<div dir="ltr">That seems reasonable - we haven't even started the discussion period yet because Corey's been sending corrections on GitHub :)</div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Thu, Aug 13, 2020 at 9:53 AM Mads Egil Henriksveen <<a href="mailto:Mads.Henriksveen@buypass.no">Mads.Henriksveen@buypass.no</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div lang="NO-BOK">
<div class="gmail-m_-2313370928605245977WordSection1">
<p class="MsoNormal"><span lang="EN-US" style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)">Hi Ryan<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)"><u></u> <u></u></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)">Buypass has been working with improvements to the language in EVGL 9.8.2 to remove a possible ambiguity and to clarify
what to be included in the cabfOrganizationIdentifier extension. <u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)"><u></u> <u></u></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)">Our current proposal for improvement is a minor change and as this ballot addresses clarification for language that has
been viewed as ambiguous, we suggest to include our proposal in this ballot. We acknowledge that this change may be too late in the process for this ballot.
<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)"><u></u> <u></u></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)">We propose to change the last paragraph of EVGL 9.8.2 from:<u></u><u></u></span></p>
<p class="MsoNormal" style="text-indent:35.4pt"><span lang="EN-US" style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)">“where the subfields and have the same meanings and restrictions described in Section 9.2.8.
The CA SHALL validate the contents using the requirements in Section 9.2.8.“<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)">to<u></u><u></u></span></p>
<p class="MsoNormal" style="text-indent:35.4pt"><span lang="EN-US" style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)">“where the subfields have the same values, meanings and restrictions described in Section 9.2.8.
The CA SHALL validate the contents using the requirements in Section 9.2.8.”<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)"><u></u> <u></u></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)">Regards<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)">Mads<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)"><u></u> <u></u></span></p>
<p class="MsoNormal"><b><span lang="EN-US" style="font-size:11pt;font-family:Calibri,sans-serif">From:</span></b><span lang="EN-US" style="font-size:11pt;font-family:Calibri,sans-serif"> Servercert-wg <<a href="mailto:servercert-wg-bounces@cabforum.org" target="_blank">servercert-wg-bounces@cabforum.org</a>>
<b>On Behalf Of </b>Ryan Sleevi via Servercert-wg<br>
<b>Sent:</b> torsdag 6. august 2020 18:57<br>
<b>To:</b> CA/B Forum Server Certificate WG Public Discussion List <<a href="mailto:servercert-wg@cabforum.org" target="_blank">servercert-wg@cabforum.org</a>><br>
<b>Subject:</b> [Servercert-wg] Ballot SC##: Cleanups and Clarifications<u></u><u></u></span></p>
<p class="MsoNormal"><u></u> <u></u></p>
<div>
<p class="MsoNormal">Per our call today, I've created draft versions of the Cleanups and Clarifications ballot and opened them as PRs in the main CA/Browser Forum repository<u></u><u></u></p>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<p class="MsoNormal">I'm seeking two endorsers for this ballot. <u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<p class="MsoNormal"><a href="https://eur04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fcabforum%2Fdocuments%2Fpull%2F207&data=02%7C01%7C%7C88d6160f7cdf4956a68a08d83a29ef0d%7C57919b2e6d5b40b9a34a55bddb02dfee%7C0%7C0%7C637323299089262280&sdata=foXC0r%2FIMu0r1t4juU7%2FHenwSRoSoPdTdp8xWeS5j%2BU%3D&reserved=0" target="_blank">https://github.com/cabforum/documents/pull/207</a> is
the version of the ballot against the completed SC30 and SC31 (i.e. assuming no IP exclusions are filed that necessitate the formation of a PAG). That is, this is the version folks "should" review.<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"> - <a href="https://eur04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fcabforum%2Fdocuments%2Fpull%2F208&data=02%7C01%7C%7C88d6160f7cdf4956a68a08d83a29ef0d%7C57919b2e6d5b40b9a34a55bddb02dfee%7C0%7C0%7C637323299089272232&sdata=0gqvbAtn7bvKHRry413Cev1GLKqFBHej9PUiffos4HI%3D&reserved=0" target="_blank">https://github.com/cabforum/documents/pull/208</a> is
the version **without** SC30 and SC31. It's provided in the event something happens re: SC30/SC31, but will almost certainly be closed without action assuming all is well with those ballots.<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<p class="MsoNormal">I am copy/pasting the description of changes and their explanation from the PR at the bottom of this e-mail, although certainly viewing it on the PR is likely easier for folks.<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<p class="MsoNormal">=============<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal">Purpose of Ballot:<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<p class="MsoNormal">This ballot attempts to fix the numerous typographical and editorial issues that have been identified in the SCWG documents ("spring cleanup"), such as incorrect section references, expired effective dates, or spelling and grammatical mistakes.
