<div dir="ltr">That could simplify it, but Mozilla's CRL Reason Code rules would still supersede that section.<br></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Tue, Nov 15, 2022 at 2:22 AM Dimitris Zacharopoulos (HARICA) via Servercert-wg <<a href="mailto:servercert-wg@cabforum.org">servercert-wg@cabforum.org</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div>
<div>On 15/11/2022 1:02 a.m., Ben Wilson via
Servercert-wg wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">
<div>Thanks.</div>
<div><br>
</div>
<div>Any additional thoughts, recommendations, etc.?</div>
</div>
</blockquote>
<br>
Hi Ben,<br>
<br>
I assume that the use cases described within the parentheses under
4.9.1.1 are "examples", which means that the "i.e." should be
replaced with "e.g.". <br>
<br>
I am not very much in favor of the breakdown of subsections for each
revocation reasonCode which repeats the language "SHOULD revoke
within 24 hours and SHALL revoke within 5 days" in various cases,
and gets especially confusing when the Subscriber requests in
writing, which can apply to several reasonCodes.<br>
<br>
The previous attempt, keeping the existing structure that
CAs/Auditors are already familiar with, seems like a better
approach. That's because CAs already have controls in place to
handle "specific revocation use cases" as they are listed in the
current sections 4.9.1.1 and 4.9.1.2. All we need to do now is map
those known cases to a specific RFC5280 reasonCode.<br>
<br>
If additional revocation use cases have been documented in MRSP, we
can add those in 4.9.1.1/2 as needed.<br>
<br>
What do others think? Should we try to minimize the changes to
4.9.1.1 and 4.9.1.2 or do a complete restructuring?<br>
<br>
<br>
Thanks,<br>
Dimitris.<br>
<br>
<br>
<blockquote type="cite">
<div dir="ltr">
<div><br>
</div>
<div>Ben<br>
</div>
</div>
<br>
<div class="gmail_quote">
<div dir="ltr" class="gmail_attr">On Thu, Nov 10, 2022 at 11:33
PM Roman Fischer via Servercert-wg <<a href="mailto:servercert-wg@cabforum.org" target="_blank">servercert-wg@cabforum.org</a>>
wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div>
<div lang="DE">
<div>
<p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri",sans-serif">Dear
Ben,</span></p>
<p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri",sans-serif"> </span></p>
<p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri",sans-serif" lang="EN-US">Thanks for your effort to make it
better understandable. Even for me as a non-native
speaker it’s now much clearer when to use which
reasonCode (but it’s still very complex!).</span></p>
<p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri",sans-serif" lang="EN-US"> </span></p>
<p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri",sans-serif" lang="EN-US">Could the section</span></p>
<p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri",sans-serif" lang="EN-US"> </span></p>
<p class="MsoNormal"><span lang="EN-US">** The
privilegeWithdrawn reasonCode <span style="background:yellow">
does not need to be made available</span> to the
Subscriber as a revocation reason option, because
the use of this reasonCode is determined by the CA
and not the Subscriber.</span><span style="font-size:11pt" lang="EN-US"></span></p>
<p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri",sans-serif" lang="EN-US"> </span></p>
<p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri",sans-serif" lang="EN-US">be reformulated to use one of the RFC
2119 terms? Maybe your intention was “SHALL NOT be
made available”?</span></p>
<p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri",sans-serif" lang="EN-US"> </span></p>
<p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri",sans-serif" lang="EN-US">Kind regards<br>
Roman Fischer, SwissSign</span></p>
<p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri",sans-serif" lang="EN-US"> </span></p>
<div style="border-color:rgb(225,225,225) currentcolor currentcolor;border-style:solid none none;border-width:1pt medium medium;padding:3pt 0cm 0cm">
<p class="MsoNormal"><b><span style="font-size:11pt;font-family:"Calibri",sans-serif" lang="EN-US">From:</span></b><span style="font-size:11pt;font-family:"Calibri",sans-serif" lang="EN-US"> Servercert-wg <<a href="mailto:servercert-wg-bounces@cabforum.org" target="_blank">servercert-wg-bounces@cabforum.org</a>>
<b>On Behalf Of </b>Ben Wilson via Servercert-wg<br>
<b>Sent:</b> Friday, 11 November 2022 00:53<br>
<b>To:</b> CA/B Forum Server Certificate WG Public
Discussion List <<a href="mailto:servercert-wg@cabforum.org" target="_blank">servercert-wg@cabforum.org</a>><br>
<b>Subject:</b> Re: [Servercert-wg] Proposal to
Incorporate Mozilla's CRL Revocation Reason Code
Requirements into the BRs</span></p>
</div>
<p class="MsoNormal"> </p>
<div>
<div>
<p class="MsoNormal">All,</p>
</div>
<div>
<p class="MsoNormal">Here is another iteration of a
proposal to incorporate Mozilla's CRL reason code
requirements into the Baseline Requirements.
