<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
        {font-family:Wingdings;
        panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
        {font-family:"Cambria Math";
        panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
        {font-family:Calibri;
        panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0cm;
        font-size:11.0pt;
        font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
        {mso-style-priority:99;
        color:blue;
        text-decoration:underline;}
span.EmailStyle20
        {mso-style-type:personal-compose;
        font-family:"Calibri",sans-serif;
        color:windowtext;}
.MsoChpDefault
        {mso-style-type:export-only;
        font-size:10.0pt;}
@page WordSection1
        {size:612.0pt 792.0pt;
        margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.WordSection1
        {page:WordSection1;}
/* List Definitions */
@list l0
        {mso-list-id:141123134;
        mso-list-template-ids:-1954617790;}
@list l0:level1
        {mso-level-number-format:bullet;
        mso-level-text:\F0B7;
        mso-level-tab-stop:36.0pt;
        mso-level-number-position:left;
        text-indent:-18.0pt;
        mso-ansi-font-size:10.0pt;
        font-family:Symbol;}
@list l0:level2
        {mso-level-number-format:bullet;
        mso-level-text:o;
        mso-level-tab-stop:72.0pt;
        mso-level-number-position:left;
        text-indent:-18.0pt;
        mso-ansi-font-size:10.0pt;
        font-family:"Courier New";
        mso-bidi-font-family:"Times New Roman";}
@list l0:level3
        {mso-level-number-format:bullet;
        mso-level-text:\F0A7;
        mso-level-tab-stop:108.0pt;
        mso-level-number-position:left;
        text-indent:-18.0pt;
        mso-ansi-font-size:10.0pt;
        font-family:Wingdings;}
@list l0:level4
        {mso-level-number-format:bullet;
        mso-level-text:\F0A7;
        mso-level-tab-stop:144.0pt;
        mso-level-number-position:left;
        text-indent:-18.0pt;
        mso-ansi-font-size:10.0pt;
        font-family:Wingdings;}
@list l0:level5
        {mso-level-number-format:bullet;
        mso-level-text:\F0A7;
        mso-level-tab-stop:180.0pt;
        mso-level-number-position:left;
        text-indent:-18.0pt;
        mso-ansi-font-size:10.0pt;
        font-family:Wingdings;}
@list l0:level6
        {mso-level-number-format:bullet;
        mso-level-text:\F0A7;
        mso-level-tab-stop:216.0pt;
        mso-level-number-position:left;
        text-indent:-18.0pt;
        mso-ansi-font-size:10.0pt;
        font-family:Wingdings;}
@list l0:level7
        {mso-level-number-format:bullet;
        mso-level-text:\F0A7;
        mso-level-tab-stop:252.0pt;
        mso-level-number-position:left;
        text-indent:-18.0pt;
        mso-ansi-font-size:10.0pt;
        font-family:Wingdings;}
@list l0:level8
        {mso-level-number-format:bullet;
        mso-level-text:\F0A7;
        mso-level-tab-stop:288.0pt;
        mso-level-number-position:left;
        text-indent:-18.0pt;
        mso-ansi-font-size:10.0pt;
        font-family:Wingdings;}
@list l0:level9
        {mso-level-number-format:bullet;
        mso-level-text:\F0A7;
        mso-level-tab-stop:324.0pt;
        mso-level-number-position:left;
        text-indent:-18.0pt;
        mso-ansi-font-size:10.0pt;
        font-family:Wingdings;}
@list l1
        {mso-list-id:412437033;
        mso-list-template-ids:-2116410758;}
@list l2
        {mso-list-id:870384234;
        mso-list-template-ids:-1730754414;}
@list l2:level1
        {mso-level-number-format:bullet;
        mso-level-text:\F0B7;
        mso-level-tab-stop:36.0pt;
        mso-level-number-position:left;
        text-indent:-18.0pt;
        mso-ansi-font-size:10.0pt;
        font-family:Symbol;}
@list l2:level2
