<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p.msonormal0, li.msonormal0, div.msonormal0
{mso-style-name:msonormal;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
span.m-5999786589228784968gmail-m2362908302630538494gmail-m3362260135795645707gmail-blob-code-inner
{mso-style-name:m_-5999786589228784968gmail-m_2362908302630538494gmail-m_3362260135795645707gmail-blob-code-inner;}
span.m-5999786589228784968gmail-m2362908302630538494gmail-m3362260135795645707gmail-x
{mso-style-name:m_-5999786589228784968gmail-m_2362908302630538494gmail-m_3362260135795645707gmail-x;}
span.EmailStyle20
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri",sans-serif;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link=blue vlink=purple><div class=WordSection1><p class=MsoNormal>I’ll endorse this.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>-Tim<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><div style='border:none;border-left:solid blue 1.5pt;padding:0in 0in 0in 4.0pt'><div><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal><b>From:</b> Public [mailto:public-bounces@cabforum.org] <b>On Behalf Of </b>Wayne Thayer via Public<br><b>Sent:</b> Thursday, June 21, 2018 6:24 PM<br><b>To:</b> CA/Browser Forum Public Discussion List <public@cabforum.org><br><b>Subject:</b> Re: [cabfpub] [EXTERNAL] Reviving Ballot 213 - Revocation Timeline Extension<o:p></o:p></p></div></div><p class=MsoNormal><o:p> </o:p></p><div><div><p class=MsoNormal>Our discussion of this proposal at the F2F uncovered two issues:<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>1. A minor update to section 4.9.5 clarifying that the report the CA must produce within 24 hours of receiving a problem report is meant to be a report on the current status of their investigation. This is now described as a "preliminary report". [1]<o:p></o:p></p></div><div><p class=MsoNormal>2. A long discussion [2] about removing revocation reason 4.9.1.1(4): The CA obtains evidence that the Certificate was misused; The scope of this change (including Geoff's observation about the definition of key compromise and the desire to allow use/misuse to be defined in accordance with RFC 3647) is big enough that I've decided to leave those changes for a separate ballot (that I will propose unless someone else beats me to it).<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>Are two members willing to endorse the current ballot proposal [3]?<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>I will convert this to a formal ballot and begin the discussion period after the July 2nd governance change.<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>Thanks,<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>Wayne<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>[1] <a href="https://github.com/wthayer/documents/commit/0a214f0bb5a09db4d12e2dc6f19463dcdef6c82a" target="_blank">https://github.com/wthayer/documents/commit/0a214f0bb5a09db4d12e2dc6f19463dcdef6c82a</a><o:p></o:p></p></div><div><p class=MsoNormal>[2] <a href="https://cabforum.org/pipermail/public/2018-June/013547.html" target="_blank">https://cabforum.org/pipermail/public/2018-June/013547.html</a><o:p></o:p></p></div><div><p class=MsoNormal>[3] <a href="https://github.com/cabforum/documents/compare/master...wthayer:patch-1" target="_blank">https://github.com/cabforum/documents/compare/master...wthayer:patch-1</a><o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p><div><div><p class=MsoNormal>On Thu, May 17, 2018 at 1:17 AM Kirk Hall <<a href="mailto:Kirk.Hall@entrustdatacard.com" target="_blank">Kirk.Hall@entrustdatacard.com</a>> wrote:<o:p></o:p></p></div><blockquote style='border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in'><div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='color:#1F497D'>I will add this to the Agenda for the F2F plenary session in London</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='color:#1F497D'> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><b>From:</b> Public [mailto:<a href="mailto:public-bounces@cabforum.org" target="_blank">public-bounces@cabforum.org</a>] <b>On Behalf Of </b>Wayne Thayer via Public<br><b>Sent:</b> Wednesday, May 16, 2018 1:00 PM<br><b>To:</b> CA/Browser Forum Public Discussion List <<a href="mailto:public@cabforum.org" target="_blank">public@cabforum.org</a>><br><b>Subject:</b> [EXTERNAL][cabfpub] Reviving Ballot 213 - Revocation Timeline Extension<o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p><div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>Lat year, Jeremy proposed changes to section 4.9 of the BRs. I'd like to revive that discussion with the following ballot proposal: <a href="https://github.com/cabforum/documents/compare/master...wthayer:patch-1" target="_blank">https://github.com/cabforum/documents/compare/master...wthayer:patch-1</a><o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>Summary of Changes:<o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>* The first change creates a tiered timeline for revocations. The most critical "reasons" still require revocation within 24 hours, but for many others 24 hours becomes a SHOULD and the CA has 5 days before they MUST revoke. This was the original motivation for the ballot, due in part to last year's wave of misissued certs identified by linting tools.