<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<br>
<br>
<div class="moz-cite-prefix">On 19/11/2021 10:57 p.m., Tim Hollebeek
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:DM8PR14MB5237EFC34C040408F27DC3F9839C9@DM8PR14MB5237.namprd14.prod.outlook.com">
<div class="WordSection1">
<p class="MsoNormal">So, that’s actually a legitimate position,
and it was Corey’s original position before we added the
effective date. One of the reasons we added an effective date
was to allow CAs to have time to make adjustments in the event
that they have problems with some of the other periods that
are affected. As a practical matter, though, if you don’t
measure 24 hours or five days to revoke a certificate down to
the second, you’re already in trouble, as plenty of incidents
have already been filed for missing revocation deadlines by
fairly small time periods. So I’d advise CAs to watch those
particular ones pretty carefully.</p>
</div>
</blockquote>
<br>
I am not entirely sure I understand how enforcing "1-second
accuracy" would address the "plenty of incidents" related to
revocation deadlines. These incidents missed deadlines of entire
days, not seconds. This ballot won't help with that.<br>
<br>
<blockquote type="cite"
cite="mid:DM8PR14MB5237EFC34C040408F27DC3F9839C9@DM8PR14MB5237.namprd14.prod.outlook.com">
<div class="WordSection1">
<p class="MsoNormal">We find the consistency in having one set
of date / time rules for the entire BRs to be pretty
compelling. I think different sets of rules for different
things are more likely to cause compliance problems instead of
solving them.</p>
<p class="MsoNormal">In fact, one can argue that the reason this
ballot is necessary is because a previous effort focused too
closely on OCSP validity periods without doing a more
holistic analysis of the problem and the solution(s). If
there are actually time periods where this level of accuracy
causes problems instead of solving them, I would love to know
what those are so we can discuss and fix them. That would be
a very productive use of this discussion period.</p>
</div>
</blockquote>
<br>
The 1-second accuracy started when calculating the certificate
validity time. We then expanded it to OCSP and now to CRLs. A holistic
analysis, caused by a ballot that changes this requirement for all
time intervals, is a very time-consuming process which will take
time from compliance and engineering teams for no good security
benefit. Instead, focusing just on the CRL issuance (notBefore -
nextUpdate fields) is a very well-defined engineering problem for CA
teams to resolve in a timely manner.<br>
<br>
IMHO we have other more important ballots to pass (delegation of
Domain Validation via CNAME, Certificate Profiles) that will improve
the security of the ecosystem and we should focus our efforts, and
engineering capacity, to those areas more.<br>
<br>
<br>
Dimitris.<br>
<br>
<blockquote type="cite"
cite="mid:DM8PR14MB5237EFC34C040408F27DC3F9839C9@DM8PR14MB5237.namprd14.prod.outlook.com">
<div class="WordSection1">
<p class="MsoNormal">-Tim<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<div style="border:none;border-left:solid blue 1.5pt;padding:0in
0in 0in 4.0pt">
<div>
<div style="border:none;border-top:solid #E1E1E1
1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b>From:</b> Dimitris Zacharopoulos
(HARICA) <a class="moz-txt-link-rfc2396E" href="mailto:dzacharo@harica.gr"><dzacharo@harica.gr></a> <br>
<b>Sent:</b> Friday, November 19, 2021 2:41 PM<br>
<b>To:</b> Tim Hollebeek
<a class="moz-txt-link-rfc2396E" href="mailto:tim.hollebeek@digicert.com"><tim.hollebeek@digicert.com></a>; CA/B Forum Server
Certificate WG Public Discussion List
<a class="moz-txt-link-rfc2396E" href="mailto:servercert-wg@cabforum.org"><servercert-wg@cabforum.org></a><br>
<b>Subject:</b> Re: [Servercert-wg] Discussion Period
Begins: SC-52: Specify CRL Validity Intervals in Seconds<o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-bottom:12.0pt">Tim,<br>
<br>
I thought there was rough consensus NOT to extend the "1 sec
accuracy" to time duration requirements other than the CRL
and OCSP.<br>
<br>
For example, measuring 24 hours or 5 days to revoke a
certificate doesn't need the accuracy of a second.<br>
<br>
It's not easy to programmatically measure this level of
accuracy for every CA process. When the requirements
identify this level of accuracy (e.g. RFC 5280), it makes
sense to programmatically enforce them; otherwise it is too
painful to implement for every time measurement and produces
very little, if any, security improvement to the ecosystem.<br>
<br>
HARICA does not support the current proposal to extend the
accuracy to the entirety of the BRs (and by extension to
NetSec and EV Guidelines).<br>
<br>
<br>
Dimitris.<o:p></o:p></p>
<div>
<p class="MsoNormal">On 18/11/2021 5:43 p.m., Tim Hollebeek
via Servercert-wg wrote:<o:p></o:p></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal">Ballot SC-52: Specify CRL Validity
Intervals in Seconds</p>
<p class="MsoNormal">Purpose of Ballot: Similar to Ballot
SC-31, which modified the specification of OCSP validity
periods to be in seconds, this ballot modifies the
specification of CRL validity periods to be in seconds to
avoid confusion about exactly which periods are valid and
which are not. The ballot also specifies that other time
periods should be handled the same way, which has broader
impacts throughout the document.</p>
<p class="MsoNormal">The following motion has been proposed
by Tim Hollebeek of DigiCert and endorsed by Trevoli
Ponds-White of Amazon and Kati Davids of GoDaddy.</p>
<p class="MsoNormal">---MOTION BEGINS---</p>
<p class="MsoNormal">This ballot modifies the “Baseline
Requirements for the Issuance and Management of
Publicly-Trusted Certificates” (“Baseline Requirements”),
based on Version 1.8.0:</p>
<p class="MsoNormal">MODIFY the Baseline Requirements as
specified in the following Redline:</p>
<p class="MsoNormal"><a
href="https://github.com/cabforum/servercert/compare/cda0f92ee70121fd5d692685b97ebb6669c74fb7...0c265a673b10c460264a721214b902484c0d1c1f"
moz-do-not-send="true" class="moz-txt-link-freetext">https://github.com/cabforum/servercert/compare/cda0f92ee70121fd5d692685b97ebb6669c74fb7...0c265a673b10c460264a721214b902484c0d1c1f</a></p>
<p class="MsoNormal">---MOTION ENDS---</p>
<p class="MsoNormal">This ballot proposes a Final
Maintenance Guideline.</p>
<p class="MsoNormal">The procedure for approval of this
ballot is as follows:</p>
<p class="MsoNormal">Discussion (7+ days)<br>
Start Time: November 18, 2021 10:30am Eastern<br>
End Time: No earlier than November 25, 2021 10:30 am Eastern</p>
<p class="MsoNormal">Vote for approval (7 days)<br>
Start Time: TBD<br>
End Time: TBD</p>
<p class="MsoNormal"><br>
</p>
<pre>_______________________________________________<o:p></o:p></pre>
<pre>Servercert-wg mailing list<o:p></o:p></pre>
<pre><a href="mailto:Servercert-wg@cabforum.org" moz-do-not-send="true" class="moz-txt-link-freetext">Servercert-wg@cabforum.org</a><o:p></o:p></pre>
<pre><a href="https://lists.cabforum.org/mailman/listinfo/servercert-wg" moz-do-not-send="true" class="moz-txt-link-freetext">https://lists.cabforum.org/mailman/listinfo/servercert-wg</a><o:p></o:p></pre>
</blockquote>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</div>
</blockquote>
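<p>Added example, not part of this thread, of the ballot text, or of any CA's tooling: a stdlib-only Python check that parses the RFC 5280 Time encodings a CRL carries in its thisUpdate and nextUpdate fields and measures the interval to the second, the way the ballot proposes, alongside a coarse whole-day measurement so the two can be compared at the boundary. The maximum interval is an assumed parameter: the thread quotes no number, so EXAMPLE_MAX_INTERVAL_SECONDS is a placeholder, and the sample timestamps are constructed.</p>

```python
from datetime import datetime, timezone

# Placeholder limit for the demo: the thread quotes no maximum, so this value is assumed.
EXAMPLE_MAX_INTERVAL_SECONDS = 7 * 24 * 3600


def parse_x509_time(value: str) -> datetime:
    """Parse an RFC 5280 Time value (UTCTime YYMMDDHHMMSSZ or
    GeneralizedTime YYYYMMDDHHMMSSZ) into a timezone-aware UTC datetime."""
    if not value.endswith("Z"):
        raise ValueError("RFC 5280 requires Time values to end in 'Z': %r" % value)
    digits = value[:-1]
    if len(digits) == 12:       # UTCTime: two-digit year, RFC 5280 century rule
        yy = int(digits[:2])
        year = 1900 + yy if yy >= 50 else 2000 + yy
        rest = digits[2:]
    elif len(digits) == 14:     # GeneralizedTime: four-digit year
        year = int(digits[:4])
        rest = digits[4:]
    else:
        raise ValueError("unexpected Time length: %r" % value)
    month, day, hour, minute, second = (int(rest[i:i + 2]) for i in range(0, 10, 2))
    return datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc)


def crl_interval_seconds(this_update: str, next_update: str) -> int:
    """nextUpdate minus thisUpdate, measured to the second."""
    delta = parse_x509_time(next_update) - parse_x509_time(this_update)
    return int(delta.total_seconds())


def check_crl_interval(this_update: str, next_update: str,
                       max_seconds: int = EXAMPLE_MAX_INTERVAL_SECONDS) -> dict:
    """Report the interval both ways: in seconds (the ballot's rule) and in
    whole days (a coarse check), so a reader can see where they disagree."""
    secs = crl_interval_seconds(this_update, next_update)
    return {
        "seconds": secs,
        "whole_days": secs // 86400,
        "days_check_passes": secs // 86400 <= max_seconds // 86400,
        "seconds_check_passes": 0 < secs <= max_seconds,
    }


if __name__ == "__main__":
    # Constructed sample CRL times (UTCTime): exactly seven days, then one second over.
    for nxt in ("211126205700Z", "211126205701Z"):
        print(nxt, check_crl_interval("211119205700Z", nxt))
```

The second sample passes a whole-day comparison but fails the seconds rule by one second, which is the kind of boundary the ballot text says the change is meant to remove confusion about.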
<br>
</body>
</html>