        {mso-level-number-format:bullet;
        mso-level-text:o;
        mso-level-tab-stop:72.0pt;
        mso-level-number-position:left;
        text-indent:-18.0pt;
        mso-ansi-font-size:10.0pt;
        font-family:"Courier New";
        mso-bidi-font-family:"Times New Roman";}
@list l2:level3
        {mso-level-number-format:bullet;
        mso-level-text:\F0A7;
        mso-level-tab-stop:108.0pt;
        mso-level-number-position:left;
        text-indent:-18.0pt;
        mso-ansi-font-size:10.0pt;
        font-family:Wingdings;}
@list l2:level4
        {mso-level-number-format:bullet;
        mso-level-text:\F0A7;
        mso-level-tab-stop:144.0pt;
        mso-level-number-position:left;
        text-indent:-18.0pt;
        mso-ansi-font-size:10.0pt;
        font-family:Wingdings;}
@list l2:level5
        {mso-level-number-format:bullet;
        mso-level-text:\F0A7;
        mso-level-tab-stop:180.0pt;
        mso-level-number-position:left;
        text-indent:-18.0pt;
        mso-ansi-font-size:10.0pt;
        font-family:Wingdings;}
@list l2:level6
        {mso-level-number-format:bullet;
        mso-level-text:\F0A7;
        mso-level-tab-stop:216.0pt;
        mso-level-number-position:left;
        text-indent:-18.0pt;
        mso-ansi-font-size:10.0pt;
        font-family:Wingdings;}
@list l2:level7
        {mso-level-number-format:bullet;
        mso-level-text:\F0A7;
        mso-level-tab-stop:252.0pt;
        mso-level-number-position:left;
        text-indent:-18.0pt;
        mso-ansi-font-size:10.0pt;
        font-family:Wingdings;}
@list l2:level8
        {mso-level-number-format:bullet;
        mso-level-text:\F0A7;
        mso-level-tab-stop:288.0pt;
        mso-level-number-position:left;
        text-indent:-18.0pt;
        mso-ansi-font-size:10.0pt;
        font-family:Wingdings;}
@list l2:level9
        {mso-level-number-format:bullet;
        mso-level-text:\F0A7;
        mso-level-tab-stop:324.0pt;
        mso-level-number-position:left;
        text-indent:-18.0pt;
        mso-ansi-font-size:10.0pt;
        font-family:Wingdings;}
@list l3
        {mso-list-id:1738745993;
        mso-list-template-ids:-1830891886;}
@list l3:level1
        {mso-level-start-at:2;
        mso-level-tab-stop:36.0pt;
        mso-level-number-position:left;
        text-indent:-18.0pt;}
@list l4
        {mso-list-id:1928885974;
        mso-list-template-ids:-1586980974;}
@list l3:level1 lfo4
        {mso-level-start-at:0;
        mso-level-numbering:continue;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        margin-left:0cm;
        text-indent:0cm;}
@list l3:level1 lfo5
        {mso-level-start-at:0;
        mso-level-numbering:continue;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        margin-left:0cm;
        text-indent:0cm;}
@list l3:level1 lfo6
        {mso-level-start-at:0;
        mso-level-numbering:continue;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        margin-left:0cm;
        text-indent:0cm;}
@list l3:level1 lfo7
        {mso-level-start-at:0;
        mso-level-numbering:continue;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        margin-left:0cm;
        text-indent:0cm;}
ol
        {margin-bottom:0cm;}
ul
        {margin-bottom:0cm;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="en-SE" link="blue" vlink="purple" style="word-wrap:break-word">
<div class="WordSection1">
<p class="MsoNormal"><span lang="EN-US" style="mso-fareast-language:EN-US">Ryan,<br>
<br>
Would you be able to make this into a draft pull request already? That may aid in discussing and adding suggestions directly in GitHub.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="mso-fareast-language:EN-US">At the moment, the one item that caught my attention is the proposed removal of the requirement to revoke short-lived subscriber certificates. 