Additionally, it attempts to provide guidance and clarification for language that has been viewed as ambiguous, multiple, or conflicting interpretations.<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<p class="MsoNormal">CAs SHOULD carefully review each change, to ensure no normative impact upon their CA operations and practices that may have resulted from these ambiguities and consistency issues.<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<p class="MsoNormal">The following motion has been proposed by Ryan Sleevi of Google and endorsed by xxx of yyy and xxx of yyy.<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<p class="MsoNormal">-- MOTION BEGINS --<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<p class="MsoNormal">This ballot modifies the "Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates" ("Baseline Requirements"), based on Draft Version 1.7.x with SC30 and SC31:<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<p class="MsoNormal">MODIFY the Baseline Requirements as defined in the following redline:<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"><a href="https://eur04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fcabforum%2Fdocuments%2Fcompare%2F1e0f7662c909c983bc4f534469fb0f01a5120f39...6bf0eec61a8ba4d9f97e33134da09ef4d2936b5c&data=02%7C01%7C%7C88d6160f7cdf4956a68a08d83a29ef0d%7C57919b2e6d5b40b9a34a55bddb02dfee%7C0%7C0%7C637323299089272232&sdata=ZbCEihhKqDiH%2FzKKqAGsLwHY6GFoOhJxKi2b%2Bd0aPQo%3D&reserved=0" target="_blank">https://github.com/cabforum/documents/compare/1e0f7662c909c983bc4f534469fb0f01a5120f39...6bf0eec61a8ba4d9f97e33134da09ef4d2936b5c</a><u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<p class="MsoNormal">This ballot modifies the "Guidelines for the Issuance and Management of Extended Validation Certificates" ("EV Guidelines") as follows, based on Draft Version 1.7.x with SC30 and SC31:<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<p class="MsoNormal">MODIFY the EV Guidelines as defined in the following redline:<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"><a href="https://eur04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fcabforum%2Fdocuments%2Fcompare%2F1e0f7662c909c983bc4f534469fb0f01a5120f39...6bf0eec61a8ba4d9f97e33134da09ef4d2936b5c&data=02%7C01%7C%7C88d6160f7cdf4956a68a08d83a29ef0d%7C57919b2e6d5b40b9a34a55bddb02dfee%7C0%7C0%7C637323299089272232&sdata=ZbCEihhKqDiH%2FzKKqAGsLwHY6GFoOhJxKi2b%2Bd0aPQo%3D&reserved=0" target="_blank">https://github.com/cabforum/documents/compare/1e0f7662c909c983bc4f534469fb0f01a5120f39...6bf0eec61a8ba4d9f97e33134da09ef4d2936b5c</a><u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<p class="MsoNormal">The above modifications assumes the successful completion of the IP review period of Ballots SC30 and SC31, as announced at <a href="https://eur04.safelinks.protection.outlook.com/?url=https%3A%2F%2Farchive.cabforum.org%2Fpipermail%2Fservercert-wg%2F2020-July%2F002117.html&data=02%7C01%7C%7C88d6160f7cdf4956a68a08d83a29ef0d%7C57919b2e6d5b40b9a34a55bddb02dfee%7C0%7C0%7C637323299089282189&sdata=1qGqbGN9pp5T%2BM9dTcxwLeAHP3zlcnmbfu67MEcuWHQ%3D&reserved=0" target="_blank">https://archive.cabforum.org/pipermail/servercert-wg/2020-July/002117.html</a> ,
and reflect changes to overlapping sections on that assumption. Per CA/Browser Forum Bylaws 2.4(10), should those ballots fail to be finally adopted, the following modifications shall be made, as based upon the Version 1.7.0 of the Baseline Requirements and
1.7.2 of the EV Guidelines, as accounting for changes within these overlapping sections:<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<div>
