<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
Aaron, Corey,<br>
<br>
The cleanup ballot is already in progress and I believe the WG hopes
to move with the profiles ballot next. Aaron's proposed ballot to
update the CRL profile will definitely conflict with the profiles
ballot so we need to be careful if we run both ballots at the same
time. If we are to have separate ballots, my hope is that this CRL
profile ballot is done after the profiles one.<br>
<br>
<br>
Thanks,<br>
Dimitris.<br>
<br>
<div class="moz-cite-prefix">On 14/10/2022 9:05 PM, Corey Bonnell
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:DM6PR14MB2186E6E5669C4D9E04D2E3C092249@DM6PR14MB2186.namprd14.prod.outlook.com">
<div class="WordSection1">
<p class="MsoNormal">I have a slight preference for keeping this
proposal separate, if only to avoid expanding the scope (pun
intended) of an already very large ballot.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">If an additional endorser is needed, I’d
also be happy to endorse.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Thanks,<o:p></o:p></p>
<p class="MsoNormal">Corey<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<div style="border:none;border-top:solid #E1E1E1
1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b>From:</b> Servercert-wg
<a class="moz-txt-link-rfc2396E" href="mailto:servercert-wg-bounces@cabforum.org">&lt;servercert-wg-bounces@cabforum.org&gt;</a> <b>On Behalf
Of </b>Dimitris Zacharopoulos (HARICA) via
Servercert-wg<br>
<b>Sent:</b> Friday, October 14, 2022 1:33 PM<br>
<b>To:</b> Aaron Gable <a class="moz-txt-link-rfc2396E" href="mailto:aaron@letsencrypt.org">&lt;aaron@letsencrypt.org&gt;</a>; CA/B
Forum Server Certificate WG Public Discussion List
<a class="moz-txt-link-rfc2396E" href="mailto:servercert-wg@cabforum.org">&lt;servercert-wg@cabforum.org&gt;</a><br>
<b>Subject:</b> Re: [Servercert-wg] Ballot proposal:
require distributionPoint in sharded CRLs<o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-bottom:12.0pt"><br>
Hi Aaron, <br>
<br>
If there are no objections from others, would it be ok if we
add this proposal to the upcoming profiles ballot which will
be discussed at the F2F, and merge your PR in the profiles
branch? I would just set the date to whatever effective date
we decide, other than Jan 1 :) <br>
<br>
The change seems rather uncontroversial. I'd be willing to
endorse a separate ballot if the group decides not to include
it in the profiles ballot. <br>
<br>
<br>
Thanks, <br>
Dimitris.<br>
<br>
<br>
<br>
<o:p></o:p></p>
<div>
<p class="MsoNormal">On 14/10/2022 8:04 PM, Aaron Gable via
Servercert-wg wrote:<o:p></o:p></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<p class="MsoNormal">Hi all, <o:p></o:p></p>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Based on a long discussion[1] on
MDSP, I've come to the conclusion that it would be good
for the BRs to specifically mandate that
sharded/partitioned CRLs include the Issuing
Distribution Point extension and its distributionPoint
field. This is both because the field is important to
defend against replacement attacks, and because RFC
5280's language seems to actually say something
different and has led to a long discussion on
interpretation.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">To this end, I would like to propose
a ballot to include explicit language to this effect in
the BRs:<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal"><a
href="https://github.com/cabforum/servercert/pull/396"
moz-do-not-send="true" class="moz-txt-link-freetext">https://github.com/cabforum/servercert/pull/396</a><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Clint Wilson at Mozilla has kindly
agreed to endorse; I'm seeking a second endorser (and
any thoughts and opinions on the ballot text itself, of
course!) so that it can be assigned a ballot number and
officially open the discussion period.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Thanks,<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">Aaron<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">[1] <a
href="https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/qhrGxLvyreU"
moz-do-not-send="true" class="moz-txt-link-freetext">https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/qhrGxLvyreU</a><o:p></o:p></p>
</div>
</div>
</blockquote>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</blockquote>
<br>
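The replacement-attack defence mentioned in Aaron's quoted message, as an added example that is not part of the thread or of the ballot text: a relying-party check that a sharded CRL names its own shard and that the name matches the certificate's CRL Distribution Point. The classes, URLs and serial numbers are constructed for illustration, and signature validation is reduced to a boolean.<br>

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional

@dataclass(frozen=True)
class Cert:
    serial: int
    crldp_uris: FrozenSet[str]           # URIs in cRLDistributionPoints

@dataclass(frozen=True)
class Crl:
    revoked: FrozenSet[int]              # serials listed in this shard
    idp_uris: Optional[FrozenSet[str]]   # IDP distributionPoint URIs, None if absent
    signature_ok: bool = True            # stand-in for real signature validation

def crl_in_scope(cert: Cert, crl: Crl, require_idp: bool = True) -> bool:
    """True if this CRL may be used to decide this certificate's status."""
    if not crl.signature_ok:
        return False
    if crl.idp_uris is None:
        # Without a distributionPoint the CRL does not say which shard it is.
        return not require_idp
    # One name in the IDP must match one name in the certificate's CRLDP.
    return bool(crl.idp_uris & cert.crldp_uris)

def status(cert: Cert, crl: Crl, require_idp: bool = True) -> str:
    if not crl_in_scope(cert, crl, require_idp):
        return "unusable"
    return "revoked" if cert.serial in crl.revoked else "good"

# Constructed sample data: two shards from one CA, certificate 1001 is revoked.
SHARD1 = "http://crl.example/1.crl"
SHARD2 = "http://crl.example/2.crl"
cert = Cert(serial=1001, crldp_uris=frozenset({SHARD1}))
shard1 = Crl(revoked=frozenset({1001}), idp_uris=frozenset({SHARD1}))
shard2_bare = Crl(revoked=frozenset({2002}), idp_uris=None)
shard2_idp = Crl(revoked=frozenset({2002}), idp_uris=frozenset({SHARD2}))

if __name__ == "__main__":
    print("correct shard:           ", status(cert, shard1))
    print("swapped, no IDP, lenient:", status(cert, shard2_bare, require_idp=False))
    print("swapped, no IDP, strict: ", status(cert, shard2_bare))
    print("swapped, IDP present:    ", status(cert, shard2_idp))
```

The lenient case is the one the proposal closes: a validly signed CRL for a different shard is accepted and the revoked certificate is reported as good.<br>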
</body>
</html>