<div dir="ltr"><div>For review - here is another proposal that takes BR section 4.9.1.1 and puts the 24-hour and 5-day revocation times into subsections that match the CRL reason codes.  <br></div><div><br></div><div><a href="https://github.com/BenWilson-Mozilla/servercert/commit/b185a28fcc20d5853747e4506103823e3dc7c282">https://github.com/BenWilson-Mozilla/servercert/commit/b185a28fcc20d5853747e4506103823e3dc7c282</a></div><div><br></div><div>Ben<br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Thu, Sep 8, 2022 at 12:05 PM Dimitris Zacharopoulos (HARICA) <<a href="mailto:dzacharo@harica.gr">dzacharo@harica.gr</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
  
    
  
  <div>
    Good point.<br>
    <br>
    s/<i>expected/shall use/<br>
      <br>
      <br>
    </i><br>
    <div>On 8/9/2022 8:26 μ.μ., Tim Hollebeek
      wrote:<br>
    </div>
    <blockquote type="cite">
      
      
      
      <div>
        <p class="MsoNormal">I would prefer standard 2119 language
          instead of an “expectation”.  There are no documented rules
          for what it means for a CRLReason to be expected to be a
          certain value.<u></u><u></u></p>
        <p class="MsoNormal"><u></u> <u></u></p>
        <p class="MsoNormal">-Tim<u></u><u></u></p>
        <p class="MsoNormal"><u></u> <u></u></p>
        <div style="border-color:currentcolor currentcolor currentcolor blue;border-style:none none none solid;border-width:medium medium medium 1.5pt;padding:0in 0in 0in 4pt">
          <div>
            <div style="border-color:rgb(225,225,225) currentcolor currentcolor;border-style:solid none none;border-width:1pt medium medium;padding:3pt 0in 0in">
              <p class="MsoNormal"><b>From:</b> Servercert-wg
                <a href="mailto:servercert-wg-bounces@cabforum.org" target="_blank"><servercert-wg-bounces@cabforum.org></a>
                <b>On Behalf Of </b>Dimitris Zacharopoulos (HARICA) via
                Servercert-wg<br>
                <b>Sent:</b> Thursday, September 8, 2022 3:21 AM<br>
                <b>To:</b> Ben Wilson <a href="mailto:bwilson@mozilla.com" target="_blank"><bwilson@mozilla.com></a>; CA/B
                Forum Server Certificate WG Public Discussion List
                <a href="mailto:servercert-wg@cabforum.org" target="_blank"><servercert-wg@cabforum.org></a><br>
                <b>Subject:</b> Re: [Servercert-wg] Proposal to
                Incorporate Mozilla's CRL Revocation Reason Code
                Requirements into the BRs<u></u><u></u></p>
            </div>
          </div>
          <p class="MsoNormal"><u></u> <u></u></p>
          <p class="MsoNormal" style="margin-bottom:12pt"><u></u> <u></u></p>
          <div>
            <p class="MsoNormal">On 7/9/2022 8:22 μ.μ., Ben Wilson
              wrote:<u></u><u></u></p>
          </div>
          <blockquote style="margin-top:5pt;margin-bottom:5pt">
            <div>
              <div>
                <p class="MsoNormal">Good suggestion. I can re-work a
                  proposal that re-writes BR sec. 4.9.1.1 to re-group
                  the revocation reasons into the reason codes that
                  should be used. Is that what you were thinking?
                  <u></u><u></u></p>
              </div>
            </div>
          </blockquote>
          <p class="MsoNormal"><br>
            Yes. We should also try to keep the current BRs
            prioritization. The section begins with the cases where the
            Certificate(s) need to be revoked within 24h and then moves
            to the 5-day revocation cases.<br>
            <br>
            We could walk this list down making sure that all Mozilla
            cases are listed (add the ones that are not) and add the
            expected revocationReason for each case. For example:<u></u><u></u></p>
          <p><i>The CA SHALL revoke a Certificate within 24 hours if one
              or more of the following occurs:</i><u></u><u></u></p>
          <ol type="1" start="1">
            <li class="MsoNormal">
              <i>The Subscriber requests in writing that the CA revoke
                the Certificate (expected CRLReason:<b>unspecified</b>);</i><u></u><u></u></li>
            <li class="MsoNormal">
              <i>The Subscriber notifies the CA that the original
                certificate request was not authorized and does not
                retroactively grant authorization (expected CRLReason:<strong><span style="font-family:"Calibri",sans-serif">privilegeWithdrawn</span></strong>);</i><u></u><u></u></li>