<p class="MsoNormal">MODIFY the Baseline Requirements as defined in the following redline:<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"><a href="https://eur04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fcabforum%2Fdocuments%2Fcompare%2F5f804ccd4a202036a9868d1c43849e43e4c4853d...9cb110f792228d8ac5d618a32a39767d0b24d679&data=02%7C01%7C%7C88d6160f7cdf4956a68a08d83a29ef0d%7C57919b2e6d5b40b9a34a55bddb02dfee%7C0%7C0%7C637323299089282189&sdata=bCf9jxNUXh%2FgmjpvZAhVNwzojdTITZFfjGT%2BvGOHH3M%3D&reserved=0" target="_blank">https://github.com/cabforum/documents/compare/5f804ccd4a202036a9868d1c43849e43e4c4853d...9cb110f792228d8ac5d618a32a39767d0b24d679</a><u></u><u></u></p>
</div>
</div>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<p class="MsoNormal">MODIFY the EV Guidelines as defined in the following redline:<u></u><u></u></p>
</div>
<div>
<div>
<div>
<p class="MsoNormal"><a href="https://eur04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fcabforum%2Fdocuments%2Fcompare%2F5f804ccd4a202036a9868d1c43849e43e4c4853d...9cb110f792228d8ac5d618a32a39767d0b24d679&data=02%7C01%7C%7C88d6160f7cdf4956a68a08d83a29ef0d%7C57919b2e6d5b40b9a34a55bddb02dfee%7C0%7C0%7C637323299089292145&sdata=CW5%2BFVhNZ%2F065wVNlqJmrqY%2B0I1fQb4jyFrYL%2BZZXOY%3D&reserved=0" target="_blank">https://github.com/cabforum/documents/compare/5f804ccd4a202036a9868d1c43849e43e4c4853d...9cb110f792228d8ac5d618a32a39767d0b24d679</a><u></u><u></u></p>
</div>
</div>
</div>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<p class="MsoNormal">-- MOTION ENDS --<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<p class="MsoNormal">This ballot proposes two Final Maintenance Guidelines.<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"><br>
The procedure for approval of this ballot is as follows:<br>
<br>
Discussion (7+ days)<br>
Start Time: TBD<br>
End Time: TBD<br>
<br>
Vote for approval (7 days)<br>
Start Time: TBD<br>
End Time: TBD<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<p class="MsoNormal">Description from the PR:<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<p class="MsoNormal"># Overview<br>
<br>
This ballot attempts to fix the numerous typographical and editorial issues that have been identified in the SCWG documents ("spring cleanup"), such as incorrect section references, expired effective dates, or spelling and grammatical mistakes. Additionally,
it attempts to provide guidance and clarification for language that has been viewed as ambiguous, multiple, or conflicting interpretations.<br>
<br>
## Changes<br>
### EV Guidelines<br>
* The "Subject Organization Identifier Extension" is not a defined term, and is corrected to "CA/Browser Forum Organization Identifier Extension" throughout (
<a href="https://eur04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fcabforum%2Fdocuments%2Fissues%2F152&data=02%7C01%7C%7C88d6160f7cdf4956a68a08d83a29ef0d%7C57919b2e6d5b40b9a34a55bddb02dfee%7C0%7C0%7C637323299089292145&sdata=20xDGbpAKvNqJdSzMRlZrEXS9bdMX5rtlTf0jObtiOQ%3D&reserved=0" target="_blank">
https://github.com/cabforum/documents/issues/152</a> )<br>
* The effective dates in Section 8.2.2 have been removed, as the last effective date was 31 May 2018. (
<a href="https://eur04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fcabforum%2Fdocuments%2Fissues%2F161&data=02%7C01%7C%7C88d6160f7cdf4956a68a08d83a29ef0d%7C57919b2e6d5b40b9a34a55bddb02dfee%7C0%7C0%7C637323299089292145&sdata=6U5SfPuwxIlskiVY8NsN9RppH61zCtDB44FpYg01%2FjE%3D&reserved=0" target="_blank">
https://github.com/cabforum/documents/issues/161</a> ) <br>
* Section 9.8.2 misspelled "Forum" as "Form"<br>
* The effective date in Section 9.8.2 has been removed, as it was effective 31 January 2020 (
<a href="https://eur04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fcabforum%2Fdocuments%2Fissues%2F161&data=02%7C01%7C%7C88d6160f7cdf4956a68a08d83a29ef0d%7C57919b2e6d5b40b9a34a55bddb02dfee%7C0%7C0%7C637323299089302105&sdata=VKMvUl8ybQKOduRQcAH%2BGqJXOB4J7lebqVU52D%2FIBhk%3D&reserved=0" target="_blank">
