<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;
font-family:"Calibri",sans-serif;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link=blue vlink=purple><div class=WordSection1><p class=MsoNormal>> The intent here is that the CA defines this, and what they define, they follow. I agree that there's an opportunity to improve the consistency across CAs, but I think similar to SC30, or past work (e.g. CAA), the first step is to permit CAs to work through their policies as to what most appropriate means, based on the criteria they define and the guidance within RFC 5280 and, where appropriate, ITU-T X.509.<br><br><o:p></o:p></p><p class=MsoNormal>Many CAs provide the ability for Subscribers to revoke their own end-entity certificates and supply their own reasonCodes with no manual intervention by CA support personnel. In attempting to fulfill the “MUST” for selecting the most appropriate reasonCode, is the expectation that CAs must now work with the Subscriber on a per-revocation basis to determine the facts and circumstances surrounding the revocation to arrive the most appropriate reasonCode? Or can CAs continue to allow Subscribers to select their own reasonCodes (presumably from an acceptable subset of reasonCodes that can be chosen from)?<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Thanks,<o:p></o:p></p><p class=MsoNormal>Corey<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><div style='border:none;border-left:solid blue 1.5pt;padding:0in 0in 0in 4.0pt'><div><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal><b>From:</b> Ryan Sleevi <sleevi@google.com> <br><b>Sent:</b> Thursday, June 25, 2020 12:40 PM<br><b>To:</b> Corey Bonnell <CBonnell@securetrust.com>; CA/B Forum Server Certificate WG Public Discussion List <servercert-wg@cabforum.org><br><b>Subject:</b> Re: [Servercert-wg] Ballot SC31 Browser Alignment - CRL and OCSP profiles<o:p></o:p></p></div></div><p class=MsoNormal><o:p> </o:p></p><div><div><p class=MsoNormal><o:p> </o:p></p></div><p class=MsoNormal><o:p> </o:p></p><div><div><p class=MsoNormal>On Thu, Jun 25, 2020 at 12:12 PM Corey Bonnell via Servercert-wg <<a href="mailto:servercert-wg@cabforum.org">servercert-wg@cabforum.org</a>> wrote:<o:p></o:p></p></div><blockquote style='border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0in;margin-bottom:5.0pt'><div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>In giving another pass on the SC31 ballot text, I have the following questions/comments:<o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>From 7.2.2 (<a href="https://scanmail.trustwave.com/?c=4062&d=ktP03jw8Wsdzf10VIGVklQrreSN-fYkNs3wNRif2sg&s=5&u=https%3a%2f%2fgithub%2ecom%2fcabforum%2fdocuments%2fpull%2f195%2ffiles%23diff-7f6d14a20e7f3beb696b45e1bf8196f2R1986" target="_blank">https://github.com/cabforum/documents/pull/195/files#diff-7f6d14a20e7f3beb696b45e1bf8196f2R1986</a>):<o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>> The `CRLReason` indicated MUST NOT be unspecified (0), MUST NOT be certificateHold (6), and MUST indicate the most appropriate reason for revocation of the certificate.<o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>1. Does this requirement apply to end-entity certificate CRL entries? The formatting makes it appear that it does, but the Root Program requirement where this is derived from only is for CA certificates. <o:p></o:p></p></div></div></blockquote><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>So there's two parts to unpack:<o:p></o:p></p></div><div><p class=MsoNormal>A) Is the reason code required<o:p></o:p></p></div><div><p class=MsoNormal>B) If the reason code is present, what's expected<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>The attempt to answer A is<o:p></o:p></p></div><div><p class=MsoNormal><a href="https://scanmail.trustwave.com/?c=4062&d=ktP03jw8Wsdzf10VIGVklQrreSN-fYkNsyBfF3Ck4A&s=5&u=https%3a%2f%2fgithub%2ecom%2fcabforum%2fdocuments%2fpull%2f195%2ffiles%23diff-7f6d14a20e7f3beb696b45e1bf8196f2R1990-R1994">https://github.com/cabforum/documents/pull/195/files#diff-7f6d14a20e7f3beb696b45e1bf8196f2R1990-R1994</a><o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>It MUST be present for Intermediates. This comes from Microsoft.<o:p></o:p></p></div><div><p class=MsoNormal>It SHOULD be present for end-entities. This comes from browsers consuming CRLs and acting on them (Apple, Google, Mozilla), and those that prioritize reason status (Google).<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>The answer for B is<o:p></o:p></p></div><div><p class=MsoNormal><a href="https://scanmail.trustwave.com/?c=4062&d=ktP03jw8Wsdzf10VIGVklQrreSN-fYkNsyELECX15Q&s=5&u=https%3a%2f%2fgithub%2ecom%2fcabforum%2fdocuments%2fpull%2f195%2ffiles%23diff-7f6d14a20e7f3beb696b45e1bf8196f2R1995-R1997">https://github.com/cabforum/documents/pull/195/files#diff-7f6d14a20e7f3beb696b45e1bf8196f2R1995-R1997</a><o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>This is profiling a SHOULD of the relevant RFCs into a MUST, and is effectively saying "Use the smallest possible encoding". If a Subscriber certificate is revoked for an unspecified reason, the "minimal encoding" is actually to omit the CRLReason entirely. It has the same semantics, but saves twelve bytes.<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>Here, this applies to *all* entries in the CRL. The prohibition on certificateHold reflects the prohibition on certificate suspension.<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><blockquote style='border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0in;margin-bottom:5.0pt'><div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>2. Given that the semantics of the X.509 reasonCodes are not well defined [1], do Root Programs have guidance on what each allowed reasonCode means and when it is most appropriate to use? Absent this, I think the “MUST” requirement should be relaxed to a “SHOULD” (or eliminated entirely) until there are commonly agreed-upon semantics for the allowed set of reasonCodes.<o:p></o:p></p></div></div></blockquote><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>The intent here is that the CA defines this, and what they define, they follow. I agree that there's an opportunity to improve the consistency across CAs, but I think similar to SC30, or past work (e.g. CAA), the first step is to permit CAs to work through their policies as to what most appropriate means, based on the criteria they define and the guidance within RFC 5280 and, where appropriate, ITU-T X.509.<o:p></o:p></p></div><div><p class=MsoNormal> <o:p></o:p></p></div><blockquote style='border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0in;margin-bottom:5.0pt'><div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>From 7.3 (<a href="https://scanmail.trustwave.com/?c=4062&d=ktP03jw8Wsdzf10VIGVklQrreSN-fYkNs3NXRnTx5A&s=5&u=https%3a%2f%2fgithub%2ecom%2fcabforum%2fdocuments%2fpull%2f195%2ffiles%23diff-7f6d14a20e7f3beb696b45e1bf8196f2R1998" target="_blank">https://github.com/cabforum/documents/pull/195/files#diff-7f6d14a20e7f3beb696b45e1bf8196f2R1998</a>):<o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>> The `CRLReason` used SHALL contain a value permitted for CRLs, as specified in Section 7.2.2.<o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>Similar to question #1 above, does this apply to OCSP responses for end-entity certificates?<o:p></o:p></p></div></div></blockquote><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal> If present, yes.<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>Similar to answer A, this is optional for end-entity certificates to be present, but when it is present, it should follow a consistent form as the CRL, since OCSP and CRLs are meant to be interchangeable to an extent.<o:p></o:p></p></div></div></div></div></div></body></html>