<div dir="ltr"><div>For review - here is another proposal that takes BR section 4.9.1.1 and puts the 24-hour and 5-day revocation times into subsections that match the CRL reason codes. <br></div><div><br></div><div><a href="https://github.com/BenWilson-Mozilla/servercert/commit/b185a28fcc20d5853747e4506103823e3dc7c282">https://github.com/BenWilson-Mozilla/servercert/commit/b185a28fcc20d5853747e4506103823e3dc7c282</a></div><div><br></div><div>Ben<br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Thu, Sep 8, 2022 at 12:05 PM Dimitris Zacharopoulos (HARICA) <<a href="mailto:dzacharo@harica.gr">dzacharo@harica.gr</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div>
Good point.<br>
<br>
s/expected/shall use/<br>
<br>
<br>
<div>On 8/9/2022 8:26 p.m., Tim Hollebeek
wrote:<br>
</div>
<blockquote type="cite">
<div>
<p class="MsoNormal">I would prefer standard 2119 language
instead of an “expectation”. There are no documented rules
for what it means for a CRLReason to be expected to be a
certain value.</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">-Tim</p>
<p class="MsoNormal"> </p>
<div style="border-color:currentcolor currentcolor currentcolor blue;border-style:none none none solid;border-width:medium medium medium 1.5pt;padding:0in 0in 0in 4pt">
<div>
<div style="border-color:rgb(225,225,225) currentcolor currentcolor;border-style:solid none none;border-width:1pt medium medium;padding:3pt 0in 0in">
<p class="MsoNormal"><b>From:</b> Servercert-wg
<a href="mailto:servercert-wg-bounces@cabforum.org" target="_blank"><servercert-wg-bounces@cabforum.org></a>
<b>On Behalf Of </b>Dimitris Zacharopoulos (HARICA) via
Servercert-wg<br>
<b>Sent:</b> Thursday, September 8, 2022 3:21 AM<br>
<b>To:</b> Ben Wilson <a href="mailto:bwilson@mozilla.com" target="_blank"><bwilson@mozilla.com></a>; CA/B
Forum Server Certificate WG Public Discussion List
<a href="mailto:servercert-wg@cabforum.org" target="_blank"><servercert-wg@cabforum.org></a><br>
<b>Subject:</b> Re: [Servercert-wg] Proposal to
Incorporate Mozilla's CRL Revocation Reason Code
Requirements into the BRs<u></u><u></u></p>
</div>
</div>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal" style="margin-bottom:12pt"><u></u> <u></u></p>
<div>
<p class="MsoNormal">On 7/9/2022 8:22 p.m., Ben Wilson
wrote:</p>
</div>
<blockquote style="margin-top:5pt;margin-bottom:5pt">
<div>
<div>
<p class="MsoNormal">Good suggestion. I can rework a
proposal that rewrites BR sec. 4.9.1.1 to regroup
the revocation reasons into the reason codes that
should be used. Is that what you were thinking?</p>
</div>
</div>
</blockquote>
<p class="MsoNormal"><br>
Yes. We should also try to keep the current BRs'
prioritization. The section begins with the cases where the
Certificate(s) need to be revoked within 24h and then moves
to the 5-day revocation cases.<br>
<br>
We could walk down this list, making sure that all Mozilla
cases are listed (adding the ones that are not), and add the
expected revocationReason for each case. For example:</p>
<p><i>The CA SHALL revoke a Certificate within 24 hours if one
or more of the following occurs:</i></p>
<ol type="1" start="1">
<li class="MsoNormal"><i>The Subscriber requests in writing that the CA revoke
the Certificate (expected CRLReason: <b>unspecified</b>);</i></li>
<li class="MsoNormal"><i>The Subscriber notifies the CA that the original
certificate request was not authorized and does not
retroactively grant authorization (expected CRLReason: <b>privilegeWithdrawn</b>);</i></li>
<li class="MsoNormal"><i>The CA obtains evidence that the Subscriber's Private
Key corresponding to the Public Key in the Certificate
suffered a Key Compromise (expected CRLReason: <b>keyCompromise</b>);</i></li>
<li class="MsoNormal"><i>The CA is made aware of a demonstrated or proven method
that can easily compute the Subscriber's Private Key
based on the Public Key in the Certificate (such as a
Debian weak key, see
<a href="https://wiki.debian.org/SSLkeys" target="_blank">https://wiki.debian.org/SSLkeys</a>)
(expected CRLReason: <b>keyCompromise</b>);</i></li>
<li class="MsoNormal"><i>The CA obtains evidence that the validation of domain
authorization or control for any Fully-Qualified Domain
Name or IP address in the Certificate should not be
relied upon (expected CRLReason: <b>superseded</b>).</i></li>
</ol>
<p class="MsoNormal">and so on.<br>
<br>
Does that work?<br>
<br>
Dimitris.</p>
<blockquote style="margin-top:5pt;margin-bottom:5pt">
<div>
<div>
<p class="MsoNormal">Thanks,<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal">Ben<u></u><u></u></p>
</div>
</div>
<p class="MsoNormal"><u></u> <u></u></p>
<div>
<div>
<p class="MsoNormal">On Wed, Sep 7, 2022 at 6:01 AM
Dimitris Zacharopoulos (HARICA) via Servercert-wg <<a href="mailto:servercert-wg@cabforum.org" target="_blank">servercert-wg@cabforum.org</a>>
wrote:<u></u><u></u></p>
</div>
<blockquote style="border-color:currentcolor currentcolor currentcolor rgb(204,204,204);border-style:none none none solid;border-width:medium medium medium 1pt;padding:0in 0in 0in 6pt;margin-left:4.8pt;margin-right:0in">
<div>
<p class="MsoNormal" style="margin-bottom:12pt">Hi
Ben,<br>
<br>
I believe the proposal, as written, causes confusion
with regard to 4.9.1.1. Some of the reasons described
in your proposal are already mentioned in 4.9.1.1.
Perhaps we should work some more to "unify" the two
sections.<br>
<br>
My proposal would be to update 4.9.1.1 and include
the expected CRLReason after each case.<br>
<br>
Thoughts?<br>
Dimitris.</p>
<div>
<p class="MsoNormal">On 6/9/2022 8:13 p.m., Ben
Wilson via Servercert-wg wrote:</p>
</div>
<blockquote style="margin-top:5pt;margin-bottom:5pt">
<div>
<div>
<p class="MsoNormal">All,<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal">I'm looking for one more
endorser.<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal">Thanks,<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal">Ben<u></u><u></u></p>
</div>
</div>
<p class="MsoNormal"><u></u> <u></u></p>
<div>
<div>
<p class="MsoNormal">On Fri, Jul 29, 2022 at
12:40 PM Ben Wilson via Servercert-wg <<a href="mailto:servercert-wg@cabforum.org" target="_blank">servercert-wg@cabforum.org</a>>
wrote:<u></u><u></u></p>
</div>
<blockquote style="border-color:currentcolor currentcolor currentcolor rgb(204,204,204);border-style:none none none solid;border-width:medium medium medium 1pt;padding:0in 0in 0in 6pt;margin-left:4.8pt;margin-right:0in">
<div>
<div>
<p class="MsoNormal">All,<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<p class="MsoNormal">I have created a
proposal in GitHub to incorporate
Mozilla's CRL Revocation Reason Code
requirements into the Baseline
Requirements.</p>
</div>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<p class="MsoNormal">See <a href="https://github.com/cabforum/servercert/issues/377" target="_blank">
https://github.com/cabforum/servercert/issues/377</a><u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<p class="MsoNormal"><a href="https://github.com/BenWilson-Mozilla/servercert/commit/52a480803beff1f96d61c4b6d76570ac7adff4d5" target="_blank">https://github.com/BenWilson-Mozilla/servercert/commit/52a480803beff1f96d61c4b6d76570ac7adff4d5</a><u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<p class="MsoNormal">I'm looking for
comments, suggestions, and two endorsers.<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<p class="MsoNormal">Thanks,<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<p class="MsoNormal">Ben<u></u><u></u></p>
</div>
</div>
<p class="MsoNormal">_______________________________________________<br>
Servercert-wg mailing list<br>
<a href="mailto:Servercert-wg@cabforum.org" target="_blank">Servercert-wg@cabforum.org</a><br>
<a href="https://lists.cabforum.org/mailman/listinfo/servercert-wg" target="_blank">https://lists.cabforum.org/mailman/listinfo/servercert-wg</a><u></u><u></u></p>
</blockquote>
</div>
</blockquote>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
</blockquote>
</div>
</blockquote>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
</div>
</blockquote>
<br>
</div>
</blockquote></div>
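<p>Added example for this thread, not code from the CA/B Forum, Mozilla, HARICA or any CA: the CRLReason that the proposal attaches to each BR 4.9.1.1 case reaches relying parties as the reasonCode CRL entry extension of RFC 5280 section 5.3.1 (OID id-ce-cRLReasons, 2.5.29.21), whose extnValue wraps a DER ENUMERATED. The block below encodes and decodes that extension with no third-party library and checks a decoded reason against the five-case mapping given in the thread. The case keys (<code>subscriber_request</code> and so on), the function names and the sample bytes are constructed for illustration; the reason names and values come from RFC 5280.</p>

```python
# Added example (not from the mailing-list thread): encode/decode the
# reasonCode CRL entry extension of RFC 5280 section 5.3.1 and check the
# decoded reason against the mapping proposed for BR 4.9.1.1.

# CRLReason names and values from RFC 5280 section 5.3.1 (value 7 is unused).
CRL_REASONS = {
    0: "unspecified", 1: "keyCompromise", 2: "cACompromise",
    3: "affiliationChanged", 4: "superseded", 5: "cessationOfOperation",
    6: "certificateHold", 8: "removeFromCRL", 9: "privilegeWithdrawn",
    10: "aACompromise",
}
REASON_BY_NAME = {name: value for value, name in CRL_REASONS.items()}

# The five 24-hour cases as mapped in the thread; the keys are constructed.
EXPECTED_REASON = {
    "subscriber_request": "unspecified",
    "request_not_authorized": "privilegeWithdrawn",
    "key_compromise_evidence": "keyCompromise",
    "weak_key_method": "keyCompromise",
    "domain_validation_unreliable": "superseded",
}

ID_CE_CRL_REASONS = bytes.fromhex("551d15")  # DER content bytes of OID 2.5.29.21
TAG_BOOLEAN, TAG_OCTET_STRING, TAG_OID = 0x01, 0x04, 0x06
TAG_ENUMERATED, TAG_SEQUENCE = 0x0A, 0x30


def der_tlv(tag, content):
    """Build one DER TLV with a definite length (short or long form)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        len_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(len_bytes)]) + len_bytes
    return bytes([tag]) + length + content


def der_read_tlv(buf, pos=0):
    """Return (tag, content, position after the TLV) for the TLV at buf[pos]."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        n, start = first, pos + 2
    else:
        k = first & 0x7F
        n, start = int.from_bytes(buf[pos + 2:pos + 2 + k], "big"), pos + 2 + k
    if start + n > len(buf):
        raise ValueError("DER length runs past end of buffer")
    return tag, buf[start:start + n], start + n


def encode_reason_code_extension(reason):
    """Extension ::= SEQUENCE { extnID OID, extnValue OCTET STRING }.
    reasonCode is non-critical, so no critical BOOLEAN is emitted."""
    enumerated = der_tlv(TAG_ENUMERATED, bytes([REASON_BY_NAME[reason]]))
    return der_tlv(TAG_SEQUENCE,
                   der_tlv(TAG_OID, ID_CE_CRL_REASONS)
                   + der_tlv(TAG_OCTET_STRING, enumerated))


def decode_reason_code_extension(ext):
    """Parse an Extension, confirm it is id-ce-cRLReasons and return the
    reason name. Rejects malformed structure and undefined reason values."""
    tag, seq, _ = der_read_tlv(ext)
    if tag != TAG_SEQUENCE:
        raise ValueError("Extension must be a SEQUENCE")
    tag, oid, pos = der_read_tlv(seq)
    if tag != TAG_OID or oid != ID_CE_CRL_REASONS:
        raise ValueError("extnID is not id-ce-cRLReasons")
    tag, body, pos = der_read_tlv(seq, pos)
    if tag == TAG_BOOLEAN:  # tolerate an explicitly encoded critical flag
        tag, body, pos = der_read_tlv(seq, pos)
    if tag != TAG_OCTET_STRING:
        raise ValueError("extnValue must be an OCTET STRING")
    tag, enum, end = der_read_tlv(body)
    if tag != TAG_ENUMERATED or len(enum) != 1 or end != len(body):
        raise ValueError("extnValue must wrap exactly one one-byte ENUMERATED")
    if enum[0] not in CRL_REASONS:
        raise ValueError(f"CRLReason value {enum[0]} is not defined by RFC 5280")
    return CRL_REASONS[enum[0]]


def reason_matches_case(case, ext):
    """True if the entry's reasonCode is the one the proposal expects for case."""
    return decode_reason_code_extension(ext) == EXPECTED_REASON[case]


if __name__ == "__main__":
    ext = encode_reason_code_extension("keyCompromise")
    print(ext.hex(), decode_reason_code_extension(ext),
          reason_matches_case("weak_key_method", ext))
```

<p>The decoder deliberately refuses reason value 7 (undefined in RFC 5280) and any extnValue that is not exactly one ENUMERATED, which is the check a CA's pre-issuance linter for CRLs would want once the BRs tie each 4.9.1.1 case to a specific reason code.</p>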