<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
Hi Ben,<br>
<br>
After a quick reading, I noticed that the subsections are not
symmetrical and a bit inconsistent. For example, some of them
contain the statement "the CA SHOULD revoke a certificate within 24
hours and MUST revoke a Certificate within 5 days", some do not.<br>
<br>
Other examples:<br>
<ul>
<li>4.9.1.1.1, is labeled "Subscriber-Requested Revocation",
however there are other subsections that are also
"Subscriber-Requested". This separation seems confusing.</li>
<li>4.9.1.1.4 is about unreliable validation but most of the
remaining subsections are titled after the RFC 5280 revocation
reasons.<br>
</li>
</ul>
Finally, it's not very clear when the "unspecified (0)" reason must
be used because of section 4.9.1.1.8 (Other Circumstances) which
doesn't point to a revocation reason.<br>
<br>
From my perspective, I'm not sure if breaking down each subsection
is more helpful for reading the revocation requirements than the
current listing. I understand there is a desire to copy the MRSP
language as much as possible but perhaps we need to consider a less
"intrusive" set of changes to a section that CAs already have a
difficult time reading and implementing.<br>
<br>
IMO we either need to describe the revocation scenario and point to
the RFC 5280 revocation reason (closer to what the BRs have today),
or start with the RFC 5280 revocation reasons and enumerate the
revocation scenarios (closer to what MRSP has today). I find it
confusing to mix the two approaches.<br>
<br>
<br>
Thanks,<br>
Dimitris.<br>
<br>
<br>
<div class="moz-cite-prefix">On 12/9/2022 6:32 AM, Ben Wilson
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:CA+1gtaY12PckGhOQ1L9qx51R6fzNH_Jv+4OUJ7W-DUynGkjvvg@mail.gmail.com">
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<div dir="ltr">
<div>For review - here is another proposal that takes BR section
4.9.1.1 and puts the 24-hour and 5-day revocation times into
subsections that match the CRL reason codes. <br>
</div>
<div><br>
</div>
<div><a
href="https://github.com/BenWilson-Mozilla/servercert/commit/b185a28fcc20d5853747e4506103823e3dc7c282"
moz-do-not-send="true" class="moz-txt-link-freetext">https://github.com/BenWilson-Mozilla/servercert/commit/b185a28fcc20d5853747e4506103823e3dc7c282</a></div>
<div><br>
</div>
<div>Ben<br>
</div>
</div>
<br>
<div class="gmail_quote">
<div dir="ltr" class="gmail_attr">On Thu, Sep 8, 2022 at 12:05
PM Dimitris Zacharopoulos (HARICA) <<a
href="mailto:dzacharo@harica.gr" moz-do-not-send="true"
class="moz-txt-link-freetext">dzacharo@harica.gr</a>>
wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div> Good point.<br>
<br>
s/<i>expected/shall use/</i><br>
<br>
<br>
<br>
<div>On 8/9/2022 8:26 PM, Tim Hollebeek wrote:<br>
</div>
<blockquote type="cite">
<div>
<p class="MsoNormal">I would prefer standard 2119
language instead of an “expectation”. There are no
documented rules for what it means for a CRLReason to
be expected to be a certain value.</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">-Tim</p>
<p class="MsoNormal"> </p>
<div style="border-color:currentcolor currentcolor
currentcolor blue;border-style:none none none
solid;border-width:medium medium medium
1.5pt;padding:0in 0in 0in 4pt">
<div>
<div style="border-color:rgb(225,225,225)
currentcolor currentcolor;border-style:solid none
none;border-width:1pt medium medium;padding:3pt
0in 0in">
<p class="MsoNormal"><b>From:</b> Servercert-wg <a
href="mailto:servercert-wg-bounces@cabforum.org" target="_blank"
moz-do-not-send="true"><servercert-wg-bounces@cabforum.org></a>
<b>On Behalf Of </b>Dimitris Zacharopoulos
(HARICA) via Servercert-wg<br>
<b>Sent:</b> Thursday, September 8, 2022 3:21 AM<br>
<b>To:</b> Ben Wilson <a
href="mailto:bwilson@mozilla.com"
target="_blank" moz-do-not-send="true"><bwilson@mozilla.com></a>;
CA/B Forum Server Certificate WG Public
Discussion List <a
href="mailto:servercert-wg@cabforum.org"
target="_blank" moz-do-not-send="true"><servercert-wg@cabforum.org></a><br>
<b>Subject:</b> Re: [Servercert-wg] Proposal to
Incorporate Mozilla's CRL Revocation Reason Code
Requirements into the BRs</p>
</div>
</div>
<p class="MsoNormal"> </p>
<p class="MsoNormal" style="margin-bottom:12pt"> </p>
<div>
<p class="MsoNormal">On 7/9/2022 8:22 PM, Ben
Wilson wrote:</p>
</div>
<blockquote style="margin-top:5pt;margin-bottom:5pt">
<div>
<div>
<p class="MsoNormal">Good suggestion. I can
re-work a proposal that re-writes BR sec.
4.9.1.1 to re-group the revocation reasons
into the reason codes that should be used. Is
that what you were thinking? </p>
</div>
</div>
</blockquote>
<p class="MsoNormal"><br>
Yes. We should also try to keep the current BRs
prioritization. The section begins with the cases
where the Certificate(s) need to be revoked within
24h and then moves to the 5-day revocation cases.<br>
<br>
We could walk this list down making sure that all
Mozilla cases are listed (add the ones that are not)
and add the expected revocationReason for each case.
For example:</p>
<p><i>The CA SHALL revoke a Certificate within 24
hours if one or more of the following occurs:</i></p>
<ol type="1" start="1">
<li class="MsoNormal"><i>The Subscriber requests
in writing that the CA revoke the Certificate
(expected CRLReason: <b>unspecified</b>);</i></li>
<li class="MsoNormal"><i>The Subscriber notifies
the CA that the original certificate request was
not authorized and does not retroactively grant
authorization (expected CRLReason: <b>privilegeWithdrawn</b>);</i></li>
<li class="MsoNormal"><i>The CA obtains evidence
that the Subscriber's Private Key corresponding
to the Public Key in the Certificate suffered a
Key Compromise (expected CRLReason: <b>keyCompromise</b>);</i></li>
<li class="MsoNormal"><i>The CA is made aware of a
demonstrated or proven method that can easily
compute the Subscriber's Private Key based on
the Public Key in the Certificate (such as a
Debian weak key, see <a
href="https://wiki.debian.org/SSLkeys"
target="_blank" moz-do-not-send="true"
class="moz-txt-link-freetext">https://wiki.debian.org/SSLkeys</a>)
(expected CRLReason: <b>keyCompromise</b>);</i></li>
<li class="MsoNormal"><i>The CA obtains evidence
that the validation of domain authorization or
control for any Fully-Qualified Domain Name or
IP address in the Certificate should not be
relied upon (expected CRLReason: <b>superseded</b>).</i></li>
</ol>
<p class="MsoNormal">and so on.<br>
<br>
Does that work?<br>
<br>
Dimitris.<br>
<br>
<br>
</p>
<blockquote style="margin-top:5pt;margin-bottom:5pt">
<div>
<div>
<p class="MsoNormal">Thanks,</p>
</div>
<div>
<p class="MsoNormal">Ben</p>
</div>
</div>
<p class="MsoNormal"> </p>
<div>
<div>
<p class="MsoNormal">On Wed, Sep 7, 2022 at 6:01
AM Dimitris Zacharopoulos (HARICA) via
Servercert-wg <<a
href="mailto:servercert-wg@cabforum.org"
target="_blank" moz-do-not-send="true"
class="moz-txt-link-freetext">servercert-wg@cabforum.org</a>>
wrote:</p>
</div>
<blockquote style="border-color:currentcolor
currentcolor currentcolor
rgb(204,204,204);border-style:none none none
solid;border-width:medium medium medium
1pt;padding:0in 0in 0in
6pt;margin-left:4.8pt;margin-right:0in">
<div>
<p class="MsoNormal"
style="margin-bottom:12pt">Hi Ben,<br>
<br>
I believe the proposal, as written, causes
confusion in regards to 4.9.1.1. Some of the
reasons described in your proposal are
already mentioned in 4.9.1.1. Perhaps we
should work some more to "unify" the two
sections.<br>
<br>
My proposal would be to update 4.9.1.1 and
include the expected CRLReason after each
case.<br>
<br>
<br>
Thoughts?<br>
Dimitris.</p>
<div>
<p class="MsoNormal">On 6/9/2022 8:13 PM,
Ben Wilson via Servercert-wg wrote:</p>
</div>
<blockquote
style="margin-top:5pt;margin-bottom:5pt">
<div>
<div>
<p class="MsoNormal">All,</p>
</div>
<div>
<p class="MsoNormal">I'm looking for one
more endorser.</p>
</div>
<div>
<p class="MsoNormal">Thanks,</p>
</div>
<div>
<p class="MsoNormal">Ben</p>
</div>
</div>
<p class="MsoNormal"> </p>
<div>
<div>
<p class="MsoNormal">On Fri, Jul 29,
2022 at 12:40 PM Ben Wilson via
Servercert-wg <<a
href="mailto:servercert-wg@cabforum.org"
target="_blank"
moz-do-not-send="true"
class="moz-txt-link-freetext">servercert-wg@cabforum.org</a>>
wrote:</p>
</div>
<blockquote
style="border-color:currentcolor
currentcolor currentcolor
rgb(204,204,204);border-style:none none
none solid;border-width:medium medium
medium 1pt;padding:0in 0in 0in
6pt;margin-left:4.8pt;margin-right:0in">
<div>
<div>
<p class="MsoNormal">All,</p>
</div>
<div>
<p class="MsoNormal"> </p>
</div>
<div>
<p class="MsoNormal">I have created
a proposal in Github to
incorporate Mozilla's CRL
Revocation Reason Code
requirements into the Baseline
Requirements. </p>
</div>
<div>
<p class="MsoNormal"> </p>
</div>
<div>
<p class="MsoNormal">See <a
href="https://github.com/cabforum/servercert/issues/377"
target="_blank"
moz-do-not-send="true"
class="moz-txt-link-freetext">
https://github.com/cabforum/servercert/issues/377</a></p>
</div>
<div>
<p class="MsoNormal"> </p>
</div>
<div>
<p class="MsoNormal"><a
href="https://github.com/BenWilson-Mozilla/servercert/commit/52a480803beff1f96d61c4b6d76570ac7adff4d5"
target="_blank"
moz-do-not-send="true"
class="moz-txt-link-freetext">https://github.com/BenWilson-Mozilla/servercert/commit/52a480803beff1f96d61c4b6d76570ac7adff4d5</a></p>
</div>
<div>
<p class="MsoNormal"> </p>
</div>
<div>
<p class="MsoNormal">I'm looking for
comments, suggestions, and two
endorsers.</p>
</div>
<div>
<p class="MsoNormal"> </p>
</div>
<div>
<p class="MsoNormal">Thanks,</p>
</div>
<div>
<p class="MsoNormal"> </p>
</div>
<div>
<p class="MsoNormal">Ben</p>
</div>
</div>
<p class="MsoNormal">_______________________________________________<br>
Servercert-wg mailing list<br>
<a
href="mailto:Servercert-wg@cabforum.org"
target="_blank"
moz-do-not-send="true"
class="moz-txt-link-freetext">Servercert-wg@cabforum.org</a><br>
<a
href="https://lists.cabforum.org/mailman/listinfo/servercert-wg"
target="_blank"
moz-do-not-send="true"
class="moz-txt-link-freetext">https://lists.cabforum.org/mailman/listinfo/servercert-wg</a></p>
</blockquote>
</div>
<p class="MsoNormal"><br>
<br>
</p>
</blockquote>
<p class="MsoNormal"> </p>
</div>
</blockquote>
</div>
</blockquote>
<p class="MsoNormal"> </p>
</div>
</div>
</blockquote>
<br>
</div>
</blockquote>
</div>
</blockquote>
<br>
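<p>Added example, not code from this thread, the BRs or MRSP: a small Python audit that checks constructed CA revocation records against the draft mapping quoted above (the five 24-hour scenarios and the CRLReason each is expected to carry), using the CRLReason integer values from RFC 5280. The record format, the "trigger time" field and the scenario numbering are assumptions made here; the mapping itself is the draft as quoted, not adopted BR text.</p>

```python
# Hypothetical checker for the draft BR 4.9.1.1 scenario -> CRLReason mapping; constructed data.
from datetime import datetime, timedelta

# CRLReason values from RFC 5280 section 5.3.1 (value 7 is unused).
CRL_REASON = {"unspecified": 0, "keyCompromise": 1, "cACompromise": 2,
              "affiliationChanged": 3, "superseded": 4, "cessationOfOperation": 5,
              "certificateHold": 6, "removeFromCRL": 8, "privilegeWithdrawn": 9,
              "aACompromise": 10}

# Scenario numbers follow the draft list in the thread; all five are
# "revoke within 24 hours" cases, so each carries the same deadline.
DAY = timedelta(hours=24)
EXPECTED = {
    1: ("unspecified", DAY),         # Subscriber requests revocation in writing
    2: ("privilegeWithdrawn", DAY),  # original request was never authorized
    3: ("keyCompromise", DAY),       # evidence of Key Compromise
    4: ("keyCompromise", DAY),       # weak key, e.g. a Debian weak key
    5: ("superseded", DAY),          # domain validation should not be relied upon
}

def parse_record(line):
    """Constructed format: serial,scenario,trigger_time,revocation_time,reason."""
    serial, scenario, trig, rev, reason = [f.strip() for f in line.split(",")]
    return (serial, int(scenario), datetime.fromisoformat(trig),
            datetime.fromisoformat(rev), int(reason))

def audit(lines):
    """Map serial -> list of violations of the draft's reason code or deadline."""
    findings = {}
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue  # skip blank and comment lines
        serial, scenario, trig, rev, reason = parse_record(line)
        problems = []
        if scenario not in EXPECTED:
            problems.append(f"unknown scenario {scenario}")
        else:
            name, deadline = EXPECTED[scenario]
            if reason != CRL_REASON[name]:
                problems.append(f"reason {reason}, scenario {scenario} expects {name}")
            if rev - trig > deadline:
                problems.append(f"revoked {rev - trig} after trigger, limit {deadline}")
        if problems:
            findings[serial] = problems
    return findings

# Constructed sample records (not real CA data); times are UTC ISO 8601.
SAMPLE_LOG = """# serial,scenario,trigger_time,revocation_time,CRLReason
0A1B,3,2022-09-08T10:00:00+00:00,2022-09-08T12:30:00+00:00,1
0A1C,1,2022-09-08T10:00:00+00:00,2022-09-09T11:00:00+00:00,0
0A1D,5,2022-09-08T10:00:00+00:00,2022-09-08T20:00:00+00:00,1""".splitlines()
```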
</body>
</html>