<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="mso-fareast-language:EN-US">As I understand it, the proposal on the one hand removes the need to add an OCSP Pointer and CRLDP to Short-lived Subscriber Certificates. However, with the current requirement from several
 root store operators to disclose CRLs in CCADB (even when not actually included in the subscriber certificates), CAs still need to generate and publish CRLs, even for Short-lived Subscriber Certificates.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="mso-fareast-language:EN-US">The proposal to remove the 24-hour and 5-day revocation rules for these certificates seems to make it completely impossible to revoke them, which looks like yet another
 security boundary being removed. <o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="mso-fareast-language:EN-US">I can’t help but think the contrast here is stark. Are we ready to accept potential subscriber key compromises with no ability to revoke at all for up to 10 days, versus the currently
 required revocation within 24 hours?<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="mso-fareast-language:EN-US"><br>
Martijn<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="en-SE" style="mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span lang="EN-US">From:</span></b><span lang="EN-US"> Servercert-wg <servercert-wg-bounces@cabforum.org>
<b>On Behalf Of </b>Ryan Dickson via Servercert-wg<br>
<b>Sent:</b> Tuesday, 1 November 2022 13:51<br>
<b>To:</b> ServerCert CA/BF <servercert-wg@cabforum.org><br>
<b>Subject:</b> [Servercert-wg] Following up: Proposal to make OCSP optional (introduced at Face-to-Face 57)<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<div>
<p style="margin:0cm"><span style="font-family:"Arial",sans-serif;color:#0E101A">Hi all,</span><o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p style="margin:0cm"><span style="font-family:"Arial",sans-serif;color:#0E101A">I am following up on our discussions from last week’s Face-to-Face meeting in Berlin.</span><o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p style="margin:0cm"><span style="font-family:"Arial",sans-serif;color:#0E101A">During the SCWG, I shared
</span><a href="https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdocs.google.com%2Fdocument%2Fd%2F180T6cDSWPy54Rb5d6R4zN7MuLEMShaZ4IRLQgdPqE98%2Fedit&data=05%7C01%7Cmartijn.katerbarg%40sectigo.com%7Cfb8f20d33c014483310508dabc07b273%7C0e9c48946caa465d96604b6968b49fb7%7C0%7C0%7C638029038496783843%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=IxGeR8SIaBoejzGxWJ9wt3QyEGIdkNwLmvDvrN%2F9ni4%3D&reserved=0"><span style="font-family:"Arial",sans-serif;color:#4A6EE0">this</span></a><span style="font-family:"Arial",sans-serif;color:#0E101A">
 link that describes a proposal for a <a href="https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fcabforum%2Fservercert%2Fcompare%2Fprofiles...ryancdickson%3Astaging%3Aprofiles&data=05%7C01%7Cmartijn.katerbarg%40sectigo.com%7Cfb8f20d33c014483310508dabc07b273%7C0e9c48946caa465d96604b6968b49fb7%7C0%7C0%7C638029038496783843%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=eqcrkqO1V9KOyRP1Bk3bNRhNih4OUq4sYcQ6jLSuxH4%3D&reserved=0">
future ballot</a> that:</span><o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<ol start="1" type="1">
<li class="MsoNormal" style="color:#0E101A;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l4 level1 lfo1;vertical-align:baseline;font-variant-numeric:normal;font-variant-east-asian:normal">
<span style="font-family:"Arial",sans-serif"><o:p> </o:p></span></li><li style="color:#0E101A;margin-top:0cm;margin-bottom:0cm;mso-list:l4 level1 lfo1;vertical-align:baseline">
<span style="font-family:"Arial",sans-serif"><o:p> </o:p></span></li><li style="color:#0E101A;margin-top:0cm;margin-bottom:0cm;mso-list:l4 level1 lfo1;vertical-align:baseline">
<span style="font-family:"Arial",sans-serif">Requires CAs generate and publish either:<o:p></o:p></span></li><li class="MsoNormal" style="color:#0E101A;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l4 level1 lfo1;vertical-align:baseline">
<span style="font-family:"Arial",sans-serif"><o:p> </o:p></span></li></ol>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:72.0pt;text-indent:-18.0pt;mso-list:l0 level1 lfo2;vertical-align:baseline">
