;margin-bottom:1.0pt;margin-left:.5in;line-height:105%">
<span style="font-size:9.0pt;line-height:105%;font-family:"Arial",sans-serif">g)</span><span style="font-size:7.0pt;line-height:105%">
</span>RAs and Delegated Third Parties (Gerv)<u></u><u></u></p>
<p class="m_6938629275163763269m8736879794240613020msolistparagraph" style="margin-right:0in;margin-bottom:1.0pt;margin-left:.5in;line-height:105%">
<span style="font-size:9.0pt;line-height:105%;font-family:"Arial",sans-serif">h)</span><span style="font-size:7.0pt;line-height:105%">
</span>Expected ASN.1 grammar for BR & EV certificates (Peter)<u></u><u></u></p>
<p class="m_6938629275163763269m8736879794240613020msolistparagraph" style="margin-right:0in;margin-bottom:1.0pt;margin-left:.5in;line-height:105%">
<span style="font-size:9.0pt;line-height:105%;font-family:"Arial",sans-serif">i)</span><span style="font-size:7.0pt;line-height:105%">
</span>Bylaws change – Membership requirements (Gerv)<u></u><u></u></p>
<p class="m_6938629275163763269m8736879794240613020msolistparagraph" style="margin-right:0in;margin-bottom:1.0pt;margin-left:.5in;line-height:105%">
<span style="font-size:9.0pt;line-height:105%;font-family:"Arial",sans-serif">j)</span><span style="font-size:7.0pt;line-height:105%">
</span>Bylaw change - Voting rules (Jos)<u></u><u></u></p>
<p class="m_6938629275163763269m8736879794240613020msolistparagraph" style="margin-right:0in;margin-bottom:1.0pt;margin-left:.5in;line-height:105%">
<span style="font-size:9.0pt;line-height:105%;font-family:"Arial",sans-serif">k)</span><span style="font-size:7.0pt;line-height:105%">
</span>Requiring RFC 3647 format (Ryan)<u></u><u></u></p>
<p class="m_6938629275163763269m8736879794240613020msolistparagraph" style="margin-right:0in;margin-bottom:1.0pt;margin-left:.5in;line-height:105%">
<span style="font-size:9.0pt;line-height:105%;font-family:"Arial",sans-serif">l)</span><span style="font-size:7.0pt;line-height:105%">
</span>Profiling OCSP & CRLs (Ryan)<u></u><u></u></p>
</div>
</div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><br>
_______________________________________________<br>
Public mailing list<br>
<a href="mailto:Public@cabforum.org" target="_blank">Public@cabforum.org</a><br>
<a href="https://cabforum.org/mailman/listinfo/public" target="_blank">https://cabforum.org/mailman/listinfo/public</a><u></u><u></u></p>
</blockquote>
</div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
</div></div></div>
</div>
</blockquote></div><br></div>