<html>
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
  </head>
  <body>
    Ben, these changes look good. <br>
    <br>
    Is there anything we can do for:<br>
    <br>
    <blockquote type="cite"><i>5. The CA obtains evidence that the
        validation of domain authorization or control for any
        Fully-Qualified Domain Name or IP address in the Certificate
        should not be relied upon (CRLReason #4, superseded [or
        CRLReason #9, privilegeWithdrawn]).</i></blockquote>
    <br>
    I believe we should stick with "privilegeWithdrawn" for this case
    regardless of whether the certificate has been replaced. It's best to
    have one option rather than two.<br>
    <br>
    For the "superseded" cases:<br>
    <br>
    <blockquote type="cite"><i>1. The Certificate no longer complies
        with the requirements of [Section 6.1.5](#615-key-sizes) and
        [Section
        6.1.6](#616-public-key-parameters-generation-and-quality-checking)
        (CRLReason #4, superseded);</i></blockquote>
    <blockquote type="cite"><i>7. The CA is made aware that the
        Certificate was not issued in accordance with these Requirements
        or the CA's Certificate Policy or Certification Practice
        Statement (CRLReason #4, superseded);</i></blockquote>
    <blockquote type="cite"><i>10. Revocation is required by the CA's
        Certificate Policy and/or Certification Practice Statement
        (CRLReason #4, superseded); or</i></blockquote>
    <br>
    what exactly is the rationale for this CRLReason? Is it that these
    certificates will <b>necessarily </b>be replaced by compliant
    ones, that "supersede" (i.e. replace) the old ones? What if the CA
    decides not to replace certificates under these revocation cases?<br>
    <br>
    Once we clarify these few areas, I'd be happy to endorse this
    ballot.<br>
    <br>
    <br>
    Thanks,<br>
    Dimitris.<br>
    <br>
    <div class="moz-cite-prefix">On 14/9/2022 6:37 a.m., Ben Wilson
      wrote:<br>
    </div>
    <blockquote type="cite"
cite="mid:CA+1gtab9bAGg3zGEeDgdTW5HDeeu8Zr4ewrS9CKEQbyFb5ChLw@mail.gmail.com">
      <meta http-equiv="content-type" content="text/html; charset=UTF-8">
      <div dir="ltr">
        <div>Here is the most current comparison:</div>
        <div><br>
        </div>
        <div><a
href="https://github.com/cabforum/servercert/compare/bbca71465ed8a8a76383086039f52c750009286a..1699612e5157423f607d67cc8ab9dc3a1d52b318"
            moz-do-not-send="true" class="moz-txt-link-freetext">https://github.com/cabforum/servercert/compare/bbca71465ed8a8a76383086039f52c750009286a..1699612e5157423f607d67cc8ab9dc3a1d52b318</a></div>
        <div><br>
        </div>
        <div>Ben<br>
        </div>
      </div>
      <br>
      <div class="gmail_quote">
        <div dir="ltr" class="gmail_attr">On Mon, Sep 12, 2022 at 11:00
          AM Ben Wilson <<a href="mailto:bwilson@mozilla.com"
            moz-do-not-send="true" class="moz-txt-link-freetext">bwilson@mozilla.com</a>>
          wrote:<br>
        </div>
        <blockquote class="gmail_quote" style="margin:0px 0px 0px
          0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
          <div dir="ltr">
            <div>Here is another edit that tries to make minimal changes
              to BR section 4.9.1.1.</div>
            <div><a
href="https://github.com/BenWilson-Mozilla/servercert/commit/94a07d08855cf489a2bdddff7d8a9490969d5d06"
                target="_blank" moz-do-not-send="true"
                class="moz-txt-link-freetext">https://github.com/BenWilson-Mozilla/servercert/commit/94a07d08855cf489a2bdddff7d8a9490969d5d06</a></div>
            <div><br>
            </div>
            <div>Ben<br>
            </div>
          </div>
          <br>
          <div class="gmail_quote">
            <div dir="ltr" class="gmail_attr">On Mon, Sep 12, 2022 at
              9:51 AM Ben Wilson via Servercert-wg <<a
                href="mailto:servercert-wg@cabforum.org" target="_blank"
                moz-do-not-send="true" class="moz-txt-link-freetext">servercert-wg@cabforum.org</a>>
              wrote:<br>
            </div>
            <blockquote class="gmail_quote" style="margin:0px 0px 0px
              0.8ex;border-left:1px solid
              rgb(204,204,204);padding-left:1ex">
              <div dir="ltr">
                <div>Thanks, Dimitris. I'll work on that approach and
                  get something back to you soon.</div>
                <div>Ben<br>
                </div>
              </div>
              <br>
              <div class="gmail_quote">
                <div dir="ltr" class="gmail_attr">On Mon, Sep 12, 2022
                  at 2:56 AM Dimitris Zacharopoulos (HARICA) <<a
                    href="mailto:dzacharo@harica.gr" target="_blank"
                    moz-do-not-send="true" class="moz-txt-link-freetext">dzacharo@harica.gr</a>>
                  wrote:<br>
                </div>
                <blockquote class="gmail_quote" style="margin:0px 0px
                  0px 0.8ex;border-left:1px solid
                  rgb(204,204,204);padding-left:1ex">
                  <div> Hi Ben,<br>
                    <br>
                    After a quick reading, I noticed that the
                    subsections are not symmetrical and a bit
                    inconsistent. For example, some of them contain the
                    statement "the CA SHOULD revoke a certificate within
                    24 hours and MUST revoke a Certificate within 5
                    days", some do not.<br>
                    <br>
                    Other examples:<br>
                    <ul>
                      <li>4.9.1.1.1, is labeled "Subscriber-Requested
                        Revocation", however there are other subsections
                        that are also "Subscriber-Requested". This
                        separation seems confusing.</li>
                      <li>4.9.1.1.4 is about unreliable validation but
                        most of the remaining subsections are titled
                        after the RFC 5280 revocation reasons.<br>
                      </li>
                    </ul>
                    Finally, it's not very clear when the "unspecified
                    (0)" reason must be used because of section
                    4.9.1.1.8 (Other Circumstances) which doesn't point
                    to a revocation reason.<br>
                    <br>
                    From my perspective, I'm not sure if breaking down
                    each subsection is more helpful for reading the
                    revocation requirements than the current listing. I
                    understand there is a desire to copy the MRSP
                    language as much as possible but perhaps we need to
                    consider a less "intrusive" set of changes to a
                    section that CAs already have a difficult time
                    reading and implementing.<br>
                    <br>
                    IMO we either need to describe the revocation
                    scenario and point to the RFC 5280 revocation reason
                    (closer to what the BRs have today), or start with
                    the RFC 5280 revocation reasons and enumerate the
                    revocation scenarios (closer to what MRSP has
                    today). I find it confusing to mix the two
                    approaches.<br>
                    <br>
                    <br>
                    Thanks,<br>
                    Dimitris.<br>
                    <br>
                    <br>
                    <div>On 12/9/2022 6:32 a.m., Ben Wilson wrote:<br>
                    </div>
                    <blockquote type="cite">
                      <div dir="ltr">
                        <div>For review - here is another proposal that
                          takes BR section 4.9.1.1 and puts the 24-hour
                          and 5-day revocation times into subsections
                          that match the CRL reason codes.  <br>
                        </div>
                        <div><br>
                        </div>
                        <div><a
href="https://github.com/BenWilson-Mozilla/servercert/commit/b185a28fcc20d5853747e4506103823e3dc7c282"
                            target="_blank" moz-do-not-send="true"
                            class="moz-txt-link-freetext">https://github.com/BenWilson-Mozilla/servercert/commit/b185a28fcc20d5853747e4506103823e3dc7c282</a></div>
                        <div><br>
                        </div>
                        <div>Ben<br>
                        </div>
                      </div>
                      <br>
                      <div class="gmail_quote">
                        <div dir="ltr" class="gmail_attr">On Thu, Sep 8,
                          2022 at 12:05 PM Dimitris Zacharopoulos
                          (HARICA) <<a
                            href="mailto:dzacharo@harica.gr"
                            target="_blank" moz-do-not-send="true"
                            class="moz-txt-link-freetext">dzacharo@harica.gr</a>>
                          wrote:<br>
                        </div>
                        <blockquote class="gmail_quote"
                          style="margin:0px 0px 0px
                          0.8ex;border-left:1px solid
                          rgb(204,204,204);padding-left:1ex">
                          <div> Good point.<br>
                            <br>
                            s/<i>expected/shall use/<br>
                              <br>
                              <br>
                            </i><br>
                            <div>On 8/9/2022 8:26 p.m., Tim Hollebeek
                              wrote:<br>
                            </div>
                            <blockquote type="cite">
                              <div>
                                <p class="MsoNormal">I would prefer
                                  standard 2119 language instead of an
                                  “expectation”.  There are no
                                  documented rules for what it means for
                                  a CRLReason to be expected to be a
                                  certain value.</p>
                                <p class="MsoNormal"> </p>
                                <p class="MsoNormal">-Tim</p>
                                <p class="MsoNormal"> </p>
                                <div style="border-color:currentcolor
                                  currentcolor currentcolor
                                  blue;border-style:none none none
                                  solid;border-width:medium medium
                                  medium 1.5pt;padding:0in 0in 0in 4pt">
                                  <div>
                                    <div
                                      style="border-color:rgb(225,225,225)
                                      currentcolor
                                      currentcolor;border-style:solid
                                      none none;border-width:1pt medium
                                      medium;padding:3pt 0in 0in">
                                      <p class="MsoNormal"><b>From:</b>
                                        Servercert-wg <a
                                          href="mailto:servercert-wg-bounces@cabforum.org"
                                          target="_blank"
                                          moz-do-not-send="true"><servercert-wg-bounces@cabforum.org></a>
                                        <b>On Behalf Of </b>Dimitris
                                        Zacharopoulos (HARICA) via
                                        Servercert-wg<br>
                                        <b>Sent:</b> Thursday, September
                                        8, 2022 3:21 AM<br>
                                        <b>To:</b> Ben Wilson <a
                                          href="mailto:bwilson@mozilla.com"
                                          target="_blank"
                                          moz-do-not-send="true"><bwilson@mozilla.com></a>;
                                        CA/B Forum Server Certificate WG
                                        Public Discussion List <a
                                          href="mailto:servercert-wg@cabforum.org"
                                          target="_blank"
                                          moz-do-not-send="true"><servercert-wg@cabforum.org></a><br>
                                        <b>Subject:</b> Re:
                                        [Servercert-wg] Proposal to
                                        Incorporate Mozilla's CRL
                                        Revocation Reason Code
                                        Requirements into the BRs</p>
                                    </div>
                                  </div>
                                  <p class="MsoNormal"> </p>
                                  <p class="MsoNormal"
                                    style="margin-bottom:12pt"> </p>
                                  <div>
                                    <p class="MsoNormal">On 7/9/2022
                                      8:22 p.m., Ben Wilson wrote:</p>
                                  </div>
                                  <blockquote
                                    style="margin-top:5pt;margin-bottom:5pt">
                                    <div>
                                      <div>
                                        <p class="MsoNormal">Good
                                          suggestion. I can re-work a
                                          proposal that re-writes BR
                                          sec. 4.9.1.1 to re-group the
                                          revocation reasons into the
                                          reason codes that should be
                                          used. Is that what you were
                                          thinking? </p>
                                      </div>
                                    </div>
                                  </blockquote>
                                  <p class="MsoNormal"><br>
                                    Yes. We should also try to keep the
                                    current BRs prioritization. The
                                    section begins with the cases where
                                    the Certificate(s) need to be
                                    revoked within 24h and then moves to
                                    the 5-day revocation cases.<br>
                                    <br>
                                    We could walk this list down making
                                    sure that all Mozilla cases are
                                    listed (add the ones that are not)
                                    and add the expected
                                    revocationReason for each case. For
                                    example:</p>
                                  <p><i>The CA SHALL revoke a
                                      Certificate within 24 hours if one
                                      or more of the following occurs:</i></p>
                                  <ol type="1" start="1">
                                    <li class="MsoNormal"> <i>The
                                        Subscriber requests in writing
                                        that the CA revoke the
                                        Certificate (expected CRLReason: <b>unspecified</b>);</i></li>
                                    <li class="MsoNormal"> <i>The
                                        Subscriber notifies the CA that
                                        the original certificate request
                                        was not authorized and does not
                                        retroactively grant
                                        authorization (expected
                                        CRLReason: <b>privilegeWithdrawn</b>);</i></li>
                                    <li class="MsoNormal"> <i>The CA
                                        obtains evidence that the
                                        Subscriber's Private Key
                                        corresponding to the Public Key
                                        in the Certificate suffered a
                                        Key Compromise (expected
                                        CRLReason: <b>keyCompromise</b>);</i></li>
                                    <li class="MsoNormal"> <i>The CA is
                                        made aware of a demonstrated or
                                        proven method that can easily
                                        compute the Subscriber's Private
                                        Key based on the Public Key in
                                        the Certificate (such as a
                                        Debian weak key, see <a
                                          href="https://wiki.debian.org/SSLkeys"
                                          target="_blank"
                                          moz-do-not-send="true"
                                          class="moz-txt-link-freetext">https://wiki.debian.org/SSLkeys</a>)
                                        (expected CRLReason: <b>keyCompromise</b>);</i></li>
                                    <li class="MsoNormal"> <i>The CA
                                        obtains evidence that the
                                        validation of domain
                                        authorization or control for any
                                        Fully-Qualified Domain Name or
                                        IP address in the Certificate
                                        should not be relied upon
                                        (expected CRLReason: <b>superseded</b>).</i></li>
                                  </ol>
                                  <p class="MsoNormal">and so on.<br>
                                    <br>
                                    Does that work?<br>
                                    <br>
                                    Dimitris.<br>
                                    <br>
                                    <br>
                                  </p>
                                  <blockquote
                                    style="margin-top:5pt;margin-bottom:5pt">
                                    <div>
                                      <div>
                                        <p class="MsoNormal">Thanks,</p>
                                      </div>
                                      <div>
                                        <p class="MsoNormal">Ben</p>
                                      </div>
                                    </div>
                                    <p class="MsoNormal"> </p>
                                    <div>
                                      <div>
                                        <p class="MsoNormal">On Wed, Sep
                                          7, 2022 at 6:01 AM Dimitris
                                          Zacharopoulos (HARICA) via
                                          Servercert-wg <<a
                                            href="mailto:servercert-wg@cabforum.org"
                                            target="_blank"
                                            moz-do-not-send="true"
                                            class="moz-txt-link-freetext">servercert-wg@cabforum.org</a>>
                                          wrote:</p>
                                      </div>
                                      <blockquote
                                        style="border-color:currentcolor
                                        currentcolor currentcolor
                                        rgb(204,204,204);border-style:none
                                        none none
                                        solid;border-width:medium medium
                                        medium 1pt;padding:0in 0in 0in
                                        6pt;margin-left:4.8pt;margin-right:0in">
                                        <div>
                                          <p class="MsoNormal"
                                            style="margin-bottom:12pt">Hi
                                            Ben,<br>
                                            <br>
                                            I believe the proposal, as
                                            written, causes confusion in
                                            regards to 4.9.1.1. Some of
                                            the reasons described in
                                            your proposal are already
                                            mentioned in 4.9.1.1.
                                            Perhaps we should work some
                                            more to "unify" the two
                                            sections.<br>
                                            <br>
                                            My proposal would be to
                                            update 4.9.1.1 and include
                                            the expected CRLReason after
                                            each case.<br>
                                            <br>
                                            <br>
                                            Thoughts?<br>
                                            Dimitris.</p>
                                          <div>
                                            <p class="MsoNormal">On
                                              6/9/2022 8:13 p.m., Ben
                                              Wilson via Servercert-wg
                                              wrote:</p>
                                          </div>
                                          <blockquote
                                            style="margin-top:5pt;margin-bottom:5pt">
                                            <div>
                                              <div>
                                                <p class="MsoNormal">All,</p>
                                              </div>
                                              <div>
                                                <p class="MsoNormal">I'm
                                                  looking for one more
                                                  endorser.</p>
                                              </div>
                                              <div>
                                                <p class="MsoNormal">Thanks,</p>
                                              </div>
                                              <div>
                                                <p class="MsoNormal">Ben</p>
                                              </div>
                                            </div>
                                            <p class="MsoNormal"> </p>
                                            <div>
                                              <div>
                                                <p class="MsoNormal">On
                                                  Fri, Jul 29, 2022 at
                                                  12:40 PM Ben Wilson
                                                  via Servercert-wg <<a
href="mailto:servercert-wg@cabforum.org" target="_blank"
                                                    moz-do-not-send="true"
class="moz-txt-link-freetext">servercert-wg@cabforum.org</a>> wrote:</p>
                                              </div>
                                              <blockquote
                                                style="border-color:currentcolor
                                                currentcolor
                                                currentcolor
                                                rgb(204,204,204);border-style:none
                                                none none
                                                solid;border-width:medium
                                                medium medium
                                                1pt;padding:0in 0in 0in
6pt;margin-left:4.8pt;margin-right:0in">
                                                <div>
                                                  <div>
                                                    <p class="MsoNormal">All,</p>
                                                  </div>
                                                  <div>
                                                    <p class="MsoNormal"> </p>
                                                  </div>
                                                  <div>
                                                    <p class="MsoNormal">I
                                                      have created a
                                                      proposal in Github
                                                      to incorporate
                                                      Mozilla's CRL
                                                      Revocation Reason
                                                      Code requirements
                                                      into the Baseline
                                                      Requirements.  </p>
                                                  </div>
                                                  <div>
                                                    <p class="MsoNormal"> </p>
                                                  </div>
                                                  <div>
                                                    <p class="MsoNormal">See
                                                      <a
                                                        href="https://github.com/cabforum/servercert/issues/377"
                                                        target="_blank"
moz-do-not-send="true" class="moz-txt-link-freetext">
https://github.com/cabforum/servercert/issues/377</a></p>
                                                  </div>
                                                  <div>
                                                    <p class="MsoNormal"> </p>
                                                  </div>
                                                  <div>
                                                    <p class="MsoNormal"><a
href="https://github.com/BenWilson-Mozilla/servercert/commit/52a480803beff1f96d61c4b6d76570ac7adff4d5"
                                                        target="_blank"
moz-do-not-send="true" class="moz-txt-link-freetext">https://github.com/BenWilson-Mozilla/servercert/commit/52a480803beff1f96d61c4b6d76570ac7adff4d5</a></p>
                                                  </div>
                                                  <div>
                                                    <p class="MsoNormal"> </p>
                                                  </div>
                                                  <div>
                                                    <p class="MsoNormal">I'm
                                                      looking for
                                                      comments,
                                                      suggestions, and
                                                      two endorsers.</p>
                                                  </div>
                                                  <div>
                                                    <p class="MsoNormal"> </p>
                                                  </div>
                                                  <div>
                                                    <p class="MsoNormal">Thanks,</p>
                                                  </div>
                                                  <div>
                                                    <p class="MsoNormal"> </p>
                                                  </div>
                                                  <div>
                                                    <p class="MsoNormal">Ben</p>
                                                  </div>
                                                </div>
                                                <p class="MsoNormal">_______________________________________________<br>
                                                  Servercert-wg mailing
                                                  list<br>
                                                  <a
                                                    href="mailto:Servercert-wg@cabforum.org"
                                                    target="_blank"
                                                    moz-do-not-send="true"
class="moz-txt-link-freetext">Servercert-wg@cabforum.org</a><br>
                                                  <a
                                                    href="https://lists.cabforum.org/mailman/listinfo/servercert-wg"
                                                    target="_blank"
                                                    moz-do-not-send="true"
class="moz-txt-link-freetext">https://lists.cabforum.org/mailman/listinfo/servercert-wg</a></p>
                                              </blockquote>
                                            </div>
                                            <p class="MsoNormal"><br>
                                              <br>
                                            </p>
                                          </blockquote>
                                          <p class="MsoNormal"> </p>
                                        </div>
                                      </blockquote>
                                    </div>
                                  </blockquote>
                                  <p class="MsoNormal"> </p>
                                </div>
                              </div>
                            </blockquote>
                            <br>
                          </div>
                        </blockquote>
                      </div>
                    </blockquote>
                    <br>
                  </div>
                </blockquote>
              </div>
            </blockquote>
          </div>
        </blockquote>
      </div>
    </blockquote>
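<p>The case-to-CRLReason mapping proposed in the 8 September 2022 message quoted above, as an added example that is not part of this thread, of the Baseline Requirements, or of any CA's software: a stdlib-only Python checker that encodes and decodes the RFC 5280 reasonCode CRL entry extension (id-ce-cRLReasons, OID 2.5.29.21, a DER ENUMERATED) and compares the reason carried by a CRL entry with the one that proposal expects for each of the five 24-hour cases of BR section 4.9.1.1. The CRLReason names and integer values (unspecified 0, keyCompromise 1, superseded 4, privilegeWithdrawn 9) are RFC 5280's; the case numbers are the list positions in the quoted proposal; the <code>check_entry</code> function, its <code>hours_to_revoke</code> argument and the sample entries are constructions of this example. One caveat the decoder builds in, relevant to the question of when "unspecified (0)" is used: RFC 5280 says the reasonCode extension SHOULD be absent rather than carry the value 0, so an entry with no extension is read as unspecified.</p>

```python
"""Added example: check CRL entries against the expected CRLReason per BR
4.9.1.1 case from the 8 Sep 2022 proposal in this thread (stdlib only)."""
from enum import IntEnum


class CRLReason(IntEnum):
    """CRLReason ENUMERATED values from RFC 5280 section 5.3.1 (7 is unused)."""
    unspecified = 0
    keyCompromise = 1
    cACompromise = 2
    affiliationChanged = 3
    superseded = 4
    cessationOfOperation = 5
    certificateHold = 6
    removeFromCRL = 8
    privilegeWithdrawn = 9
    aACompromise = 10


# id-ce-cRLReasons: the OID of the reasonCode CRL entry extension.
REASON_CODE_OID = "2.5.29.21"

# Expected CRLReason per 24-hour case, exactly as listed in the 8 Sep 2022
# proposal quoted in the thread (keys are the list positions in that proposal).
EXPECTED_REASON = {
    1: CRLReason.unspecified,         # Subscriber requests revocation in writing
    2: CRLReason.privilegeWithdrawn,  # original request was not authorized
    3: CRLReason.keyCompromise,       # Subscriber Private Key compromise
    4: CRLReason.keyCompromise,       # key is computable (e.g. Debian weak key)
    5: CRLReason.superseded,          # domain validation should not be relied upon
}
REVOCATION_DEADLINE_HOURS = 24  # all five listed cases are 24-hour cases


def encode_reason_code(reason):
    """DER-encode a CRLReason as the reasonCode extension value: ENUMERATED
    tag 0x0A, length 1, value byte."""
    return bytes([0x0A, 0x01, int(reason)])


def decode_reason_code(der):
    """Decode a DER ENUMERATED CRLReason; anything but the 3-byte form is rejected."""
    if len(der) != 3 or der[0] != 0x0A or der[1] != 0x01:
        raise ValueError("reasonCode must be a one-byte DER ENUMERATED")
    return CRLReason(der[2])


def effective_reason(entry_extensions):
    """Map a CRL entry's extensions (OID -> DER value) to a CRLReason.
    RFC 5280 says the extension SHOULD be absent instead of carrying
    unspecified (0), so a missing extension is read as unspecified."""
    der = entry_extensions.get(REASON_CODE_OID)
    return CRLReason.unspecified if der is None else decode_reason_code(der)


def check_entry(case, entry_extensions, hours_to_revoke):
    """Return a list of findings for one CRL entry handled under BR case number
    `case`, revoked `hours_to_revoke` hours after the CA learned of the event.
    An empty list means the entry matches the proposal (hypothetical helper)."""
    if case not in EXPECTED_REASON:
        return [f"case {case}: no expected CRLReason in the proposal"]
    findings = []
    reason = effective_reason(entry_extensions)
    expected = EXPECTED_REASON[case]
    if reason != expected:
        findings.append(f"case {case}: reasonCode {reason.name} ({int(reason)}), "
                        f"expected {expected.name} ({int(expected)})")
    if hours_to_revoke > REVOCATION_DEADLINE_HOURS:
        findings.append(f"case {case}: revoked {hours_to_revoke} hours after "
                        f"discovery, later than the 24-hour limit")
    return findings


if __name__ == "__main__":
    # Constructed sample entries, not data from any real CRL.
    samples = [
        (3, {REASON_CODE_OID: encode_reason_code(CRLReason.keyCompromise)}, 2),
        (1, {}, 1),  # no extension: read as unspecified, which case 1 expects
        (5, {REASON_CODE_OID: encode_reason_code(CRLReason.privilegeWithdrawn)}, 48),
    ]
    for case, exts, hours in samples:
        print(case, check_entry(case, exts, hours) or ["ok"])
```

<p>The table encodes the 8 September list, so a case 5 entry carrying privilegeWithdrawn is flagged; the later message at the top of this thread argues for privilegeWithdrawn in that case, and if the ballot goes that way the single dictionary entry is the only change needed. Real CRL entries would be parsed with an ASN.1 library first; the decoder here handles only the extension value bytes.</p>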
    <br>
  </body>
</html>