            <li class="MsoNormal">
              <i>The CA obtains evidence that the Subscriber's Private
                Key corresponding to the Public Key in the Certificate
                suffered a Key Compromise (expected CRLReason:<b>keyCompromise</b>);</i><u></u><u></u></li>
            <li class="MsoNormal">
              <i>The CA is made aware of a demonstrated or proven method
                that can easily compute the Subscriber's Private Key
                based on the Public Key in the Certificate (such as a
                Debian weak key, see
                <a href="https://wiki.debian.org/SSLkeys" target="_blank">https://wiki.debian.org/SSLkeys</a>)
                (expected CRLReason:<b>keyCompromise</b>);</i><u></u><u></u></li>
            <li class="MsoNormal">
              <i>The CA obtains evidence that the validation of domain
                authorization or control for any Fully-Qualified Domain
                Name or IP address in the Certificate should not be
                relied upon (expected CRLReason:
                <strong><span style="font-family:"Calibri",sans-serif">superseded</span></strong>).</i><u></u><u></u></li>
          </ol>
          <p class="MsoNormal">and so on.<br>
            <br>
            Does that work?<br>
            <br>
            Dimitris.<br>
            <br>
            <br>
            <u></u><u></u></p>
          <blockquote style="margin-top:5pt;margin-bottom:5pt">
            <div>
              <div>
                <p class="MsoNormal">Thanks,<u></u><u></u></p>
              </div>
              <div>
                <p class="MsoNormal">Ben<u></u><u></u></p>
              </div>
            </div>
            <p class="MsoNormal"><u></u> <u></u></p>
            <div>
              <div>
                <p class="MsoNormal">On Wed, Sep 7, 2022 at 6:01 AM
                  Dimitris Zacharopoulos (HARICA) via Servercert-wg <<a href="mailto:servercert-wg@cabforum.org" target="_blank">servercert-wg@cabforum.org</a>>
                  wrote:<u></u><u></u></p>
              </div>
              <blockquote style="border-color:currentcolor currentcolor currentcolor rgb(204,204,204);border-style:none none none solid;border-width:medium medium medium 1pt;padding:0in 0in 0in 6pt;margin-left:4.8pt;margin-right:0in">
                <div>
                  <p class="MsoNormal" style="margin-bottom:12pt">Hi
                    Ben,<br>
                    <br>
                    I believe the proposal, as written, causes confusion
                    in regards to 4.9.1.1. Some of the reasons described
                    in your proposal are already mentioned in 4.9.1.1.
                    Perhaps we should work some more to "unify" the two
                    sections.<br>
                    <br>
                    My proposal would be to update 4.9.1.1 and include
                    the expected CRLReason after each case.<br>
                    <br>
                    <br>
                    Thoughts?<br>
                    Dimitris.<u></u><u></u></p>
                  <div>
                    <p class="MsoNormal">On 6/9/2022 8:13 μ.μ., Ben
                      Wilson via Servercert-wg wrote:<u></u><u></u></p>
                  </div>
                  <blockquote style="margin-top:5pt;margin-bottom:5pt">
                    <div>
                      <div>
                        <p class="MsoNormal">All,<u></u><u></u></p>
                      </div>
                      <div>
                        <p class="MsoNormal">I'm looking for one more
                          endorser.<u></u><u></u></p>
                      </div>
                      <div>
                        <p class="MsoNormal">Thanks,<u></u><u></u></p>
                      </div>
                      <div>
                        <p class="MsoNormal">Ben<u></u><u></u></p>
                      </div>
                    </div>
                    <p class="MsoNormal"><u></u> <u></u></p>
                    <div>
                      <div>
                        <p class="MsoNormal">On Fri, Jul 29, 2022 at
                          12:40 PM Ben Wilson via Servercert-wg <<a href="mailto:servercert-wg@cabforum.org" target="_blank">servercert-wg@cabforum.org</a>>
                          wrote:<u></u><u></u></p>
                      </div>
                      <blockquote style="border-color:currentcolor currentcolor currentcolor rgb(204,204,204);border-style:none none none solid;border-width:medium medium medium 1pt;padding:0in 0in 0in 6pt;margin-left:4.8pt;margin-right:0in">