<o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>* A new critical (24 hour) "reason for revocation" was added to address the fact that there is currently no requirement for CAs to revoke a certificate when requested by the domain name registrant. After considering some more specific language that required CAs to follow 3.2.2.4 to validate domain control, I settled on the following more general "reason": "<span class=m-5999786589228784968gmail-m2362908302630538494gmail-m3362260135795645707gmail-blob-code-inner>The CA obtains evidence that the validation of domain authorization or control for any Fully-Qualified Domain Name or IP address in the Certificate should not be relied upon</span>."<o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>* Reason #10 states "<span class=m-5999786589228784968gmail-m2362908302630538494gmail-m3362260135795645707gmail-blob-code-inner>The CA determines that any of the information appearing in the Certificate is inaccurate</span><span class=m-5999786589228784968gmail-m2362908302630538494gmail-m3362260135795645707gmail-x> or misleading</span><span class=m-5999786589228784968gmail-m2362908302630538494gmail-m3362260135795645707gmail-blob-code-inner>;</span>" This ballot removes "or misleading" because that is a subjective judgement that could effectively be used to justify censorship, as discussed at length in relation to the "Stripe, Inc of Kentucky" EV certificates. [1]<o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>* Current reasons #11 and #13 were removed from the section on subscriber certificates because they address cases where the intermediate and/or root must be revoked, so there isn't much sense (and some possible harm) in requiring revocation of all the leaf certs.<o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>* It requires CAs to disclose their problem reporting mechanisms in a standard location: CPS section 1.5.2.<o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>* Within 24 hours of receiving a problem report, the CA is now required to report back to both the entity reporting the problem and the Subscriber on the CA's findings, and to work with the reporter to establish a date by which the CA will revoke the certificate.<o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>This proposal has already been the subject of some debate on GitHub [2]. I encourage you to review that and last year's discussions [3][4][5] on this list.<o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>I would appreciate your review and feedback on this proposal.<o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>I think this is a good topic for the London meeting - Kirk, can we reserve a slot during the plenary session?<o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>Thanks,<o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>Wayne<o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>[1] <a href="https://groups.google.com/d/msg/mozilla.dev.security.policy/NjMmyA6MxN0/Kj9T8WQ1CQAJ" target="_blank">https://groups.google.com/d/msg/mozilla.dev.security.policy/NjMmyA6MxN0/Kj9T8WQ1CQAJ</a><o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>[2] <a href="https://github.com/wthayer/documents/pull/1#discussion_r185324648" target="_blank">https://github.com/wthayer/documents/pull/1#discussion_r185324648</a><o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>[3] <a href="https://cabforum.org/pipermail/public/2017-August/thread.html#11880" target="_blank">https://cabforum.org/pipermail/public/2017-August/thread.html#11880</a><o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>[4]<a href="https://cabforum.org/pipermail/public/2017-September/thread.html#11880" target="_blank">https://cabforum.org/pipermail/public/2017-September/thread.html#11880</a><o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>[5]<a href="https://cabforum.org/pipermail/public/2017-October/thread.html#12290" target="_blank">https://cabforum.org/pipermail/public/2017-October/thread.html#12290</a><o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p></div></div></div></div></blockquote></div></div></div></div></div></body></html>