https://github.com/cabforum/documents/issues/161</a> )<br>
* Section 11.12.2 is corrected to point to the latest IFAC and BIS lists ( <a href="https://eur04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fcabforum%2Fdocuments%2Fissues%2F76&data=02%7C01%7C%7C88d6160f7cdf4956a68a08d83a29ef0d%7C57919b2e6d5b40b9a34a55bddb02dfee%7C0%7C0%7C637323299089302105&sdata=yJ1K5atnOVMZ59Su1E6hXe8SWjrzI0ICLf8NOwOQPSI%3D&reserved=0" target="_blank">
https://github.com/cabforum/documents/issues/76</a> )<br>
* Appendix H is corrected to refer to Section 9.8.2, not Section 9.8.1 ( <a href="https://eur04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fcabforum%2Fdocuments%2Fissues%2F152&data=02%7C01%7C%7C88d6160f7cdf4956a68a08d83a29ef0d%7C57919b2e6d5b40b9a34a55bddb02dfee%7C0%7C0%7C637323299089312063&sdata=uBPFoPTTRgMJPmHMTWca96fERZY2uJUbONR13n9cHyw%3D&reserved=0" target="_blank">
https://github.com/cabforum/documents/issues/152</a> )<br>
<br>
### Baseline Requirements<br>
* The references to CAA are updated to refer to RFC 8659, which incorporates CABF feedback (
<a href="https://eur04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fcabforum%2Fdocuments%2Fissues%2F168&data=02%7C01%7C%7C88d6160f7cdf4956a68a08d83a29ef0d%7C57919b2e6d5b40b9a34a55bddb02dfee%7C0%7C0%7C637323299089312063&sdata=8uukJQw%2BGmQmUtKetoQ%2Bt2H%2BZQKcGsY5DP4lvXsPA%2Fw%3D&reserved=0" target="_blank">
https://github.com/cabforum/documents/issues/168</a> ).<br>
* Note: This removes Appendix A, and renumbers accordingly<br>
* 3.2.2.4.6's language on sunset/effective date is brought into consistency with our other sections in 3.2.2.4 on sunsets. (
<a href="https://eur04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fcabforum%2Fdocuments%2Fissues%2F163&data=02%7C01%7C%7C88d6160f7cdf4956a68a08d83a29ef0d%7C57919b2e6d5b40b9a34a55bddb02dfee%7C0%7C0%7C637323299089312063&sdata=pWMMAsBM5qw9aEu0fU6wCdIc84TehXdocedjiQm5ElU%3D&reserved=0" target="_blank">
https://github.com/cabforum/documents/issues/163</a> )<br>
* An incorrect reference to 3.2.5 in Section 3.2.2.5 has been fixed to say Section 3.2.2.5 (
<a href="https://eur04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fcabforum%2Fdocuments%2Fissues%2F155&data=02%7C01%7C%7C88d6160f7cdf4956a68a08d83a29ef0d%7C57919b2e6d5b40b9a34a55bddb02dfee%7C0%7C0%7C637323299089322018&sdata=9CtvhkLVv400bEgEpxRc71wIAa3huCmeUWkQEDc0eqU%3D&reserved=0" target="_blank">
https://github.com/cabforum/documents/issues/155</a> )<br>
* A typo in Section 7.1.5 is fixed ("compliancy" -> "compliance") ( <a href="https://eur04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fcabforum%2Fdocuments%2Fissues%2F159&data=02%7C01%7C%7C88d6160f7cdf4956a68a08d83a29ef0d%7C57919b2e6d5b40b9a34a55bddb02dfee%7C0%7C0%7C637323299089322018&sdata=elZ1c6IBTIhzJ3pieu2QfI%2F9E92kemp8i21bKkL6i5Q%3D&reserved=0" target="_blank">
https://github.com/cabforum/documents/issues/159</a> )<br>
* The handling of Certificate Policy OIDs for Intermediates/Roots is restructured, so that it's clear that their presence in a Subordinate/Root makes them subject to the BRs (and EVGs, if appropriate), but their presence in a Subscriber certificate make them
subject to the certificate profile, and in particular, the Subject profile (e.g. DV/OV/IV/EV) (
<a href="https://eur04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fcabforum%2Fdocuments%2Fissues%2F179&data=02%7C01%7C%7C88d6160f7cdf4956a68a08d83a29ef0d%7C57919b2e6d5b40b9a34a55bddb02dfee%7C0%7C0%7C637323299089322018&sdata=UyCD3RC5hI2o1Qk08xHMpRs8hBZXzmW4RccfvwSDcFo%3D&reserved=0" target="_blank">
https://github.com/cabforum/documents/issues/179</a> )<br>
<br>
## Revocation Clarifications<br>
The following are an attempt to clarify the logical consequences of the various policies surrounding weak and compromised keys (