</p>
</div>
<div>
<p class="MsoNormal">I am open to your suggestions
and recommendations on how to make this better.
</p>
</div>
<div>
<p class="MsoNormal">I'll put another draft in
GitHub again after I receive feedback.</p>
</div>
<div>
<p class="MsoNormal">Thanks,</p>
</div>
<div>
<p class="MsoNormal">Ben</p>
</div>
</div>
<p class="MsoNormal"> </p>
<div>
<div>
<p class="MsoNormal">On Tue, Sep 20, 2022 at 10:16
PM Ben Wilson via Servercert-wg <<a href="mailto:servercert-wg@cabforum.org" target="_blank">servercert-wg@cabforum.org</a>>
wrote:</p>
</div>
<blockquote style="border-color:currentcolor currentcolor currentcolor rgb(204,204,204);border-style:none none none solid;border-width:medium medium medium 1pt;padding:0cm 0cm 0cm 6pt;margin-left:4.8pt;margin-right:0cm">
<div>
<div>
<p class="MsoNormal">Hi Corey,</p>
</div>
<div>
<p class="MsoNormal"> </p>
</div>
<div>
<p class="MsoNormal">See responses below.</p>
</div>
<p class="MsoNormal"> </p>
<div>
<div>
<p class="MsoNormal">On Wed, Sep 14, 2022 at
11:38 AM Corey Bonnell <<a href="mailto:Corey.Bonnell@digicert.com" target="_blank">Corey.Bonnell@digicert.com</a>>
wrote:</p>
</div>
<blockquote style="border-color:currentcolor currentcolor currentcolor rgb(204,204,204);border-style:none none none solid;border-width:medium medium medium 1pt;padding:0cm 0cm 0cm 6pt;margin-left:4.8pt;margin-right:0cm">
<div>
<div>
<div>
<p class="MsoNormal"><span lang="EN-US">Hi
Ben,</span></p>
<p class="MsoNormal"><span lang="EN-US">It
appears the ballot text has
potential divergences from the
published MRSP:</span></p>
<p class="MsoNormal"><span lang="EN-US">
</span></p>
</div>
</div>
</div>
</blockquote>
<blockquote style="border-color:currentcolor currentcolor currentcolor rgb(204,204,204);border-style:none none none solid;border-width:medium medium medium 1pt;padding:0cm 0cm 0cm 6pt;margin-left:4.8pt;margin-right:0cm">
<div>
<div>
<div>
<p class="MsoNormal"><span lang="EN-US">1.
This ballot prohibits other
CRLReasons from appearing in CRLs.
This is meaningfully different from
MRSP, where the new requirements are
applicable solely to revocations
that occur on or after the effective
date.</span></p>
</div>
</div>
</div>
</blockquote>
<div>
<p class="MsoNormal"> </p>
</div>
<div>
<p class="MsoNormal"> I think this can be
fixed with some language changes.</p>
</div>
<div>
<p class="MsoNormal"> </p>
</div>
<blockquote style="border-color:currentcolor currentcolor currentcolor rgb(204,204,204);border-style:none none none solid;border-width:medium medium medium 1pt;padding:0cm 0cm 0cm 6pt;margin-left:4.8pt;margin-right:0cm">
<div>
<div>
<div>
<p class="MsoNormal"><span lang="EN-US">2.
There is no requirement to document
reason codes in the Subscriber
Agreement, whereas there is in MRSP.
Is this change intentional?</span></p>
</div>
</div>
</div>
</blockquote>
<div>
<p class="MsoNormal"> </p>
</div>
<div>
<p class="MsoNormal">Not exactly an
intentional elimination of the requirement,
but I can make the ballot consistent with
the MRSP with some language changes as well.
My idea was to suggest that CAs could
incorporate the necessary information "by
reference" so that the CRL reason code
explanations wouldn't have to appear fully
in Subscriber Agreements or Terms of Use.</p>
</div>
<div>
<p class="MsoNormal"> </p>
</div>
<blockquote style="border-color:currentcolor currentcolor currentcolor rgb(204,204,204);border-style:none none none solid;border-width:medium medium medium 1pt;padding:0cm 0cm 0cm 6pt;margin-left:4.8pt;margin-right:0cm">
<div>
<div>
<div>
<p class="MsoNormal"><span lang="EN-US">3.