<![if !supportLists]><span style="font-size:10.0pt;font-family:Symbol;color:#0E101A"><span style="mso-list:Ignore">·<span style="font:7.0pt "Times New Roman"">      
</span></span></span><![endif]><span style="font-family:"Arial",sans-serif;color:#0E101A"><o:p> </o:p></span></p>
<p style="mso-margin-top-alt:0cm;margin-right:0cm;margin-bottom:0cm;margin-left:72.0pt;text-indent:-18.0pt;mso-list:l0 level1 lfo2;vertical-align:baseline">
<![if !supportLists]><span style="font-size:10.0pt;font-family:Symbol;color:#0E101A"><span style="mso-list:Ignore">·<span style="font:7.0pt "Times New Roman"">      
</span></span></span><![endif]><span style="font-family:"Arial",sans-serif;color:#0E101A"><o:p> </o:p></span></p>
<p style="mso-margin-top-alt:0cm;margin-right:0cm;margin-bottom:0cm;margin-left:72.0pt;text-indent:-18.0pt;mso-list:l0 level1 lfo2;vertical-align:baseline">
<![if !supportLists]><span style="font-size:10.0pt;font-family:Symbol;color:#0E101A"><span style="mso-list:Ignore">·<span style="font:7.0pt "Times New Roman"">      
</span></span></span><![endif]><span style="font-family:"Arial",sans-serif;color:#0E101A">a full and complete CRL, or<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:72.0pt;text-indent:-18.0pt;mso-list:l0 level1 lfo2;vertical-align:baseline">
<![if !supportLists]><span style="font-size:10.0pt;font-family:Symbol;color:#0E101A"><span style="mso-list:Ignore">·<span style="font:7.0pt "Times New Roman"">      
</span></span></span><![endif]><span style="font-family:"Arial",sans-serif;color:#0E101A"><o:p> </o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:72.0pt;text-indent:-18.0pt;mso-list:l0 level1 lfo2;vertical-align:baseline">
<![if !supportLists]><span style="font-size:10.0pt;font-family:Symbol;color:#0E101A"><span style="mso-list:Ignore">·<span style="font:7.0pt "Times New Roman"">      
</span></span></span><![endif]><span style="font-family:"Arial",sans-serif;color:#0E101A"><o:p> </o:p></span></p>
<p style="mso-margin-top-alt:0cm;margin-right:0cm;margin-bottom:0cm;margin-left:72.0pt;text-indent:-18.0pt;mso-list:l0 level1 lfo2;vertical-align:baseline">
<![if !supportLists]><span style="font-size:10.0pt;font-family:Symbol;color:#0E101A"><span style="mso-list:Ignore">·<span style="font:7.0pt "Times New Roman"">      
</span></span></span><![endif]><span style="font-family:"Arial",sans-serif;color:#0E101A"><o:p> </o:p></span></p>
<p style="mso-margin-top-alt:0cm;margin-right:0cm;margin-bottom:0cm;margin-left:72.0pt;text-indent:-18.0pt;mso-list:l0 level1 lfo2;vertical-align:baseline">
<![if !supportLists]><span style="font-size:10.0pt;font-family:Symbol;color:#0E101A"><span style="mso-list:Ignore">·<span style="font:7.0pt "Times New Roman"">      
</span></span></span><![endif]><span style="font-family:"Arial",sans-serif;color:#0E101A">partitioned CRLs (sometimes called “sharded” CRLs) that, when aggregated, represent the equivalent of a full and<o:p></o:p></span></p>
<p style="mso-margin-top-alt:0cm;margin-right:0cm;margin-bottom:0cm;margin-left:72.0pt;text-indent:-18.0pt;mso-list:l0 level1 lfo2;vertical-align:baseline">
<![if !supportLists]><span style="font-size:10.0pt;font-family:Symbol;color:#0E101A"><span style="mso-list:Ignore">·<span style="font:7.0pt "Times New Roman"">      
</span></span></span><![endif]><span style="font-family:"Arial",sans-serif;color:#0E101A"> complete CRL.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:72.0pt;text-indent:-18.0pt;mso-list:l0 level1 lfo2;vertical-align:baseline">
<![if !supportLists]><span style="font-size:10.0pt;font-family:Symbol;color:#0E101A"><span style="mso-list:Ignore">·<span style="font:7.0pt "Times New Roman"">      
</span></span></span><![endif]><span style="font-family:"Arial",sans-serif;color:#0E101A"><o:p> </o:p></span></p>
<ol start="2" type="1">
<li class="MsoNormal" style="color:#0E101A;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l3 level1 lfo4;vertical-align:baseline;font-variant-numeric:normal;font-variant-east-asian:normal">
<span style="font-family:"Arial",sans-serif"><o:p> </o:p></span></li><li style="color:#0E101A;margin-top:0cm;margin-bottom:0cm;mso-list:l3 level1 lfo4;vertical-align:baseline">
