<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
Ben, these changes look good. <br>
<br>
Is there anything we can do for:<br>
<br>
<blockquote type="cite"><i>5. The CA obtains evidence that the
validation of domain authorization or control for any
Fully-Qualified Domain Name or IP address in the Certificate
should not be relied upon (CRLReason #4, superseded [or
CRLReason #9, privilegeWithdrawn]).</i></blockquote>
<br>
I believe we should stick with "privilegeWithdrawn" for this case
regardless of whether the certificate has been replaced or not. It's best to
have one option rather than two.<br>
<br>
For the "superseded" cases:<br>
<br>
<blockquote type="cite"><i>1. The Certificate no longer complies
with the requirements of [Section 6.1.5](#615-key-sizes) and
[Section
6.1.6](#616-public-key-parameters-generation-and-quality-checking)
(CRLReason #4, superseded);</i></blockquote>
<blockquote type="cite"><i>7. The CA is made aware that the
Certificate was not issued in accordance with these Requirements
or the CA's Certificate Policy or Certification Practice
Statement (CRLReason #4, superseded);</i></blockquote>
<blockquote type="cite"><i>10. Revocation is required by the CA's
Certificate Policy and/or Certification Practice Statement
(CRLReason #4, superseded); or</i></blockquote>
<br>
what exactly is the rationale for this CRLReason? Is it that these
certificates will <b>necessarily</b> be replaced by compliant
ones, that "supersede" (i.e. replace) the old ones? What if the CA
decides not to replace certificates under these revocation cases?<br>
<br>
Once we clarify these few areas, I'd be happy to endorse this
ballot.<br>
<br>
<br>
Thanks,<br>
Dimitris.<br>
<br>
<div class="moz-cite-prefix">On 14/9/2022 6:37 AM, Ben Wilson
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:CA+1gtab9bAGg3zGEeDgdTW5HDeeu8Zr4ewrS9CKEQbyFb5ChLw@mail.gmail.com">
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<div dir="ltr">
<div>Here is the most current comparison:</div>
<div><br>
</div>
<div><a
href="https://github.com/cabforum/servercert/compare/bbca71465ed8a8a76383086039f52c750009286a..1699612e5157423f607d67cc8ab9dc3a1d52b318"
moz-do-not-send="true" class="moz-txt-link-freetext">https://github.com/cabforum/servercert/compare/bbca71465ed8a8a76383086039f52c750009286a..1699612e5157423f607d67cc8ab9dc3a1d52b318</a></div>
<div><br>
</div>
<div>Ben<br>
</div>
</div>
<br>
<div class="gmail_quote">
<div dir="ltr" class="gmail_attr">On Mon, Sep 12, 2022 at 11:00
AM Ben Wilson <<a href="mailto:bwilson@mozilla.com"
moz-do-not-send="true" class="moz-txt-link-freetext">bwilson@mozilla.com</a>>
wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div dir="ltr">
<div>Here is another edit that tries to make minimal changes
to BR section 4.9.1.1.</div>
<div><a
href="https://github.com/BenWilson-Mozilla/servercert/commit/94a07d08855cf489a2bdddff7d8a9490969d5d06"
target="_blank" moz-do-not-send="true"
class="moz-txt-link-freetext">https://github.com/BenWilson-Mozilla/servercert/commit/94a07d08855cf489a2bdddff7d8a9490969d5d06</a></div>
<div><br>
</div>
<div>Ben<br>
</div>
</div>
<br>
<div class="gmail_quote">
<div dir="ltr" class="gmail_attr">On Mon, Sep 12, 2022 at
9:51 AM Ben Wilson via Servercert-wg <<a
href="mailto:servercert-wg@cabforum.org" target="_blank"
moz-do-not-send="true" class="moz-txt-link-freetext">servercert-wg@cabforum.org</a>>
wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left:1px solid
rgb(204,204,204);padding-left:1ex">
<div dir="ltr">
<div>Thanks, Dimitris. I'll work on that approach and
get something back to you soon.</div>
<div>Ben<br>
</div>
</div>
<br>
<div class="gmail_quote">
<div dir="ltr" class="gmail_attr">On Mon, Sep 12, 2022
at 2:56 AM Dimitris Zacharopoulos (HARICA) <<a
href="mailto:dzacharo@harica.gr" target="_blank"
moz-do-not-send="true" class="moz-txt-link-freetext">dzacharo@harica.gr</a>>
wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px
0px 0.8ex;border-left:1px solid
rgb(204,204,204);padding-left:1ex">
<div> Hi Ben,<br>
<br>
After a quick reading, I noticed that the
subsections are not symmetrical and a bit
inconsistent. For example, some of them contain the
statement "the CA SHOULD revoke a certificate within
24 hours and MUST revoke a Certificate within 5
days", some do not.<br>
<br>
Other examples:<br>
<ul>
<li>4.9.1.1.1, is labeled "Subscriber-Requested
Revocation", however there are other subsections
that are also "Subscriber-Requested". This
separation seems confusing.</li>
<li>4.9.1.1.4 is about unreliable validation but
most of the remaining subsections are titled
after the RFC 5280 revocation reasons.<br>
</li>
</ul>
Finally, it's not very clear when the "unspecified
(0)" reason must be used because of section
4.9.1.1.8 (Other Circumstances) which doesn't point
to a revocation reason.<br>
<br>
From my perspective, I'm not sure if breaking down
each subsection is more helpful for reading the
revocation requirements than the current listing. I
understand there is a desire to copy the MRSP
language as much as possible but perhaps we need to
consider a less "intrusive" set of changes to a
section that CAs already have a difficult time
reading and implementing.<br>
<br>
IMO we either need to describe the revocation
scenario and point to the RFC 5280 revocation reason
(closer to what the BRs have today), or start with
the RFC 5280 revocation reasons and enumerate the
revocation scenarios (closer to what MRSP has
today). I find it confusing to mix the two
approaches.<br>
<br>
<br>
Thanks,<br>
Dimitris.<br>
<br>
<br>
<div>On 12/9/2022 6:32 AM, Ben Wilson wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">
<div>For review - here is another proposal that
takes BR section 4.9.1.1 and puts the 24-hour
and 5-day revocation times into subsections
that match the CRL reason codes. <br>
</div>
<div><br>
</div>
<div><a
href="https://github.com/BenWilson-Mozilla/servercert/commit/b185a28fcc20d5853747e4506103823e3dc7c282"
target="_blank" moz-do-not-send="true"
class="moz-txt-link-freetext">https://github.com/BenWilson-Mozilla/servercert/commit/b185a28fcc20d5853747e4506103823e3dc7c282</a></div>
<div><br>
</div>
<div>Ben<br>
</div>
</div>
<br>
<div class="gmail_quote">
<div dir="ltr" class="gmail_attr">On Thu, Sep 8,
2022 at 12:05 PM Dimitris Zacharopoulos
(HARICA) <<a
href="mailto:dzacharo@harica.gr"
target="_blank" moz-do-not-send="true"
class="moz-txt-link-freetext">dzacharo@harica.gr</a>>
wrote:<br>
</div>
<blockquote class="gmail_quote"
style="margin:0px 0px 0px
0.8ex;border-left:1px solid
rgb(204,204,204);padding-left:1ex">
<div> Good point.<br>
<br>
s/expected/shall use/<br>
<br>
<br>
<br>
<div>On 8/9/2022 8:26 PM, Tim Hollebeek
wrote:<br>
</div>
<blockquote type="cite">
<div>
<p class="MsoNormal">I would prefer
standard 2119 language instead of an
“expectation”. There are no
documented rules for what it means for
a CRLReason to be expected to be a
certain value.</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">-Tim</p>
<p class="MsoNormal"> </p>
<div style="border-color:currentcolor
currentcolor currentcolor
blue;border-style:none none none
solid;border-width:medium medium
medium 1.5pt;padding:0in 0in 0in 4pt">
<div>
<div
style="border-color:rgb(225,225,225)
currentcolor
currentcolor;border-style:solid
none none;border-width:1pt medium
medium;padding:3pt 0in 0in">
<p class="MsoNormal"><b>From:</b>
Servercert-wg <a
href="mailto:servercert-wg-bounces@cabforum.org"
target="_blank"
moz-do-not-send="true"><servercert-wg-bounces@cabforum.org></a>
<b>On Behalf Of </b>Dimitris
Zacharopoulos (HARICA) via
Servercert-wg<br>
<b>Sent:</b> Thursday, September
8, 2022 3:21 AM<br>
<b>To:</b> Ben Wilson <a
href="mailto:bwilson@mozilla.com"
target="_blank"
moz-do-not-send="true"><bwilson@mozilla.com></a>;
CA/B Forum Server Certificate WG
Public Discussion List <a
href="mailto:servercert-wg@cabforum.org"
target="_blank"
moz-do-not-send="true"><servercert-wg@cabforum.org></a><br>
<b>Subject:</b> Re:
[Servercert-wg] Proposal to
Incorporate Mozilla's CRL
Revocation Reason Code
Requirements into the BRs</p>
</div>
</div>
<p class="MsoNormal"> </p>
<p class="MsoNormal"
style="margin-bottom:12pt"> </p>
<div>
<p class="MsoNormal">On 7/9/2022
8:22 PM, Ben Wilson wrote:</p>
</div>
<blockquote
style="margin-top:5pt;margin-bottom:5pt">
<div>
<div>
<p class="MsoNormal">Good
suggestion. I can re-work a
proposal that re-writes BR
sec. 4.9.1.1 to re-group the
revocation reasons into the
reason codes that should be
used. Is that what you were
thinking? </p>
</div>
</div>
</blockquote>
<p class="MsoNormal"><br>
Yes. We should also try to keep the
current BRs prioritization. The
section begins with the cases where
the Certificate(s) need to be
revoked within 24h and then moves to
the 5-day revocation cases.<br>
<br>
We could walk this list down making
sure that all Mozilla cases are
listed (add the ones that are not)
and add the expected
revocationReason for each case. For
example:</p>
<p><i>The CA SHALL revoke a
Certificate within 24 hours if one
or more of the following occurs:</i></p>
<ol type="1" start="1">
<li class="MsoNormal"> <i>The
Subscriber requests in writing
that the CA revoke the
Certificate (expected CRLReason: <b>unspecified</b>);</i></li>
<li class="MsoNormal"> <i>The
Subscriber notifies the CA that
the original certificate request
was not authorized and does not
retroactively grant
authorization (expected
CRLReason: <b>privilegeWithdrawn</b>);</i></li>
<li class="MsoNormal"> <i>The CA
obtains evidence that the
Subscriber's Private Key
corresponding to the Public Key
in the Certificate suffered a
Key Compromise (expected
CRLReason: <b>keyCompromise</b>);</i></li>
<li class="MsoNormal"> <i>The CA is
made aware of a demonstrated or
proven method that can easily
compute the Subscriber's Private
Key based on the Public Key in
the Certificate (such as a
Debian weak key, see <a
href="https://wiki.debian.org/SSLkeys"
target="_blank"
moz-do-not-send="true"
class="moz-txt-link-freetext">https://wiki.debian.org/SSLkeys</a>)
(expected CRLReason: <b>keyCompromise</b>);</i></li>
<li class="MsoNormal"> <i>The CA
obtains evidence that the
validation of domain
authorization or control for any
Fully-Qualified Domain Name or
IP address in the Certificate
should not be relied upon
(expected CRLReason: <b>superseded</b>).</i></li>
</ol>
<p class="MsoNormal">and so on.<br>
<br>
Does that work?<br>
<br>
Dimitris.<br>
<br>
<br>
</p>
<blockquote
style="margin-top:5pt;margin-bottom:5pt">
<div>
<div>
<p class="MsoNormal">Thanks,</p>
</div>
<div>
<p class="MsoNormal">Ben</p>
</div>
</div>
<p class="MsoNormal"> </p>
<div>
<div>
<p class="MsoNormal">On Wed, Sep
7, 2022 at 6:01 AM Dimitris
Zacharopoulos (HARICA) via
Servercert-wg <<a
href="mailto:servercert-wg@cabforum.org"
target="_blank"
moz-do-not-send="true"
class="moz-txt-link-freetext">servercert-wg@cabforum.org</a>>
wrote:</p>
</div>
<blockquote
style="border-color:currentcolor
currentcolor currentcolor
rgb(204,204,204);border-style:none
none none
solid;border-width:medium medium
medium 1pt;padding:0in 0in 0in
6pt;margin-left:4.8pt;margin-right:0in">
<div>
<p class="MsoNormal"
style="margin-bottom:12pt">Hi
Ben,<br>
<br>
I believe the proposal, as
written, causes confusion in
regards to 4.9.1.1. Some of
the reasons described in
your proposal are already
mentioned in 4.9.1.1.
Perhaps we should work some
more to "unify" the two
sections.<br>
<br>
My proposal would be to
update 4.9.1.1 and include
the expected CRLReason after
each case.<br>
<br>
<br>
Thoughts?<br>
Dimitris.</p>
<div>
<p class="MsoNormal">On
6/9/2022 8:13 PM, Ben
Wilson via Servercert-wg
wrote:</p>
</div>
<blockquote
style="margin-top:5pt;margin-bottom:5pt">
<div>
<div>
<p class="MsoNormal">All,</p>
</div>
<div>
<p class="MsoNormal">I'm
looking for one more
endorser.</p>
</div>
<div>
<p class="MsoNormal">Thanks,</p>
</div>
<div>
<p class="MsoNormal">Ben</p>
</div>
</div>
<p class="MsoNormal"> </p>
<div>
<div>
<p class="MsoNormal">On
Fri, Jul 29, 2022 at
12:40 PM Ben Wilson
via Servercert-wg <<a
href="mailto:servercert-wg@cabforum.org" target="_blank"
moz-do-not-send="true"
class="moz-txt-link-freetext">servercert-wg@cabforum.org</a>> wrote:</p>
</div>
<blockquote
style="border-color:currentcolor
currentcolor
currentcolor
rgb(204,204,204);border-style:none
none none
solid;border-width:medium
medium medium
1pt;padding:0in 0in 0in
6pt;margin-left:4.8pt;margin-right:0in">
<div>
<div>
<p class="MsoNormal">All,</p>
</div>
<div>
<p class="MsoNormal"> </p>
</div>
<div>
<p class="MsoNormal">I
have created a
proposal in Github
to incorporate
Mozilla's CRL
Revocation Reason
Code requirements
into the Baseline
Requirements. </p>
</div>
<div>
<p class="MsoNormal"> </p>
</div>
<div>
<p class="MsoNormal">See
<a
href="https://github.com/cabforum/servercert/issues/377"
target="_blank"
moz-do-not-send="true" class="moz-txt-link-freetext">
https://github.com/cabforum/servercert/issues/377</a></p>
</div>
<div>
<p class="MsoNormal"> </p>
</div>
<div>
<p class="MsoNormal"><a
href="https://github.com/BenWilson-Mozilla/servercert/commit/52a480803beff1f96d61c4b6d76570ac7adff4d5"
target="_blank"
moz-do-not-send="true" class="moz-txt-link-freetext">https://github.com/BenWilson-Mozilla/servercert/commit/52a480803beff1f96d61c4b6d76570ac7adff4d5</a></p>
</div>
<div>
<p class="MsoNormal"> </p>
</div>
<div>
<p class="MsoNormal">I'm
looking for
comments,
suggestions, and
two endorsers.</p>
</div>
<div>
<p class="MsoNormal"> </p>
</div>
<div>
<p class="MsoNormal">Thanks,</p>
</div>
<div>
<p class="MsoNormal"> </p>
</div>
<div>
<p class="MsoNormal">Ben</p>
</div>
</div>
<p class="MsoNormal">_______________________________________________<br>
Servercert-wg mailing
list<br>
<a
href="mailto:Servercert-wg@cabforum.org"
target="_blank"
moz-do-not-send="true"
class="moz-txt-link-freetext">Servercert-wg@cabforum.org</a><br>
<a
href="https://lists.cabforum.org/mailman/listinfo/servercert-wg"
target="_blank"
moz-do-not-send="true"
class="moz-txt-link-freetext">https://lists.cabforum.org/mailman/listinfo/servercert-wg</a></p>
</blockquote>
</div>
<p class="MsoNormal"><br>
<br>
</p>
</blockquote>
<p class="MsoNormal"> </p>
</div>
</blockquote>
</div>
</blockquote>
<p class="MsoNormal"> </p>
</div>
</div>
</blockquote>
<br>
</div>
</blockquote>
</div>
</blockquote>
<br>
</div>
</blockquote>
</div>
</blockquote>
</div>
</blockquote>
</div>
</blockquote>
<br>
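<p>The mapping Dimitris sketches in the thread above (BR 4.9.1.1 revocation scenarios to RFC 5280 CRLReason values) is something a CA or a relying party can check mechanically on published CRLs. The Go program below is an added example, not code from the thread or from any CA/Browser Forum or Mozilla project: using only the standard library, it parses a DER CRL and reports every entry whose reason code falls outside an assumed allow-list built from the four values the thread names (unspecified, keyCompromise, superseded, privilegeWithdrawn); the CRL it audits is constructed in-program by a throwaway CA and includes one certificateHold (6) entry that should be flagged.</p>

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"fmt"
	"math/big"
	"time"
)

var allowedReasons = map[int]string{0: "unspecified", 1: "keyCompromise", 4: "superseded", 9: "privilegeWithdrawn"} // assumed allow-list: the RFC 5280 CRLReason values the proposed BR 4.9.1.1 text in this thread uses

// AuditCRL returns every entry of a DER-encoded CRL whose reason code is outside the allow-list; Go reports an absent CRLReason extension as 0 (unspecified).
func AuditCRL(der []byte) ([]x509.RevocationListEntry, error) {
	crl, err := x509.ParseRevocationList(der)
	if err != nil {
		return nil, err
	}
	var bad []x509.RevocationListEntry
	for _, e := range crl.RevokedCertificateEntries {
		if _, ok := allowedReasons[e.ReasonCode]; !ok {
			bad = append(bad, e)
		}
	}
	return bad, nil
}

// SampleCRL is a constructed test CRL (not from the thread): a throwaway CA signs entries with reasons 1, 4, 6 and 9, so only serial 3 (certificateHold) should be reported.
func SampleCRL() []byte {
	check := func(err error) { if err != nil { panic(err) } }
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	now := time.Now()
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: now, NotAfter: now.Add(48 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &key.PublicKey, key)
	check(err)
	ca, err := x509.ParseCertificate(caDER) // the parsed copy carries the SubjectKeyId that CreateRevocationList requires
	check(err)
	entries := []x509.RevocationListEntry{{SerialNumber: big.NewInt(1), RevocationTime: now, ReasonCode: 1}, {SerialNumber: big.NewInt(2), RevocationTime: now, ReasonCode: 4},
		{SerialNumber: big.NewInt(3), RevocationTime: now, ReasonCode: 6}, {SerialNumber: big.NewInt(4), RevocationTime: now, ReasonCode: 9}}
	tmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(24 * time.Hour), RevokedCertificateEntries: entries}
	der, err := x509.CreateRevocationList(rand.Reader, tmpl, ca, key)
	check(err)
	return der
}

func main() { fmt.Println(AuditCRL(SampleCRL())) }
```

Requires Go 1.21 or later for x509.RevocationListEntry; on a real CRL, replace SampleCRL() with the DER bytes fetched from the CA's CRL distribution point.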
</body>
</html>