<div dir="ltr">Thanks Wayne.<div><br></div><div>I know you're intentionally avoiding the controversial cleanups with this specific Ballot, so it will be good to have a follow-on discussion for those matters, as CAs will no doubt having to make only one update to their CP/CPS versus two. Or, differently stated, I'd hope that the argument for making two updates doesn't preclude discussion of those additional cleanups and ambiguities.</div><div><br></div><div>In reviewing this language in full, a much needed cleanup, one area that stuck out to me, and which may not need to be resolved, but worth considering, are the requirements for revocation if the CA is "made aware of a material change in the information contained in the certificate" (#6 in the 5 day range) and if the CA "determines that any of the information appearing in the Certificate is inaccurate"</div><div><br></div><div>One thing that stuck out was "made aware" versus "determines" - and whether that distinction is significant (all of the other relevant language in this section uses "made aware"). This is, admittedly, a carry over, but I'm curious if there is any significance/impact to changing this to "made aware"</div><div><br></div><div>The next thing that stuck out is determining whether "material change in the information" and "is inaccurate" are, in fact, different. Are there cases where the information is inaccurate due to an (immaterial) change? Are there material changes that don't result in inaccuracy? This couples with the above to leave it a bit messy and gray as to how the CA may classify things.<br><br></div><div>In looking at Section 9.6.1, regarding the CA's warranties, it seems our goal is to provide relying parties both assertions on the correctness of the information at the time it was issued, as well as that the information is correct on an ongoing basis (c.f. 9.6.1 (8)). In terms of predictability and clear expectations for CAs, the determination of material/immaterial, and the flexibility for determination in general, seems to set up potential conflict with the needs of Relying Parties and Subscribers, and leave CAs in a bit of the messy place that some of this ballot tries to get them sorted out from.</div><div><br></div><div><br></div><div>I hope this will prove to be uncontroversial, but the concrete suggestions I would have are:</div><div>1) Strike "material" from 4.9.1.1, p2, Item 6, to read "The CA is made aware of a change in the information contained in the certificate"</div><div>2) Change "determines" to "is made aware" in 4.9.1.1, p2, Item 8, to read "The CA is made aware that any of the information appearing in the Certificate is inaccurate."</div><div><br></div><div>This leaves both 6 and 8, with the intent that Item 8 is meant to capture if the CA made a mistake "at time of issuance" (c.f. Section 9.6.1's warranties the CA makes "at the time of issuance"), and Item 6 is meant to convey the ongoing requirement for the accuracy of information (c.f. 9.6.1's Item 8 and the objective of 9.6.3's requirements on the Subscriber to request changes). That is, this Item 6 captures if the Subscriber fails to meet their ongoing obligations, and the Item 8 captures if the CA failed to meet their initial obligations.</div><div><br></div><div>Does that sound like a reasonable (and hopefully uncontroversial) tweak? If not, then I think it may merit discussing in a separate follow-up ballot, to address the other areas of ambiguity, confusion, or arbitrariness :)</div><div><br></div></div><br><div class="gmail_quote"><div dir="ltr">On Wed, Aug 29, 2018 at 1:19 PM Wayne Thayer <<a href="mailto:wthayer@mozilla.com">wthayer@mozilla.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><br><div dir="ltr">On Wed, Aug 29, 2018 at 9:05 AM Ryan Sleevi <<a href="mailto:sleevi@google.com" target="_blank">sleevi@google.com</a>> wrote:<br><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><br><br><div class="gmail_quote"><div dir="ltr">On Wed, Aug 29, 2018 at 11:53 AM Wayne Thayer <<a href="mailto:wthayer@mozilla.com" target="_blank">wthayer@mozilla.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr">On Wed, Aug 29, 2018 at 7:33 AM Bruce Morton <<a href="mailto:Bruce.Morton@entrustdatacard.com" target="_blank">Bruce.Morton@entrustdatacard.com</a>> wrote:<br><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div dir="auto">
Works for me.
<div><br>
</div>
<div>Bruce.<br>
<div><br>
On Aug 29, 2018, at 10:29 AM, Ryan Sleevi <<a href="mailto:sleevi@google.com" target="_blank">sleevi@google.com</a>> wrote:<br>
<br>
</div>
<blockquote type="cite">
<div>
<div dir="ltr">Just to confirm: Your concern is about the CA feeling that the evidence does not meet any of the requirements to revoke, and wanting it to be clear that that is a valid outcome of a problem report, correct?
<div><br>
</div>
<div>The problem with the suggested wording (and perhaps implicit in the existing wording) is that it suggests that the period to "work with the Subscriber and any entity" is unbounded, and once a determination is made, then it must be within the bounds of
4.9.1.1's time period. That is, say, 24 hoursĀ + as much "work with" time as you want. This is because the modified wording seemingly attaches the "which MUST not" to the date in which the CA will revoke, rather than the overall process.</div>
<div><br>
</div>
<div>The CA SHALL work with the Subscriber and any entity reporting the Certificate Problem Report or other revocation-related notice to establish whether or not the certificate will be revoked, and if so, a date which the CA will revoke the certificate. The
period from report to published revocation MUST NOT exceed the time frame set forth in Section 4.9.1.1.</div>
<div><br></div></div></div></blockquote></div></div></blockquote><div>></div><div>Does "report" here mean the preliminary report on its findings, or the Certificate Problem Report? I am happy to accept this change once that is clarified.</div></div></div></blockquote><div><br></div><div>I was thinking about that on the drive in today :)</div><div><br></div><div>"The period from receipt of report or notice to published revocation" ?</div></div></div></blockquote><div><br></div><div>I made it a bit more specific: <a href="https://github.com/wthayer/documents/commit/570a80cc59cf8beb1b93ff817188f317ac2824c5" target="_blank">https://github.com/wthayer/documents/commit/570a80cc59cf8beb1b93ff817188f317ac2824c5</a><br></div><div><br></div><div>The full set of proposed changes is still at <a href="https://github.com/cabforum/documents/compare/master...wthayer:patch-1" target="_blank">https://github.com/cabforum/documents/compare/master...wthayer:patch-1</a></div><div><br></div><div>Looking to the current v1.9 of the bylaws for guidance, it appears that the change to the discussion period approved in ballot 216 [1] was never incorporated. The current bylaws state "The discussion period then shall take place for at least seven but no more than 14 calendar days before votes are cast. The proposer of the ballot will designate the length of the discussion period, and each ballot shall clearly state the start and end dates and times (including time zone) for both the discussion period and the voting period." Based on this, I plan to redo this ballot.</div><div><br></div><div>I'm assuming that the omission of the ballot 216 language in the new bylaws was a mistake. I'll plan to submit a ballot to fix that.<br></div><div><br></div><div>[1] <a href="https://cabforum.org/2017/12/21/ballot-216-update-discussion-period-process/" target="_blank">https://cabforum.org/2017/12/21/ballot-216-update-discussion-period-process/</a><br></div></div></div></div>
</blockquote></div>