<span style="font-family:"Arial",sans-serif"><o:p> </o:p></span></li><li style="color:#0E101A;margin-top:0cm;margin-bottom:0cm;mso-list:l3 level1 lfo4;vertical-align:baseline">
<span style="font-family:"Arial",sans-serif">Requires CRLs are updated and reissued at least once daily.<o:p></o:p></span></li><li class="MsoNormal" style="color:#0E101A;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l3 level1 lfo4;vertical-align:baseline">
<span style="font-family:"Arial",sans-serif"><o:p> </o:p></span></li></ol>
<ol start="6" type="1">
<li class="MsoNormal" style="color:#0E101A;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l3 level1 lfo5;vertical-align:baseline;font-variant-numeric:normal;font-variant-east-asian:normal">
<span style="font-family:"Arial",sans-serif"><o:p> </o:p></span></li><li style="color:#0E101A;margin-top:0cm;margin-bottom:0cm;mso-list:l3 level1 lfo5;vertical-align:baseline">
<span style="font-family:"Arial",sans-serif"><o:p> </o:p></span></li><li style="color:#0E101A;margin-top:0cm;margin-bottom:0cm;mso-list:l3 level1 lfo5;vertical-align:baseline">
<span style="font-family:"Arial",sans-serif">Requires CAs include the corresponding HTTP URI for either the full and complete or partitioned/sharded CRL in<o:p></o:p></span></li><li style="color:#0E101A;margin-top:0cm;margin-bottom:0cm;mso-list:l3 level1 lfo5;vertical-align:baseline">
<span style="font-family:"Arial",sans-serif">the CRL Distribution Point extension of subscriber certificates (i.e., TLS server certificates), with an exception for Short-lived Subscriber Certificates (see below).<o:p></o:p></span></li><li class="MsoNormal" style="color:#0E101A;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l3 level1 lfo5;vertical-align:baseline">
<span style="font-family:"Arial",sans-serif"><o:p> </o:p></span></li></ol>
<ol start="11" type="1">
<li class="MsoNormal" style="color:#0E101A;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l3 level1 lfo6;vertical-align:baseline;font-variant-numeric:normal;font-variant-east-asian:normal">
<span style="font-family:"Arial",sans-serif"><o:p> </o:p></span></li><li style="color:#0E101A;margin-top:0cm;margin-bottom:0cm;mso-list:l3 level1 lfo6;vertical-align:baseline">
<span style="font-family:"Arial",sans-serif"><o:p> </o:p></span></li><li style="color:#0E101A;margin-top:0cm;margin-bottom:0cm;mso-list:l3 level1 lfo6;vertical-align:baseline">
<span style="font-family:"Arial",sans-serif">Makes OCSP services<o:p></o:p></span></li><li style="color:#0E101A;margin-top:0cm;margin-bottom:0cm;mso-list:l3 level1 lfo6;vertical-align:baseline">
<span style="font-family:"Arial",sans-serif">optional<o:p></o:p></span></li><li style="color:#0E101A;margin-top:0cm;margin-bottom:0cm;mso-list:l3 level1 lfo6;vertical-align:baseline">
<span style="font-family:"Arial",sans-serif">for CAs. If a CA continues supporting OCSP, the same requirements apply as they do today.<o:p></o:p></span></li><li class="MsoNormal" style="color:#0E101A;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l3 level1 lfo6;vertical-align:baseline">
<span style="font-family:"Arial",sans-serif"><o:p> </o:p></span></li></ol>
<ol start="17" type="1">
<li class="MsoNormal" style="color:#0E101A;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l3 level1 lfo7;vertical-align:baseline;font-variant-numeric:normal;font-variant-east-asian:normal">
<span style="font-family:"Arial",sans-serif"><o:p> </o:p></span></li><li style="color:#0E101A;margin-top:0cm;margin-bottom:0cm;mso-list:l3 level1 lfo7;vertical-align:baseline">
<span style="font-family:"Arial",sans-serif"><o:p> </o:p></span></li><li style="color:#0E101A;margin-top:0cm;margin-bottom:0cm;mso-list:l3 level1 lfo7;vertical-align:baseline">
<span style="font-family:"Arial",sans-serif">Re-visits the concept of a Short-lived Subscriber Certificate - an<o:p></o:p></span></li><li style="color:#0E101A;margin-top:0cm;margin-bottom:0cm;mso-list:l3 level1 lfo7;vertical-align:baseline">
<span style="font-family:"Arial",sans-serif">optional<o:p></o:p></span></li><li style="color:#0E101A;margin-top:0cm;margin-bottom:0cm;mso-list:l3 level1 lfo7;vertical-align:baseline">
