<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<br>
<br>
<div class="moz-cite-prefix">On 7/9/2022 8:22 PM, Ben Wilson
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:CA+1gtabT9+KZRSsQXZC4zPWH6fUJwRiZKmnngx1RLZgqeDYEHQ@mail.gmail.com">
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<div dir="ltr">
<div>Good suggestion. I can re-work a proposal that re-writes BR
sec. 4.9.1.1 to re-group the revocation reasons into the
reason codes that should be used. Is that what you were
thinking? <br>
</div>
</div>
</blockquote>
<br>
Yes. We should also try to keep the current BRs prioritization. The
section begins with the cases where the Certificate(s) need to be
revoked within 24h and then moves to the 5-day revocation cases.<br>
<br>
We could walk this list down making sure that all Mozilla cases are
listed (add the ones that are not) and add the expected
revocationReason for each case. For example:<br>
<p dir="auto"><i>The CA SHALL revoke a Certificate within 24 hours
if one or more of the following occurs:</i></p>
<ol dir="auto">
<li><i>The Subscriber requests in writing that the CA revoke the
Certificate (expected CRLReason: </i><i><b>unspecified</b></i><i>);</i></li>
<li><i>The Subscriber notifies the CA that the original
certificate request was not authorized and does not
retroactively grant authorization </i><i>(expected
CRLReason: </i><i><strong>privilegeWithdrawn</strong></i><i>)</i><i>;</i></li>
<li><i>The CA obtains evidence that the Subscriber's Private Key
corresponding to the Public Key in the Certificate suffered a
Key Compromise </i><i>(expected CRLReason: </i><i><b>keyCompromise</b></i><i>)</i><i>;</i></li>
<li><i>The CA is made aware of a demonstrated or proven method
that can easily compute the Subscriber's Private Key based on
the Public Key in the Certificate (such as a Debian weak key,
see </i><i><a href="https://wiki.debian.org/SSLkeys"
rel="nofollow" class="moz-txt-link-freetext">https://wiki.debian.org/SSLkeys</a></i><i>)
</i><i>(expected CRLReason: </i><i><b>keyCompromise</b></i><i>)</i><i>;</i></li>
<li><i>The CA obtains evidence that the validation of domain
authorization or control for any Fully-Qualified Domain Name
or IP address in the Certificate should not be relied upon </i><i>(expected
CRLReason: </i><i><strong>superseded</strong></i><i>)</i><i>.</i></li>
</ol>
and so on.<br>
<br>
Does that work?<br>
<br>
Dimitris.<br>
<br>
<blockquote type="cite"
cite="mid:CA+1gtabT9+KZRSsQXZC4zPWH6fUJwRiZKmnngx1RLZgqeDYEHQ@mail.gmail.com">
<div dir="ltr">
<div>Thanks,</div>
<div>Ben<br>
</div>
</div>
<br>
<div class="gmail_quote">
<div dir="ltr" class="gmail_attr">On Wed, Sep 7, 2022 at 6:01 AM
Dimitris Zacharopoulos (HARICA) via Servercert-wg &lt;<a
href="mailto:servercert-wg@cabforum.org" target="_blank"
moz-do-not-send="true" class="moz-txt-link-freetext">servercert-wg@cabforum.org</a>&gt;
wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div> Hi Ben,<br>
<br>
I believe the proposal, as written, causes confusion with
regard to 4.9.1.1. Some of the reasons described in your
proposal are already mentioned in 4.9.1.1. Perhaps we should
work some more to "unify" the two sections.<br>
<br>
My proposal would be to update 4.9.1.1 and include the
expected CRLReason after each case.<br>
<br>
<br>
Thoughts?<br>
Dimitris.<br>
<br>
<div>On 6/9/2022 8:13 PM, Ben Wilson via Servercert-wg
wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">
<div>All,</div>
<div>I'm looking for one more endorser.</div>
<div>Thanks,</div>
<div>Ben<br>
</div>
</div>
<br>
<div class="gmail_quote">
<div dir="ltr" class="gmail_attr">On Fri, Jul 29, 2022
at 12:40 PM Ben Wilson via Servercert-wg &lt;<a
href="mailto:servercert-wg@cabforum.org"
target="_blank" moz-do-not-send="true"
class="moz-txt-link-freetext">servercert-wg@cabforum.org</a>&gt;
wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px
0px 0.8ex;border-left:1px solid
rgb(204,204,204);padding-left:1ex">
<div dir="ltr">
<div>All,</div>
<div><br>
</div>
<div>I have created a proposal in Github to
incorporate Mozilla's CRL Revocation Reason Code
requirements into the Baseline Requirements. <br>
</div>
<div><br>
</div>
<div>See <a
href="https://github.com/cabforum/servercert/issues/377"
target="_blank" moz-do-not-send="true"
class="moz-txt-link-freetext">https://github.com/cabforum/servercert/issues/377</a></div>
<div><br>
</div>
<div><a
href="https://github.com/BenWilson-Mozilla/servercert/commit/52a480803beff1f96d61c4b6d76570ac7adff4d5"
target="_blank" moz-do-not-send="true"
class="moz-txt-link-freetext">https://github.com/BenWilson-Mozilla/servercert/commit/52a480803beff1f96d61c4b6d76570ac7adff4d5</a></div>
<div><br>
</div>
<div>I'm looking for comments, suggestions, and two
endorsers.</div>
<div><br>
</div>
<div>Thanks,</div>
<div><br>
</div>
<div>Ben<br>
</div>
</div>
_______________________________________________<br>
Servercert-wg mailing list<br>
<a href="mailto:Servercert-wg@cabforum.org"
target="_blank" moz-do-not-send="true"
class="moz-txt-link-freetext">Servercert-wg@cabforum.org</a><br>
<a
href="https://lists.cabforum.org/mailman/listinfo/servercert-wg"
rel="noreferrer" target="_blank"
moz-do-not-send="true" class="moz-txt-link-freetext">https://lists.cabforum.org/mailman/listinfo/servercert-wg</a><br>
</blockquote>
</div>
<br>
</blockquote>
<br>
</div>
</blockquote>
</div>
</blockquote>
<br>
</body>
</html>