<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
Happy New Year everyone :-)<br>
<br>
<br>
<div class="moz-cite-prefix">On 16/12/2021 12:10 AM, Aaron Gable
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:CAEmnErdX4qGAh-c6Rkd9dhc0ot39OoWq8BD8NSAPj0hukwx9zA@mail.gmail.com">
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<div dir="ltr">I'd love a little more information on this
difficulty.<br>
<br>
<div>The standard crontab syntax has never supported "perform
this task every X months" even for X &lt;= 12; it has only
ever supported "perform this task in months X,Y, and Z", where
those are integers representing January through December. You
can say something <i>that looks like</i> "do this every 12
months", but that actually means "do this in months <i>divisible
by 12</i>", i.e. every December.</div>
</div>
</blockquote>
<br>
<p>It's complicated; it depends on whether the period is divisible by 2, 3,
4, 6 or not.<br>
</p>
<p>You can have a crontab entry of "<font face="monospace">0 0 1 2/3
* task</font>" to "do this task <b>every</b> 3 months starting
in February", i.e. at months 2, 5, 8, 11, 2,...<br>
</p>
<p>But if you have a crontab entry of "<font face="monospace">0 0 1 2/5
* task</font>", it will mean "do this task at months 2, 7, 12, 2,
...".<br>
</p>
<br>
<blockquote type="cite"
cite="mid:CAEmnErdX4qGAh-c6Rkd9dhc0ot39OoWq8BD8NSAPj0hukwx9zA@mail.gmail.com">
<div dir="ltr">
<div><br>
</div>
<div>A task to update CRLs which is scheduled to occur every Jan
1st abides by the new requirements (once every 367 days) just
as easily as it abided by the old requirements (once every 12
months).<br>
</div>
</div>
</blockquote>
<br>
If you need to perform an offline ceremony every 1st of November,
then with the 367 days it is fairly easy to miss a deadline because
a key person might be on sick leave, it might fall on a non-working day
(e.g. Sunday), etc. This means that you would be forced to drift and
set the ceremony every 11 months for safety (above and beyond).<br>
<br>
When a requirement mentions that a DR test must be performed
annually and the last test was performed in December 2020 after
getting an alert Dec 1, 2020, you still want the alert to be sent
Dec 1 2021 because the company knows that "December is the DR-Test
month". Sending the alert every "11 months" for safety, will shift
annually scheduled tasks to other periods of time that may not be
convenient for the CA because, for example, November has other
scheduled priorities. This continuous "drift" probably doesn't make
too much sense for everything. Similarly, when the NSRs ask for
tasks to be performed every 31 days it means you can schedule it on
the first day of each month without any issues. This "drifting"
issue will produce more problems.<br>
<br>
The SCWG documents have survived the repetitive events all these
years with only one challenge for the NSRs' periodic events. We
addressed that in <a
href="https://cabforum.org/2017/08/31/ballot-210-misc-changes-network-certificate-system-security-requirements/"
moz-do-not-send="true">ballot 210</a>. I recall the discussions
being around the "30 days" being unreasonably strict, causing task
drifts for no good reason. CAs needed the flexibility for scheduling
those tasks and Browsers were ok with that flexibility since there
was no significant security benefit for requiring something every 30
days instead of "every month".<br>
<br>
It would be interesting and very useful if the proposers of the
ballot could provide an example of other industries that have
adopted this drifting practice, for example performing "annual"
tasks every "11 months".<br>
<br>
A solution to this problem would be for the ballot to allow an
additional 10% for every "daily", "monthly", "yearly". In the worst
case, this would allow a yearly event to be scheduled for November
1st and have a full month leeway for possible set-backs. Would
people support this change?<br>
<br>
We also noticed that the ballot has 2 definitions of "hour":
<ol>
<li>"a difference of 3,600 seconds shall be equal to one hour" (in section 1.6.4).</li>
<li>"an hour is measured as 3,600 seconds" (in section 4.9.10).</li>
</ol>
<p>and 4 definitions of "day":</p>
<ol>
<li>"a difference of 86,400 seconds shall be equal to one day, ignoring leap seconds" (in section 1.6.4).</li>
<li>"a day is measured as 86,400 seconds, ignoring leap seconds." (in section 4.9.10).</li>
<li>"a day is measured as 86,400 seconds." (in section 6.3.2).</li>
<li>"a day is measured as 86,400 seconds, ignoring leap seconds." (in section 6.3.2).</li>
</ol>
<p>The "ignoring leap seconds" is not necessary, since the
definition uses an exact number of seconds.
Repeating identical or rephrased definitions is unnecessary and
would increase the risk of misinterpretation.</p>
<p>Using the ballot definition of day as a "<a
href="https://en.wikipedia.org/wiki/Non-SI_units_mentioned_in_the_SI">unit
of measure</a>" (86400 SI seconds), "performing a task twice, 1 day and 1
second apart", i.e. 86401 seconds apart, <b>is not</b>
"daily".</p>
<br>
Dimitris.<br>
<br>
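<p>The following is an added example (not code from the thread or from any CA/Browser Forum document): it expands a cron month field such as "2/3" or "2/5" into the months it matches, lays the firings out on a calendar and measures the gaps between them in 86,400-second days, the unit the ballot defines, so the uneven intervals described above and the "1 day and 1 second apart is not daily" point can be checked directly. It assumes that "start/step" in the month field behaves as "start-12/step"; whether a given cron does this should be verified against its documentation.</p>

```python
"""Added example, not from the thread: expand a vixie-cron style month field and
measure the gaps between firings in 86,400-second days, as the ballot defines them.
Assumption: "start/step" in the month field is expanded as "start-12/step"."""
from datetime import datetime, timezone

DAY_SECONDS = 86_400  # ballot text: a difference of 86,400 seconds equals one day

def expand_month_field(field: str) -> list[int]:
    """Months (1-12) matched by one cron month field such as "2/3", "3-9", "1,7" or "*"."""
    months: set[int] = set()
    for part in field.split(","):
        step = 1
        if "/" in part:
            part, step_text = part.split("/", 1)
            step = int(step_text)
        if part == "*":
            lo, hi = 1, 12
        elif "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
        else:
            lo = int(part)
            hi = 12 if step > 1 else lo  # "2/5" behaves as "2-12/5" (assumption, see above)
        if not (1 <= lo <= hi <= 12) or step < 1:
            raise ValueError(f"bad month field: {field!r}")
        months.update(range(lo, hi + 1, step))
    return sorted(months)

def firing_times(field: str, start_year: int, years: int, day: int = 1) -> list[datetime]:
    """Midnight UTC on `day` of every matched month, i.e. the entry "0 0 <day> <field> *"."""
    return [datetime(year, month, day, tzinfo=timezone.utc)
            for year in range(start_year, start_year + years)
            for month in expand_month_field(field)]

def gaps_in_days(times: list[datetime]) -> list[float]:
    """Gap between consecutive firings, measured in ballot-defined days."""
    return [(b - a).total_seconds() / DAY_SECONDS for a, b in zip(times, times[1:])]

def within_max_interval(times: list[datetime], max_days: int) -> bool:
    """True when no gap exceeds max_days * 86,400 s; a single extra second already fails."""
    return all((b - a).total_seconds() <= max_days * DAY_SECONDS
               for a, b in zip(times, times[1:]))

def parse_utc(text: str) -> datetime:
    """Parse an ISO 8601 timestamp such as "2022-01-02T00:00:01" as UTC."""
    return datetime.fromisoformat(text).replace(tzinfo=timezone.utc)

if __name__ == "__main__":
    for field in ("2/3", "2/5"):  # the two entries discussed in the thread
        print(field, expand_month_field(field), gaps_in_days(firing_times(field, 2021, 2)))
    yearly = firing_times("11", 2021, 4)  # 1 November each year, 2021-2024
    print("367-day rule met by a yearly Nov 1 task:", within_max_interval(yearly, 367))
    pair = [parse_utc("2022-01-01T00:00:00"), parse_utc("2022-01-02T00:00:01")]
    print("1 day + 1 second apart counts as daily:", within_max_interval(pair, 1))
```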
<blockquote type="cite"
cite="mid:CAEmnErdX4qGAh-c6Rkd9dhc0ot39OoWq8BD8NSAPj0hukwx9zA@mail.gmail.com">
<div dir="ltr">
<div><br>
</div>
<div>Just because a requirement is specified to the precision of
seconds does not mean that the systems which abide by that
requirement need to be specified at the same precision -- they
simply need to abide by it. A process which occurs every 11
months will trivially abide by a 367-day requirement, no
matter what level of precision those months are measured to.</div>
<div><br>
</div>
<div>Aaron</div>
</div>
<br>
<div class="gmail_quote">
<div dir="ltr" class="gmail_attr">On Wed, Dec 15, 2021 at 5:06
AM Wendy Brown - QT3LB-C via Servercert-wg &lt;<a
href="mailto:servercert-wg@cabforum.org"
moz-do-not-send="true" class="moz-txt-link-freetext">servercert-wg@cabforum.org</a>&gt;
wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div dir="ltr">although not a voting member - I agree with
Dimitris <br clear="all">
<div>
<p>Wendy</p>
<p>Wendy Brown<br>
Supporting GSA FPKI<br>
Protiviti Government Services</p>
<p>703-965-2990 (cell)</p>
<p><a href="mailto:wendy.brown@gsa.gov" target="_blank"
moz-do-not-send="true" class="moz-txt-link-freetext">wendy.brown@gsa.gov</a><br>
<a href="mailto:wendy.brown@protiviti.com" target="_blank"
moz-do-not-send="true" class="moz-txt-link-freetext">wendy.brown@protiviti.com</a></p>
</div>
<br>
</div>
<br>
<div class="gmail_quote">
<div dir="ltr" class="gmail_attr">On Wed, Dec 15, 2021 at
12:51 AM Dimitris Zacharopoulos (HARICA) via Servercert-wg
&lt;<a href="mailto:servercert-wg@cabforum.org"
target="_blank" moz-do-not-send="true"
class="moz-txt-link-freetext">servercert-wg@cabforum.org</a>&gt;
wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left:1px solid
rgb(204,204,204);padding-left:1ex">
<div> <br>
HARICA disagrees with adding the following text to the
Baseline Requirements:<br>
<br>
<i><span><span>"**Effective 2022-06-01:**</span> For
purposes of computing differences, a difference of
3,600 seconds shall be equal to one hour, and a
difference of 86,400 seconds shall be equal to one
day, ignoring leap seconds. Any amount of time
greater than this, including fractional seconds,
shall represent an additional unit of measure, such
as an additional hour or additional day."</span></i><br>
<br>
My team has advised me that when using the standard
(vixie) cron, an admin cannot state that an action must
take place:<br>
<ul>
<li>every x minutes, for x&gt;60</li>
<li>every x hours, for x&gt;24</li>
<li>every x days, for x&gt;1</li>
<li>every x months, for x&gt;12</li>
</ul>
An admin would need to create custom scripts to overcome
these problems, thus creating a possibility of human
error. It is also not possible to specify seconds. This
is just one of the tools that can be used by admins.
Windows has the same limitations in the "tasks"
scheduling tool.<br>
<br>
This is a very simple indication that such a change in
the requirements will require significant analysis and
implementation effort by all CAs without good
justification.<br>
<br>
HARICA still doesn't see a clear benefit from
generalizing the expectation that all time intervals in
the BRs, EVGs, NetSec should be evaluated at the level
of 1 second which is an "expensive" compliance
obligation and should be applied/enforced in areas where
it is really needed. The necessity may come from
interoperability risks as we have seen for the validity
of certificates and OCSP/CRL. If other areas seem
appropriate for this level of accuracy, we should
identify, justify and add to the requirements instead of
making a general requirement for such an expensive
operation.<br>
<br>
<br>
Dimitris.<br>
<br>
<div>On 2/12/2021 5:20 PM, Tim Hollebeek via
Servercert-wg wrote:<br>
</div>
<blockquote type="cite">
<div>
<p class="MsoNormal">Ballot SC-52 version 2: Specify CRL Validity Intervals in Seconds</p>
<p class="MsoNormal">Purpose of Ballot: Similar to Ballot SC-31 which modified the
specification of OCSP validity periods to be in seconds, this ballot modifies the
specification of CRL validity periods to be in seconds to avoid confusion about
exactly which periods are valid and which are not. The ballot also specifies that
other time periods should be handled the same way, which has broader impacts
throughout the document.</p>
<p class="MsoNormal">These changes should not be interpreted as implying that
missing a deadline by a few seconds is any more or less important than it
previously was. The changes are merely intended to provide additional clarity and
precision about exactly where the deadlines are.</p>
<p class="MsoNormal">The following motion has been proposed by Tim Hollebeek of
DigiCert and endorsed by Trevoli Ponds-White of Amazon and Kati Davids of GoDaddy.</p>
<p class="MsoNormal">---MOTION BEGINS---</p>
<p class="MsoNormal">This ballot modifies the “Baseline Requirements for the
Issuance and Management of Publicly-Trusted Certificates” (“Baseline
Requirements”), based on Version 1.8.0:</p>
<p class="MsoNormal">MODIFY the Baseline Requirements as specified in the
following Redline:</p>
<p class="MsoNormal"><a
href="https://github.com/cabforum/servercert/compare/cda0f92ee70121fd5d692685b97ebb6669c74fb7...2b9cf93af71233095f370cdc1d1b587166da4b07"
target="_blank" moz-do-not-send="true"
class="moz-txt-link-freetext">https://github.com/cabforum/servercert/compare/cda0f92ee70121fd5d692685b97ebb6669c74fb7...2b9cf93af71233095f370cdc1d1b587166da4b07</a></p>
<p class="MsoNormal">---MOTION ENDS---</p>
<p class="MsoNormal">This ballot proposes a Final Maintenance Guideline.</p>
<p class="MsoNormal">The procedure for approval of this ballot is as follows:</p>
<p class="MsoNormal">Discussion (7+ days)</p>
<p class="MsoNormal">Start Time: December 2, 2021 10:30 am Eastern</p>
<p class="MsoNormal">End Time: No earlier than December 9, 2021 10:30 am Eastern</p>
<p class="MsoNormal">Vote for approval (7 days)</p>
<p class="MsoNormal">Start Time: TBD</p>
<p class="MsoNormal">End Time: TBD</p>
</div>
<br>
<pre>_______________________________________________
Servercert-wg mailing list
<a href="mailto:Servercert-wg@cabforum.org" target="_blank" moz-do-not-send="true" class="moz-txt-link-freetext">Servercert-wg@cabforum.org</a>
<a href="https://lists.cabforum.org/mailman/listinfo/servercert-wg" target="_blank" moz-do-not-send="true" class="moz-txt-link-freetext">https://lists.cabforum.org/mailman/listinfo/servercert-wg</a>
</pre>
</blockquote>
<br>
</div>
</blockquote>
</div>
</blockquote>
</div>
</blockquote>
<br>
</body>
</html>