<span style="font-family:"Arial",sans-serif">certificate offering with a validity of less than ten days that is not required to contain either a CRLDP or OCSP Pointer. As currently written, CAs may<o:p></o:p></span></li><li style="color:#0E101A;margin-top:0cm;margin-bottom:0cm;mso-list:l3 level1 lfo7;vertical-align:baseline">
<span style="font-family:"Arial",sans-serif">optionally<o:p></o:p></span></li><li style="color:#0E101A;margin-top:0cm;margin-bottom:0cm;mso-list:l3 level1 lfo7;vertical-align:baseline">
<span style="font-family:"Arial",sans-serif">support revocation for short-lived certificates - but they would still be responsible for blocking future issuance to confirmed compromised keys (defined in 6.1.1.3).<o:p></o:p></span></li><li class="MsoNormal" style="color:#0E101A;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l3 level1 lfo7;vertical-align:baseline">
<span style="font-family:"Arial",sans-serif"><o:p> </o:p></span></li></ol>
<p class="MsoNormal"><o:p> </o:p></p>
<p style="margin:0cm"><span style="font-family:"Arial",sans-serif;color:#0E101A">Justification for combining both the proposed revocation changes and the Short-lived Subscriber Certificate discussion into a single ballot is two-fold:</span><o:p></o:p></p>
<ol start="1" type="1">
<li class="MsoNormal" style="color:#0E101A;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l1 level1 lfo8;vertical-align:baseline;font-variant-numeric:normal;font-variant-east-asian:normal">
<span style="font-family:"Arial",sans-serif"><o:p> </o:p></span></li><li style="color:#0E101A;margin-top:0cm;margin-bottom:0cm;mso-list:l1 level1 lfo8;vertical-align:baseline">
<span style="font-family:"Arial",sans-serif"><o:p> </o:p></span></li><li style="color:#0E101A;margin-top:0cm;margin-bottom:0cm;mso-list:l1 level1 lfo8;vertical-align:baseline">
<span style="font-family:"Arial",sans-serif">reduce administrative burden in the ballot review, discussion, and approval process; and<o:p></o:p></span></li><li class="MsoNormal" style="color:#0E101A;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l1 level1 lfo8;vertical-align:baseline">
<span style="font-family:"Arial",sans-serif"><o:p> </o:p></span></li><li class="MsoNormal" style="color:#0E101A;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l1 level1 lfo8;vertical-align:baseline;font-variant-numeric:normal;font-variant-east-asian:normal">
<span style="font-family:"Arial",sans-serif"><o:p> </o:p></span></li><li style="color:#0E101A;margin-top:0cm;margin-bottom:0cm;mso-list:l1 level1 lfo8;vertical-align:baseline">
<span style="font-family:"Arial",sans-serif"><o:p> </o:p></span></li><li style="color:#0E101A;margin-top:0cm;margin-bottom:0cm;mso-list:l1 level1 lfo8;vertical-align:baseline">
<span style="font-family:"Arial",sans-serif">use of Short-lived Subscriber Certificates reduces CRL sizes, and since the proposal requires CRLs, this opportunity<o:p></o:p></span></li><li style="color:#0E101A;margin-top:0cm;margin-bottom:0cm;mso-list:l1 level1 lfo8;vertical-align:baseline">
<span style="font-family:"Arial",sans-serif">seemed beneficial to both CA Owners and certificate consumers.<o:p></o:p></span></li><li class="MsoNormal" style="color:#0E101A;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l1 level1 lfo8;vertical-align:baseline">
<span style="font-family:"Arial",sans-serif"><o:p> </o:p></span></li></ol>
<p class="MsoNormal"><o:p> </o:p></p>
<p style="margin:0cm"><span style="font-family:"Arial",sans-serif;color:#0E101A">Discussion at the Face-to-Face focused on:</span><o:p></o:p></p>
<ul type="disc">
<li class="MsoNormal" style="color:#0E101A;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l2 level1 lfo9;vertical-align:baseline;font-variant-numeric:normal;font-variant-east-asian:normal">
<span style="font-family:"Arial",sans-serif"><o:p> </o:p></span></li><li style="color:#0E101A;margin-top:0cm;margin-bottom:0cm;mso-list:l2 level1 lfo9;vertical-align:baseline">
<span style="font-family:"Arial",sans-serif"><o:p> </o:p></span></li><li style="color:#0E101A;margin-top:0cm;margin-bottom:0cm;mso-list:l2 level1 lfo9;vertical-align:baseline">