                        <div>
                          <div>
                            <p class="MsoNormal">All,<u></u><u></u></p>
                          </div>
                          <div>
                            <p class="MsoNormal"><u></u> <u></u></p>
                          </div>
                          <div>
                            <p class="MsoNormal">I have created a
                              proposal in Github to incorporate
                              Mozilla's CRL Revocation Reason Code
                              requirements into the Baseline
                              Requirements. 
                              <u></u><u></u></p>
                          </div>
                          <div>
                            <p class="MsoNormal"><u></u> <u></u></p>
                          </div>
                          <div>
                            <p class="MsoNormal">See <a href="https://github.com/cabforum/servercert/issues/377" target="_blank">
https://github.com/cabforum/servercert/issues/377</a><u></u><u></u></p>
                          </div>
                          <div>
                            <p class="MsoNormal"><u></u> <u></u></p>
                          </div>
                          <div>
                            <p class="MsoNormal"><a href="https://github.com/BenWilson-Mozilla/servercert/commit/52a480803beff1f96d61c4b6d76570ac7adff4d5" target="_blank">https://github.com/BenWilson-Mozilla/servercert/commit/52a480803beff1f96d61c4b6d76570ac7adff4d5</a><u></u><u></u></p>
                          </div>
                          <div>
                            <p class="MsoNormal"><u></u> <u></u></p>
                          </div>
                          <div>
                            <p class="MsoNormal">I'm looking for
                              comments, suggestions, and two endorsers.<u></u><u></u></p>
                          </div>
                          <div>
                            <p class="MsoNormal"><u></u> <u></u></p>
                          </div>
                          <div>
                            <p class="MsoNormal">Thanks,<u></u><u></u></p>
                          </div>
                          <div>
                            <p class="MsoNormal"><u></u> <u></u></p>
                          </div>
                          <div>
                            <p class="MsoNormal">Ben<u></u><u></u></p>
                          </div>
                        </div>
                        <p class="MsoNormal">_______________________________________________<br>
                          Servercert-wg mailing list<br>
                          <a href="mailto:Servercert-wg@cabforum.org" target="_blank">Servercert-wg@cabforum.org</a><br>
                          <a href="https://lists.cabforum.org/mailman/listinfo/servercert-wg" target="_blank">https://lists.cabforum.org/mailman/listinfo/servercert-wg</a><u></u><u></u></p>
                      </blockquote>
                    </div>
                    <p class="MsoNormal"><br>
                      <br>
                      <u></u><u></u></p>
                    <pre>_______________________________________________<u></u><u></u></pre>
                    <pre>Servercert-wg mailing list<u></u><u></u></pre>
                    <pre><a href="mailto:Servercert-wg@cabforum.org" target="_blank">Servercert-wg@cabforum.org</a><u></u><u></u></pre>
                    <pre><a href="https://lists.cabforum.org/mailman/listinfo/servercert-wg" target="_blank">https://lists.cabforum.org/mailman/listinfo/servercert-wg</a><u></u><u></u></pre>
                  </blockquote>
                  <p class="MsoNormal"><u></u> <u></u></p>
                </div>
                <p class="MsoNormal">_______________________________________________<br>
                  Servercert-wg mailing list<br>
                  <a href="mailto:Servercert-wg@cabforum.org" target="_blank">Servercert-wg@cabforum.org</a><br>
                  <a href="https://lists.cabforum.org/mailman/listinfo/servercert-wg" target="_blank">https://lists.cabforum.org/mailman/listinfo/servercert-wg</a><u></u><u></u></p>
              </blockquote>
            </div>
          </blockquote>
          <p class="MsoNormal"><u></u> <u></u></p>
        </div>
      </div>
    </blockquote>
    <br>
  </div>

</blockquote></div>