<a href="https://eur04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fcabforum%2Fdocuments%2Fissues%2F164&data=02%7C01%7C%7C88d6160f7cdf4956a68a08d83a29ef0d%7C57919b2e6d5b40b9a34a55bddb02dfee%7C0%7C0%7C637323299089331976&sdata=nKdNlkF8QRFZcwSn8uJYwhm5%2FUrrzPea51TbZn%2BoljM%3D&reserved=0" target="_blank">
https://github.com/cabforum/documents/issues/164</a> )<br>
* 4.9.1.1's revocation requirements are updated to express their logical consequences.<br>
* Namely, CAs are required to revoke a certificate within 24 hours if a Private Key has suffered a Key Compromise<br>
* Implicitly, if there is a demonstrated or proven method to easily compute the Private Key, then the private key has suffered a Key Compromise<br>
* Therefore, explicitly specify that keys using such methods also require 24 hours revocation<br>
<br>
However, keys that may have been generated with a flawed method, or there's a method which *exposes* a key to compromise (e.g. a signing oracle, Heartbleed), those remain at 5 days.<br>
<br>
The distinction between these two sets is whether the public key alone is sufficient to compromise the key; if it is, the CA MUST treat it as compromised. However, if there are other factors (e.g. it requires additional state from an RNG, requires interacting
with a service or use of the key), then those are left at 5 days, **unless** someone has already done so, at which point, it's a Key Compromise.<br>
<br>
Section 6.1.1.3 is similarly reworked, to make it clearer that if a certificate will be immediately revoked due to one of the Private Key (flawed, weak, compromised), then the CA MUST NOT issue the certificate. A CA that continually issued certificates to weak
keys, and then revoked them, effectively bypasses revocation by allowing such keys to be used for between 72 hours and 10 days (depending on the lifetime of the CRL/OCSP and response times of the CA). (
<a href="https://eur04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fcabforum%2Fdocuments%2Fissues%2F171&data=02%7C01%7C%7C88d6160f7cdf4956a68a08d83a29ef0d%7C57919b2e6d5b40b9a34a55bddb02dfee%7C0%7C0%7C637323299089331976&sdata=RDqjBcXQJxq82UnmJtfZx50OnjrbriZ7sEMyILA7R4s%3D&reserved=0" target="_blank">
https://github.com/cabforum/documents/issues/171</a> )<br>
<br>
Section 4.9.1.1 places requirements on when a CA MUST revoke certificates. These obligations are then documented within the CA's CP/CPS, either implicitly through a statement of compliance with the Baseline Requirements or explicitly through enumerating these.
However, at various points, CAs have raised concern that their Subscriber Agreement prevents them from adhering to their CP/CPS and the Baseline Requirements, because their Subscriber Agreement does not permit them to revoke as required by Section 4.9.1.1.
This updates Section 9.6.3 to instead bind the Subscriber Agreement to the CA's CP, CPS, and the Baseline Requirements, as discussed at
<a href="https://eur04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fcabforum%2Fdocuments%2Fissues%2F172&data=02%7C01%7C%7C88d6160f7cdf4956a68a08d83a29ef0d%7C57919b2e6d5b40b9a34a55bddb02dfee%7C0%7C0%7C637323299089331976&sdata=Y3QEDJr2EEO2z8Ce7xG4W4hoE%2BDNbSWzzZvcYAyVRG4%3D&reserved=0" target="_blank">
https://github.com/cabforum/documents/issues/172</a> .<br>
<br>
The existing provisions within Section 9.6.3 regarding specific uses of the certificate are then folded into this requirement, by allowing the CA's CP/CPS to detail the cases they revoke within Section 4.9.1.1, or, optionally, within their Subscriber Agreement
of Terms of Use. This ensures consistency with the primary objective, of ensuring that the Subscriber acknowledges that the CA MAY revoke the Certificate at any time, for the reasons specified by the CA.<u></u><u></u></p>
</div>
</div>
</div>
</div>
</blockquote></div>