<span style="font-family:"Arial",sans-serif">how the proposal impacts offline intermediates that are only brought online to issue test certificates as required<o:p></o:p></span></li><li style="color:#0E101A;margin-top:0cm;margin-bottom:0cm;mso-list:l2 level1 lfo9;vertical-align:baseline">
<span style="font-family:"Arial",sans-serif">by the BRs; <o:p></o:p></span></li><li class="MsoNormal" style="color:#0E101A;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l2 level1 lfo9;vertical-align:baseline">
<span style="font-family:"Arial",sans-serif"><o:p> </o:p></span></li><li class="MsoNormal" style="color:#0E101A;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l2 level1 lfo9;vertical-align:baseline;font-variant-numeric:normal;font-variant-east-asian:normal">
<span style="font-family:"Arial",sans-serif"><o:p> </o:p></span></li><li style="color:#0E101A;margin-top:0cm;margin-bottom:0cm;mso-list:l2 level1 lfo9;vertical-align:baseline">
<span style="font-family:"Arial",sans-serif"><o:p> </o:p></span></li><li style="color:#0E101A;margin-top:0cm;margin-bottom:0cm;mso-list:l2 level1 lfo9;vertical-align:baseline">
<span style="font-family:"Arial",sans-serif">concern regarding delays in user agents consuming certificate status information (i.e., comparing the speed by<o:p></o:p></span></li><li style="color:#0E101A;margin-top:0cm;margin-bottom:0cm;mso-list:l2 level1 lfo9;vertical-align:baseline">
<span style="font-family:"Arial",sans-serif">which changes can be conveyed via OCSP versus daily CRLs); and<o:p></o:p></span></li><li class="MsoNormal" style="color:#0E101A;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l2 level1 lfo9;vertical-align:baseline">
<span style="font-family:"Arial",sans-serif"><o:p> </o:p></span></li><li class="MsoNormal" style="color:#0E101A;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l2 level1 lfo9;vertical-align:baseline;font-variant-numeric:normal;font-variant-east-asian:normal">
<span style="font-family:"Arial",sans-serif"><o:p> </o:p></span></li><li style="color:#0E101A;margin-top:0cm;margin-bottom:0cm;mso-list:l2 level1 lfo9;vertical-align:baseline">
<span style="font-family:"Arial",sans-serif"><o:p> </o:p></span></li><li style="color:#0E101A;margin-top:0cm;margin-bottom:0cm;mso-list:l2 level1 lfo9;vertical-align:baseline">
<span style="font-family:"Arial",sans-serif">the corresponding implementation timeline (currently sharing the same effective date included in the profile work).<o:p></o:p></span></li><li class="MsoNormal" style="color:#0E101A;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l2 level1 lfo9;vertical-align:baseline">
<span style="font-family:"Arial",sans-serif"><o:p> </o:p></span></li></ul>
<p class="MsoNormal"><o:p> </o:p></p>
<p style="margin:0cm"><span style="font-family:"Arial",sans-serif;color:#0E101A">The doc linked above also contains additional considerations worth exploring (e.g., impact on CT log operators, impacts on other user agents, etc.).</span><o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p style="margin:0cm"><span style="font-family:"Arial",sans-serif;color:#0E101A">Beyond the goals and justification described in the doc linked above (e.g., privacy concerns with OCSP, the volume of OCSP-related incidents, and operational costs of running secure,
 highly available, and resilient OCSP services), we see an opportunity to align requirements defined in the BRs with browser implementations (both current and planned). The consideration for Short-lived Subscriber Certificates also presents an opportunity to
 incentivize the use of automation and the issuance of certificates with a reduced validity without requiring either behavior in the BRs. </span><o:p></o:p></p>
<p style="margin:0cm"><span style="font-family:"Arial",sans-serif;color:#0E101A"><br>
<br>
</span><o:p></o:p></p>
<p style="margin:0cm"><span style="font-family:"Arial",sans-serif;color:#0E101A">Comments, concerns, and volunteers for endorsers are welcome.</span><o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p style="margin:0cm"><span style="font-family:"Arial",sans-serif;color:#0E101A">Thanks,</span><o:p></o:p></p>
<p style="margin:0cm"><span style="font-family:"Arial",sans-serif;color:#0E101A">Ryan</span><o:p></o:p></p>
<p class="MsoNormal"><br>
<br>
<o:p></o:p></p>
</div>
</div>
</div>
</body>
</html>