<html>
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
  </head>
  <body>
    Good point.<br>
    <br>
    s/expected/shall use/<br>
    <br>
    <div class="moz-cite-prefix">On 8/9/2022 8:26 PM, Tim Hollebeek
      wrote:<br>
    </div>
    <blockquote type="cite"
cite="mid:SJ0PR14MB548931242D03E1092F1BDE9183409@SJ0PR14MB5489.namprd14.prod.outlook.com">
      <div class="WordSection1">
        <p class="MsoNormal">I would prefer standard 2119 language
          instead of an “expectation”. There are no documented rules
          for what it means for a CRLReason to be expected to be a
          certain value.</p>
        <p class="MsoNormal"> </p>
        <p class="MsoNormal">-Tim</p>
        <p class="MsoNormal"> </p>
        <div style="border:none;border-left:solid blue 1.5pt;padding:0in
          0in 0in 4.0pt">
          <div>
            <div style="border:none;border-top:solid #E1E1E1
              1.0pt;padding:3.0pt 0in 0in 0in">
              <p class="MsoNormal"><b>From:</b> Servercert-wg
                <a class="moz-txt-link-rfc2396E" href="mailto:servercert-wg-bounces@cabforum.org"><servercert-wg-bounces@cabforum.org></a>
                <b>On Behalf Of </b>Dimitris Zacharopoulos (HARICA) via
                Servercert-wg<br>
                <b>Sent:</b> Thursday, September 8, 2022 3:21 AM<br>
                <b>To:</b> Ben Wilson <a class="moz-txt-link-rfc2396E" href="mailto:bwilson@mozilla.com"><bwilson@mozilla.com></a>; CA/B
                Forum Server Certificate WG Public Discussion List
                <a class="moz-txt-link-rfc2396E" href="mailto:servercert-wg@cabforum.org"><servercert-wg@cabforum.org></a><br>
                <b>Subject:</b> Re: [Servercert-wg] Proposal to
                Incorporate Mozilla's CRL Revocation Reason Code
                Requirements into the BRs<o:p></o:p></p>
            </div>
          </div>
          <p class="MsoNormal"><o:p> </o:p></p>
          <p class="MsoNormal" style="margin-bottom:12.0pt"><o:p> </o:p></p>
          <div>
            <p class="MsoNormal">On 7/9/2022 8:22 PM, Ben Wilson
              wrote:</p>
          </div>
          <blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
            <div>
              <div>
                <p class="MsoNormal">Good suggestion. I can re-work a
                  proposal that re-writes BR sec. 4.9.1.1 to re-group
                  the revocation reasons into the reason codes that
                  should be used. Is that what you were thinking?</p>
              </div>
            </div>
          </blockquote>
          <p class="MsoNormal"><br>
            Yes. We should also try to keep the current BRs
            prioritization. The section begins with the cases where the
            Certificate(s) need to be revoked within 24h and then moves
            to the 5-day revocation cases.<br>
            <br>
            We could walk this list down making sure that all Mozilla
            cases are listed (add the ones that are not) and add the
            expected revocationReason for each case. For example:</p>
          <p><i>The CA SHALL revoke a Certificate within 24 hours if one
              or more of the following occurs:</i></p>
          <ol type="1" start="1">
            <li class="MsoNormal">
              <i>The Subscriber requests in writing that the CA revoke
                the Certificate (expected CRLReason: <b>unspecified</b>);</i></li>
            <li class="MsoNormal">
              <i>The Subscriber notifies the CA that the original
                certificate request was not authorized and does not
                retroactively grant authorization (expected CRLReason:
                <b>privilegeWithdrawn</b>);</i></li>
            <li class="MsoNormal">
              <i>The CA obtains evidence that the Subscriber's Private
                Key corresponding to the Public Key in the Certificate
                suffered a Key Compromise (expected CRLReason: <b>keyCompromise</b>);</i></li>
            <li class="MsoNormal">
              <i>The CA is made aware of a demonstrated or proven method
                that can easily compute the Subscriber's Private Key
                based on the Public Key in the Certificate (such as a
                Debian weak key, see
                <a href="https://wiki.debian.org/SSLkeys"
                  moz-do-not-send="true" class="moz-txt-link-freetext">https://wiki.debian.org/SSLkeys</a>)
                (expected CRLReason: <b>keyCompromise</b>);</i></li>
            <li class="MsoNormal">
              <i>The CA obtains evidence that the validation of domain
                authorization or control for any Fully-Qualified Domain
                Name or IP address in the Certificate should not be
                relied upon (expected CRLReason: <b>superseded</b>).</i></li>
          </ol>
          <p class="MsoNormal">and so on.<br>
            <br>
            Does that work?<br>
            <br>
            Dimitris.</p>
          <blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
            <div>
              <div>
                <p class="MsoNormal">Thanks,<o:p></o:p></p>
              </div>
              <div>
                <p class="MsoNormal">Ben<o:p></o:p></p>
              </div>
            </div>
            <p class="MsoNormal"><o:p> </o:p></p>
            <div>
              <div>
                <p class="MsoNormal">On Wed, Sep 7, 2022 at 6:01 AM
                  Dimitris Zacharopoulos (HARICA) via Servercert-wg <<a
                    href="mailto:servercert-wg@cabforum.org"
                    target="_blank" moz-do-not-send="true"
                    class="moz-txt-link-freetext">servercert-wg@cabforum.org</a>>
                  wrote:<o:p></o:p></p>
              </div>
              <blockquote style="border:none;border-left:solid #CCCCCC
                1.0pt;padding:0in 0in 0in
                6.0pt;margin-left:4.8pt;margin-right:0in">
                <div>
                  <p class="MsoNormal" style="margin-bottom:12.0pt">Hi
                    Ben,<br>
                    <br>
                    I believe the proposal, as written, causes confusion
                    with regard to 4.9.1.1. Some of the reasons described
                    in your proposal are already mentioned in 4.9.1.1.
                    Perhaps we should work some more to "unify" the two
                    sections.<br>
                    <br>
                    My proposal would be to update 4.9.1.1 and include
                    the expected CRLReason after each case.<br>
                    <br>
                    Thoughts?<br>
                    Dimitris.</p>
                  <div>
                    <p class="MsoNormal">On 6/9/2022 8:13 PM, Ben
                      Wilson via Servercert-wg wrote:</p>
                  </div>
                  <blockquote
                    style="margin-top:5.0pt;margin-bottom:5.0pt">
                    <div>
                      <div>
                        <p class="MsoNormal">All,<o:p></o:p></p>
                      </div>
                      <div>
                        <p class="MsoNormal">I'm looking for one more
                          endorser.<o:p></o:p></p>
                      </div>
                      <div>
                        <p class="MsoNormal">Thanks,<o:p></o:p></p>
                      </div>
                      <div>
                        <p class="MsoNormal">Ben<o:p></o:p></p>
                      </div>
                    </div>
                    <p class="MsoNormal"><o:p> </o:p></p>
                    <div>
                      <div>
                        <p class="MsoNormal">On Fri, Jul 29, 2022 at
                          12:40 PM Ben Wilson via Servercert-wg <<a
                            href="mailto:servercert-wg@cabforum.org"
                            target="_blank" moz-do-not-send="true"
                            class="moz-txt-link-freetext">servercert-wg@cabforum.org</a>>
                          wrote:<o:p></o:p></p>
                      </div>
                      <blockquote style="border:none;border-left:solid
                        #CCCCCC 1.0pt;padding:0in 0in 0in
                        6.0pt;margin-left:4.8pt;margin-right:0in">
                        <div>
                          <div>
                            <p class="MsoNormal">All,<o:p></o:p></p>
                          </div>
                          <div>
                            <p class="MsoNormal"><o:p> </o:p></p>
                          </div>
                          <div>
                            <p class="MsoNormal">I have created a
                              proposal in Github to incorporate
                              Mozilla's CRL Revocation Reason Code
                              requirements into the Baseline
                              Requirements. 
                              <o:p></o:p></p>
                          </div>
                          <div>
                            <p class="MsoNormal"><o:p> </o:p></p>
                          </div>
                          <div>
                            <p class="MsoNormal">See <a
                                href="https://github.com/cabforum/servercert/issues/377"
                                target="_blank" moz-do-not-send="true"
                                class="moz-txt-link-freetext">
https://github.com/cabforum/servercert/issues/377</a><o:p></o:p></p>
                          </div>
                          <div>
                            <p class="MsoNormal"><o:p> </o:p></p>
                          </div>
                          <div>
                            <p class="MsoNormal"><a
href="https://github.com/BenWilson-Mozilla/servercert/commit/52a480803beff1f96d61c4b6d76570ac7adff4d5"
                                target="_blank" moz-do-not-send="true"
                                class="moz-txt-link-freetext">https://github.com/BenWilson-Mozilla/servercert/commit/52a480803beff1f96d61c4b6d76570ac7adff4d5</a><o:p></o:p></p>
                          </div>
                          <div>
                            <p class="MsoNormal"><o:p> </o:p></p>
                          </div>
                          <div>
                            <p class="MsoNormal">I'm looking for
                              comments, suggestions, and two endorsers.<o:p></o:p></p>
                          </div>
                          <div>
                            <p class="MsoNormal"><o:p> </o:p></p>
                          </div>
                          <div>
                            <p class="MsoNormal">Thanks,<o:p></o:p></p>
                          </div>
                          <div>
                            <p class="MsoNormal"><o:p> </o:p></p>
                          </div>
                          <div>
                            <p class="MsoNormal">Ben<o:p></o:p></p>
                          </div>
                        </div>
                        <p class="MsoNormal">_______________________________________________<br>
                          Servercert-wg mailing list<br>
                          <a href="mailto:Servercert-wg@cabforum.org"
                            target="_blank" moz-do-not-send="true"
                            class="moz-txt-link-freetext">Servercert-wg@cabforum.org</a><br>
                          <a
                            href="https://lists.cabforum.org/mailman/listinfo/servercert-wg"
                            target="_blank" moz-do-not-send="true"
                            class="moz-txt-link-freetext">https://lists.cabforum.org/mailman/listinfo/servercert-wg</a><o:p></o:p></p>
                      </blockquote>
                    </div>
                  </blockquote>
                  <p class="MsoNormal"><o:p> </o:p></p>
                </div>
              </blockquote>
            </div>
          </blockquote>
          <p class="MsoNormal"><o:p> </o:p></p>
        </div>
      </div>
    </blockquote>
    <br>
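    <p>The following is an added example; it is not text or code from the
      thread, its participants, or the CA/Browser Forum. It is a
      dependency-free Python encoder and decoder for the RFC 5280
      <code>reasonCode</code> CRL entry extension (id-ce-cRLReasons, OID
      2.5.29.21), together with a check that compares the reason carried by
      a revoked entry against the case-to-CRLReason pairing in the numbered
      list quoted above. The case numbers in
      <code>EXPECTED_REASON_BY_BR_CASE</code> follow that list and are an
      assumption made for illustration; the reason names and values are
      those of RFC 5280 section 5.3.1.</p>

```python
# Added example (not from the thread or the CA/Browser Forum): encode and decode
# the RFC 5280 reasonCode CRL entry extension and check an entry against a BR case.
from __future__ import annotations

# RFC 5280 section 5.3.1: CRLReason ::= ENUMERATED (value 7 is unused)
CRL_REASONS = {0: "unspecified", 1: "keyCompromise", 2: "cACompromise",
               3: "affiliationChanged", 4: "superseded", 5: "cessationOfOperation",
               6: "certificateHold", 8: "removeFromCRL", 9: "privilegeWithdrawn",
               10: "aACompromise"}
ID_CE_CRL_REASONS = "2.5.29.21"  # id-ce-cRLReasons

# Assumed for illustration: BR 4.9.1.1 24-hour cases numbered as in the proposal
# quoted in the thread, each with the CRLReason the proposal pairs with it.
EXPECTED_REASON_BY_BR_CASE = {
    1: "unspecified",         # Subscriber requests revocation in writing
    2: "privilegeWithdrawn",  # original request was not authorized
    3: "keyCompromise",       # evidence of Key Compromise
    4: "keyCompromise",       # demonstrated method to compute the private key
    5: "superseded",          # domain validation should not be relied upon
}


def _tlv(tag: int, body: bytes) -> bytes:
    """DER tag-length-value; a short-form length is enough for this extension."""
    if len(body) >= 0x80:
        raise ValueError("long-form length not needed here")
    return bytes([tag, len(body)]) + body


def _encode_oid(dotted: str) -> bytes:
    """DER OBJECT IDENTIFIER: first two arcs packed into one byte, rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return _tlv(0x06, bytes(out))


def _decode_oid(body: bytes) -> str:
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(str(a) for a in arcs)


def _read_tlv(data: bytes, pos: int = 0) -> tuple[int, bytes, int]:
    """Return (tag, contents, position after the element); handles long-form lengths."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length


def encode_reason_code_extension(reason: int) -> bytes:
    """Extension { extnID id-ce-cRLReasons, extnValue OCTET STRING { ENUMERATED reason } }.
    reasonCode MUST be non-critical, and DER omits the DEFAULT FALSE 'critical' field."""
    if reason not in CRL_REASONS:
        raise ValueError(f"not a CRLReason value: {reason}")
    enumerated = _tlv(0x0A, bytes([reason]))  # 0..10 fit in one positive byte
    return _tlv(0x30, _encode_oid(ID_CE_CRL_REASONS) + _tlv(0x04, enumerated))


def decode_reason_code_extension(der: bytes) -> int:
    """Parse one reasonCode extension and return its CRLReason value."""
    tag, body, end = _read_tlv(der)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected exactly one DER SEQUENCE")
    tag, oid_body, pos = _read_tlv(body)
    if tag != 0x06 or _decode_oid(oid_body) != ID_CE_CRL_REASONS:
        raise ValueError("extnID is not id-ce-cRLReasons")
    tag, value, pos = _read_tlv(body, pos)
    if tag == 0x01:  # explicit 'critical' BOOLEAN
        if value != b"\x00":
            raise ValueError("reasonCode MUST be a non-critical extension")
        tag, value, pos = _read_tlv(body, pos)
    if tag != 0x04 or pos != len(body):
        raise ValueError("malformed extnValue")
    tag, enum_body, inner_end = _read_tlv(value)
    if tag != 0x0A or inner_end != len(value):
        raise ValueError("extnValue must be a single ENUMERATED")
    reason = int.from_bytes(enum_body, "big", signed=True)
    if reason not in CRL_REASONS:
        raise ValueError(f"unknown CRLReason value {reason}")
    return reason


def check_entry_reason(br_case: int, extension_der: bytes | None) -> tuple[bool, str]:
    """Compare the reason a CRL entry carries with the one the proposal assigns to
    the BR 4.9.1.1 case behind the revocation. An absent extension reads as
    'unspecified': RFC 5280 says it SHOULD be absent rather than encode unspecified(0)."""
    expected = EXPECTED_REASON_BY_BR_CASE[br_case]
    actual = ("unspecified" if extension_der is None
              else CRL_REASONS[decode_reason_code_extension(extension_der)])
    return actual == expected, f"case {br_case}: expected {expected}, got {actual}"


if __name__ == "__main__":
    ext = encode_reason_code_extension(1)  # constructed sample: keyCompromise
    print(ext.hex(), check_entry_reason(3, ext), check_entry_reason(5, ext))
```

    <p>The decoder rejects a reasonCode extension flagged critical, which
      RFC 5280 forbids, and reads an absent extension as unspecified, since
      RFC 5280 says the extension SHOULD be absent rather than carry
      unspecified(0); a CRL linter would apply the same two rules to every
      revoked entry before comparing the reason with the triggering case.</p>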
  </body>
</html>