<html>
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
  </head>
  <body>
    Hi Ben,<br>
    <br>
    After a quick reading, I noticed that the subsections are not
    symmetrical and a bit inconsistent. For example, some of them
    contain the statement "the CA SHOULD revoke a certificate within 24
    hours and MUST revoke a Certificate within 5 days", some do not.<br>
    <br>
    Other examples:<br>
    <ul>
      <li>4.9.1.1.1 is labeled "Subscriber-Requested Revocation",
        however there are other subsections that are also
        "Subscriber-Requested". This separation seems confusing.</li>
      <li>4.9.1.1.4 is about unreliable validation but most of the
        remaining subsections are titled after the RFC 5280 revocation
        reasons.<br>
      </li>
    </ul>
    Finally, it's not very clear when the "unspecified (0)" reason must
    be used because of section 4.9.1.1.8 (Other Circumstances), which
    doesn't point to a revocation reason.<br>
    <br>
    From my perspective, I'm not sure if breaking down each subsection
    is more helpful for reading the revocation requirements than the
    current listing. I understand there is a desire to copy the MRSP
    language as much as possible but perhaps we need to consider a less
    "intrusive" set of changes to a section that CAs already have a
    difficult time reading and implementing.<br>
    <br>
    IMO we either need to describe the revocation scenario and point to
    the RFC 5280 revocation reason (closer to what the BRs have today),
    or start with the RFC 5280 revocation reasons and enumerate the
    revocation scenarios (closer to what MRSP has today). I find it
    confusing to mix the two approaches.<br>
    <br>
    <br>
    Thanks,<br>
    Dimitris.<br>
    <br>
    <br>
    <div class="moz-cite-prefix">On 12/9/2022 6:32 AM, Ben Wilson
      wrote:<br>
    </div>
    <blockquote type="cite"
cite="mid:CA+1gtaY12PckGhOQ1L9qx51R6fzNH_Jv+4OUJ7W-DUynGkjvvg@mail.gmail.com">
      <meta http-equiv="content-type" content="text/html; charset=UTF-8">
      <div dir="ltr">
        <div>For review - here is another proposal that takes BR section
          4.9.1.1 and puts the 24-hour and 5-day revocation times into
          subsections that match the CRL reason codes.  <br>
        </div>
        <div><br>
        </div>
        <div><a
href="https://github.com/BenWilson-Mozilla/servercert/commit/b185a28fcc20d5853747e4506103823e3dc7c282"
            moz-do-not-send="true" class="moz-txt-link-freetext">https://github.com/BenWilson-Mozilla/servercert/commit/b185a28fcc20d5853747e4506103823e3dc7c282</a></div>
        <div><br>
        </div>
        <div>Ben<br>
        </div>
      </div>
      <br>
      <div class="gmail_quote">
        <div dir="ltr" class="gmail_attr">On Thu, Sep 8, 2022 at 12:05
          PM Dimitris Zacharopoulos (HARICA) <<a
            href="mailto:dzacharo@harica.gr" moz-do-not-send="true"
            class="moz-txt-link-freetext">dzacharo@harica.gr</a>>
          wrote:<br>
        </div>
        <blockquote class="gmail_quote" style="margin:0px 0px 0px
          0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
          <div> Good point.<br>
            <br>
            s/expected/shall use/<br>
            <br>
            <br>
            <div>On 8/9/2022 8:26 PM, Tim Hollebeek wrote:<br>
            </div>
            <blockquote type="cite">
              <div>
                <p class="MsoNormal">I would prefer standard 2119
                  language instead of an “expectation”.  There are no
                  documented rules for what it means for a CRLReason to
                  be expected to be a certain value.</p>
                <p class="MsoNormal"> </p>
                <p class="MsoNormal">-Tim</p>
                <p class="MsoNormal"> </p>
                <div style="border-color:currentcolor currentcolor
                  currentcolor blue;border-style:none none none
                  solid;border-width:medium medium medium
                  1.5pt;padding:0in 0in 0in 4pt">
                  <div>
                    <div style="border-color:rgb(225,225,225)
                      currentcolor currentcolor;border-style:solid none
                      none;border-width:1pt medium medium;padding:3pt
                      0in 0in">
                      <p class="MsoNormal"><b>From:</b> Servercert-wg <a
href="mailto:servercert-wg-bounces@cabforum.org" target="_blank"
                          moz-do-not-send="true"><servercert-wg-bounces@cabforum.org></a>
                        <b>On Behalf Of </b>Dimitris Zacharopoulos
                        (HARICA) via Servercert-wg<br>
                        <b>Sent:</b> Thursday, September 8, 2022 3:21 AM<br>
                        <b>To:</b> Ben Wilson <a
                          href="mailto:bwilson@mozilla.com"
                          target="_blank" moz-do-not-send="true"><bwilson@mozilla.com></a>;
                        CA/B Forum Server Certificate WG Public
                        Discussion List <a
                          href="mailto:servercert-wg@cabforum.org"
                          target="_blank" moz-do-not-send="true"><servercert-wg@cabforum.org></a><br>
                        <b>Subject:</b> Re: [Servercert-wg] Proposal to
                        Incorporate Mozilla's CRL Revocation Reason Code
                        Requirements into the BRs</p>
                    </div>
                  </div>
                  <p class="MsoNormal"> </p>
                  <p class="MsoNormal" style="margin-bottom:12pt"> </p>
                  <div>
                    <p class="MsoNormal">On 7/9/2022 8:22 PM, Ben
                      Wilson wrote:</p>
                  </div>
                  <blockquote style="margin-top:5pt;margin-bottom:5pt">
                    <div>
                      <div>
                        <p class="MsoNormal">Good suggestion. I can
                          re-work a proposal that re-writes BR sec.
                          4.9.1.1 to re-group the revocation reasons
                          into the reason codes that should be used. Is
                          that what you were thinking? </p>
                      </div>
                    </div>
                  </blockquote>
                  <p class="MsoNormal"><br>
                    Yes. We should also try to keep the current BRs
                    prioritization. The section begins with the cases
                    where the Certificate(s) need to be revoked within
                    24h and then moves to the 5-day revocation cases.<br>
                    <br>
                    We could walk this list down making sure that all
                    Mozilla cases are listed (add the ones that are not)
                    and add the expected revocationReason for each case.
                    For example:</p>
                  <p><i>The CA SHALL revoke a Certificate within 24
                      hours if one or more of the following occurs:</i></p>
                  <ol type="1" start="1">
                    <li class="MsoNormal"> <i>The Subscriber requests
                        in writing that the CA revoke the Certificate
                        (expected CRLReason: <b>unspecified</b>);</i></li>
                    <li class="MsoNormal"> <i>The Subscriber notifies
                        the CA that the original certificate request was
                        not authorized and does not retroactively grant
                        authorization (expected CRLReason: <b>privilegeWithdrawn</b>);</i></li>
                    <li class="MsoNormal"> <i>The CA obtains evidence
                        that the Subscriber's Private Key corresponding
                        to the Public Key in the Certificate suffered a
                        Key Compromise (expected CRLReason: <b>keyCompromise</b>);</i></li>
                    <li class="MsoNormal"> <i>The CA is made aware of a
                        demonstrated or proven method that can easily
                        compute the Subscriber's Private Key based on
                        the Public Key in the Certificate (such as a
                        Debian weak key, see <a
                          href="https://wiki.debian.org/SSLkeys"
                          target="_blank" moz-do-not-send="true"
                          class="moz-txt-link-freetext">https://wiki.debian.org/SSLkeys</a>)
                        (expected CRLReason: <b>keyCompromise</b>);</i></li>
                    <li class="MsoNormal"> <i>The CA obtains evidence
                        that the validation of domain authorization or
                        control for any Fully-Qualified Domain Name or
                        IP address in the Certificate should not be
                        relied upon (expected CRLReason: <b>superseded</b>).</i></li>
                  </ol>
                  <p class="MsoNormal">and so on.<br>
                    <br>
                    Does that work?<br>
                    <br>
                    Dimitris.<br>
                    <br>
                    <br>
                  </p>
                  <blockquote style="margin-top:5pt;margin-bottom:5pt">
                    <div>
                      <div>
                        <p class="MsoNormal">Thanks,</p>
                      </div>
                      <div>
                        <p class="MsoNormal">Ben</p>
                      </div>
                    </div>
                    <p class="MsoNormal"> </p>
                    <div>
                      <div>
                        <p class="MsoNormal">On Wed, Sep 7, 2022 at 6:01
                          AM Dimitris Zacharopoulos (HARICA) via
                          Servercert-wg <<a
                            href="mailto:servercert-wg@cabforum.org"
                            target="_blank" moz-do-not-send="true"
                            class="moz-txt-link-freetext">servercert-wg@cabforum.org</a>>
                          wrote:</p>
                      </div>
                      <blockquote style="border-color:currentcolor
                        currentcolor currentcolor
                        rgb(204,204,204);border-style:none none none
                        solid;border-width:medium medium medium
                        1pt;padding:0in 0in 0in
                        6pt;margin-left:4.8pt;margin-right:0in">
                        <div>
                          <p class="MsoNormal"
                            style="margin-bottom:12pt">Hi Ben,<br>
                            <br>
                            I believe the proposal, as written, causes
                            confusion in regards to 4.9.1.1. Some of the
                            reasons described in your proposal are
                            already mentioned in 4.9.1.1. Perhaps we
                            should work some more to "unify" the two
                            sections.<br>
                            <br>
                            My proposal would be to update 4.9.1.1 and
                            include the expected CRLReason after each
                            case.<br>
                            <br>
                            <br>
                            Thoughts?<br>
                            Dimitris.</p>
                          <div>
                            <p class="MsoNormal">On 6/9/2022 8:13 PM,
                              Ben Wilson via Servercert-wg wrote:</p>
                          </div>
                          <blockquote
                            style="margin-top:5pt;margin-bottom:5pt">
                            <div>
                              <div>
                                <p class="MsoNormal">All,</p>
                              </div>
                              <div>
                                <p class="MsoNormal">I'm looking for one
                                  more endorser.</p>
                              </div>
                              <div>
                                <p class="MsoNormal">Thanks,</p>
                              </div>
                              <div>
                                <p class="MsoNormal">Ben</p>
                              </div>
                            </div>
                            <p class="MsoNormal"> </p>
                            <div>
                              <div>
                                <p class="MsoNormal">On Fri, Jul 29,
                                  2022 at 12:40 PM Ben Wilson via
                                  Servercert-wg <<a
                                    href="mailto:servercert-wg@cabforum.org"
                                    target="_blank"
                                    moz-do-not-send="true"
                                    class="moz-txt-link-freetext">servercert-wg@cabforum.org</a>>
                                  wrote:</p>
                              </div>
                              <blockquote
                                style="border-color:currentcolor
                                currentcolor currentcolor
                                rgb(204,204,204);border-style:none none
                                none solid;border-width:medium medium
                                medium 1pt;padding:0in 0in 0in
                                6pt;margin-left:4.8pt;margin-right:0in">
                                <div>
                                  <div>
                                    <p class="MsoNormal">All,</p>
                                  </div>
                                  <div>
                                    <p class="MsoNormal"> </p>
                                  </div>
                                  <div>
                                    <p class="MsoNormal">I have created
                                      a proposal in Github to
                                      incorporate Mozilla's CRL
                                      Revocation Reason Code
                                      requirements into the Baseline
                                      Requirements.  </p>
                                  </div>
                                  <div>
                                    <p class="MsoNormal"> </p>
                                  </div>
                                  <div>
                                    <p class="MsoNormal">See <a
                                        href="https://github.com/cabforum/servercert/issues/377"
                                        target="_blank"
                                        moz-do-not-send="true"
                                        class="moz-txt-link-freetext">
https://github.com/cabforum/servercert/issues/377</a></p>
                                  </div>
                                  <div>
                                    <p class="MsoNormal"> </p>
                                  </div>
                                  <div>
                                    <p class="MsoNormal"><a
href="https://github.com/BenWilson-Mozilla/servercert/commit/52a480803beff1f96d61c4b6d76570ac7adff4d5"
                                        target="_blank"
                                        moz-do-not-send="true"
                                        class="moz-txt-link-freetext">https://github.com/BenWilson-Mozilla/servercert/commit/52a480803beff1f96d61c4b6d76570ac7adff4d5</a></p>
                                  </div>
                                  <div>
                                    <p class="MsoNormal"> </p>
                                  </div>
                                  <div>
                                    <p class="MsoNormal">I'm looking for
                                      comments, suggestions, and two
                                      endorsers.</p>
                                  </div>
                                  <div>
                                    <p class="MsoNormal"> </p>
                                  </div>
                                  <div>
                                    <p class="MsoNormal">Thanks,</p>
                                  </div>
                                  <div>
                                    <p class="MsoNormal"> </p>
                                  </div>
                                  <div>
                                    <p class="MsoNormal">Ben</p>
                                  </div>
                                </div>
                                <p class="MsoNormal">_______________________________________________<br>
                                  Servercert-wg mailing list<br>
                                  <a
                                    href="mailto:Servercert-wg@cabforum.org"
                                    target="_blank"
                                    moz-do-not-send="true"
                                    class="moz-txt-link-freetext">Servercert-wg@cabforum.org</a><br>
                                  <a
                                    href="https://lists.cabforum.org/mailman/listinfo/servercert-wg"
                                    target="_blank"
                                    moz-do-not-send="true"
                                    class="moz-txt-link-freetext">https://lists.cabforum.org/mailman/listinfo/servercert-wg</a></p>
                              </blockquote>
                            </div>
                          </blockquote>
                          <p class="MsoNormal"> </p>
                        </div>
                      </blockquote>
                    </div>
                  </blockquote>
                  <p class="MsoNormal"> </p>
                </div>
              </div>
            </blockquote>
            <br>
          </div>
        </blockquote>
      </div>
    </blockquote>
    <br>
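    <p>Added example, not part of this thread and not text from the BRs or the MRSP: a standard-library-only model of the five 24-hour cases Dimitris lists in the quoted message, with the CRLReason each case is "expected" to carry, a deadline audit over constructed sample revocation events, and a DER encoder/decoder for the reasonCode CRL entry extension. The reason values are the RFC 5280 CRLReason ENUMERATED values and OID 2.5.29.21 is id-ce-cRLReasons; the case-to-reason mapping and the 24-hour window are taken from the proposal quoted above (a draft under discussion, not adopted text), and the case keys, event records and timestamps are constructed for the example.</p>

```python
"""Added example (not from the thread): RFC 5280 CRLReason values, the 24-hour cases quoted
in Dimitris's proposal with their expected reason, a revocation-deadline audit, and DER
encoding of the reasonCode CRL entry extension. Sample events below are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import IntEnum
from typing import Optional


class CRLReason(IntEnum):
    """RFC 5280 section 5.3.1 CRLReason ENUMERATED values (7 is unused)."""
    unspecified = 0
    keyCompromise = 1
    cACompromise = 2
    affiliationChanged = 3
    superseded = 4
    cessationOfOperation = 5
    certificateHold = 6
    removeFromCRL = 8
    privilegeWithdrawn = 9
    aACompromise = 10


@dataclass(frozen=True)
class RevocationCase:
    description: str
    reason: CRLReason
    max_hours: int  # 24 for the "within 24 hours" list; a 5-day list would use 120


# The five 24-hour cases as listed in the quoted proposal (case keys are constructed here).
CASES = {
    "subscriber_request": RevocationCase("Subscriber requests revocation in writing", CRLReason.unspecified, 24),
    "unauthorized_request": RevocationCase("Original request was not authorized", CRLReason.privilegeWithdrawn, 24),
    "key_compromise": RevocationCase("Evidence of Private Key compromise", CRLReason.keyCompromise, 24),
    "weak_key": RevocationCase("Private Key easily computable (e.g. Debian weak key)", CRLReason.keyCompromise, 24),
    "bad_validation": RevocationCase("Domain/IP validation should not be relied upon", CRLReason.superseded, 24),
}

CRL_REASON_OID_DER = bytes.fromhex("0603551d15")  # OBJECT IDENTIFIER 2.5.29.21 (id-ce-cRLReasons)


def encode_crl_reason_extension(reason: CRLReason) -> bytes:
    """DER Extension { extnID = id-ce-cRLReasons, extnValue = OCTET STRING { ENUMERATED reason } }.
    reasonCode is non-critical, so the DEFAULT FALSE 'critical' field is omitted under DER."""
    enumerated = bytes([0x0A, 0x01, int(reason)])      # ENUMERATED, one content byte
    octet_string = bytes([0x04, len(enumerated)]) + enumerated
    body = CRL_REASON_OID_DER + octet_string
    return bytes([0x30, len(body)]) + body              # SEQUENCE


def decode_crl_reason_extension(der: bytes) -> CRLReason:
    """Strict parser for exactly the shape produced above; anything else is rejected."""
    if len(der) != 12 or der[:2] != b"\x30\x0a" or der[2:7] != CRL_REASON_OID_DER:
        raise ValueError("not a reasonCode CRL entry extension")
    if der[7:11] != b"\x04\x03\x0a\x01":
        raise ValueError("unexpected extnValue encoding")
    return CRLReason(der[11])  # ValueError for 7 or any value outside the enumeration


def revocation_deadline(notified_at: datetime, case: RevocationCase) -> datetime:
    """Latest moment at which revocation still falls inside the window for this case."""
    return notified_at + timedelta(hours=case.max_hours)


@dataclass(frozen=True)
class RevocationEvent:
    serial: str
    case_key: str
    notified_at: datetime
    revoked_at: Optional[datetime] = None    # None: not revoked yet
    crl_reason: Optional[CRLReason] = None   # reason actually written into the CRL entry


def audit(events, now: datetime):
    """Return (serial, status) per event: OK, LATE, OVERDUE or PENDING, with '/WRONG_REASON'
    appended when the CRL entry carries a reason other than the one the case calls for."""
    findings = []
    for ev in events:
        case = CASES[ev.case_key]
        deadline = revocation_deadline(ev.notified_at, case)
        if ev.revoked_at is None:
            status = "OVERDUE" if now > deadline else "PENDING"
        elif ev.revoked_at > deadline:
            status = "LATE"
        else:
            status = "OK"
        if ev.crl_reason is not None and ev.crl_reason != case.reason:
            status += "/WRONG_REASON"
        findings.append((ev.serial, status))
    return findings


# Constructed sample data: four notifications received at T0, audited 48 hours later.
T0 = datetime(2022, 9, 8, 10, 0, tzinfo=timezone.utc)
NOW = T0 + timedelta(hours=48)
SAMPLE_EVENTS = [
    RevocationEvent("01", "key_compromise", T0, T0 + timedelta(hours=2), CRLReason.keyCompromise),
    RevocationEvent("02", "subscriber_request", T0, T0 + timedelta(hours=30), CRLReason.unspecified),
    RevocationEvent("03", "bad_validation", T0),  # still not revoked at NOW
    RevocationEvent("04", "weak_key", T0, T0 + timedelta(hours=1), CRLReason.unspecified),
]

if __name__ == "__main__":
    for serial, status in audit(SAMPLE_EVENTS, NOW):
        print(serial, status)
```

    <p>The audit treats a wrong reason code as a finding in its own right, separate from timeliness, because the two failures are handled differently in a CA's incident process; swapping in a 5-day list (max_hours=120) for the second group of cases needs no change to the audit logic.</p>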
  </body>
</html>