Regarding 24-hour revocation reason
#5: it appears that
privilegeWithdrawn is now allowed.
According to MRSP, only superseded
is appropriate for this case.</span></p>
</div>
</div>
</div>
</blockquote>
<div>
<p class="MsoNormal"> </p>
</div>
<div>
<p class="MsoNormal">For consistency, I'll
change this to superseded only. </p>
</div>
<div>
<p class="MsoNormal"> </p>
</div>
<blockquote style="border-color:currentcolor currentcolor currentcolor rgb(204,204,204);border-style:none none none solid;border-width:medium medium medium 1pt;padding:0cm 0cm 0cm 6pt;margin-left:4.8pt;margin-right:0cm">
<div>
<div>
<div>
<p class="MsoNormal"><span lang="EN-US">4.
Regarding 5-day revocation reason
#9: this is not a scenario listed in
MRSP. In other words, this
revocation scenario must be denoted
as “unspecified” as the CRLReason
under MRSP. Therefore, it is not
possible to satisfy both the
proposed BR text and MRSP.</span></p>
</div>
</div>
</div>
</blockquote>
<div>
<p class="MsoNormal"> </p>
</div>
<div>
<p class="MsoNormal">That's probably the
approach to take - thanks. Another
possibility is to move this revocation
reason down to 4.9.1.2 - CAs should revoke
the intermediate CA certificate(s) rather
than all end entity certificates.
</p>
</div>
<div>
<p class="MsoNormal"> </p>
</div>
<blockquote style="border-color:currentcolor currentcolor currentcolor rgb(204,204,204);border-style:none none none solid;border-width:medium medium medium 1pt;padding:0cm 0cm 0cm 6pt;margin-left:4.8pt;margin-right:0cm">
<div>
<div>
<div>
<p class="MsoNormal"><span lang="EN-US">5.
Regarding 5-day revocation reason
#10: this appears to be like
scenario #7, but it is different in
that revocation may be required even
if there’s no violation of the
CP/CPS. I don’t think this scenario
is enumerated in MRSP, so it is not
possible to specify a reason code
that satisfies both MRSP and this
ballot for this scenario.</span></p>
</div>
</div>
</div>
</blockquote>
<div>
<p class="MsoNormal"> </p>
</div>
<div>
<p class="MsoNormal">Kathleen and I think that
this reason is in the MRSP under the section
for the superseded CRLReason - "the CA
operator has revoked the certificate for
compliance reasons such as the certificate
does not comply with this policy, the
CA/Browser Forum's Baseline Requirements, or
the CA operator’s CP or CPS". </p>
</div>
<div>
<p class="MsoNormal"> </p>
</div>
<blockquote style="border-color:currentcolor currentcolor currentcolor rgb(204,204,204);border-style:none none none solid;border-width:medium medium medium 1pt;padding:0cm 0cm 0cm 6pt;margin-left:4.8pt;margin-right:0cm">
<div>
<div>
<div>
<p class="MsoNormal"><span lang="EN-US"> </span></p>
<p class="MsoNormal"><span lang="EN-US">More
generally, the Defined Term
“Certificate” should be used
throughout the ballot for
consistency.</span></p>
</div>
</div>
</div>
</blockquote>
<div>
<p class="MsoNormal"> </p>
</div>
<div>
<p class="MsoNormal">Agreed. Thanks.</p>
</div>
<div>
<p class="MsoNormal"> </p>
</div>
<blockquote style="border-color:currentcolor currentcolor currentcolor rgb(204,204,204);border-style:none none none solid;border-width:medium medium medium 1pt;padding:0cm 0cm 0cm 6pt;margin-left:4.8pt;margin-right:0cm">
<div>
<div>
<div>
<p class="MsoNormal"><span lang="EN-US"> </span></p>
<p class="MsoNormal"><span lang="EN-US">Thanks,</span></p>
<p class="MsoNormal"><span lang="EN-US">Corey</span></p>
</div>
</div>
</div>
</blockquote>
<div>
<p class="MsoNormal"> </p>
</div>
<div>
<p class="MsoNormal">Thanks,</p>
</div>
<div>
<p class="MsoNormal">Ben </p>
</div>
<blockquote style="border-color:currentcolor currentcolor currentcolor rgb(204,204,204);border-style:none none none solid;border-width:medium medium medium 1pt;padding:0cm 0cm 0cm 6pt;margin-left:4.8pt;margin-right:0cm">
<div>
<div>
<div>
<p class="MsoNormal"><span lang="EN-US"> </span></p>
<div style="border-style:solid none none;border-width:1pt medium medium;padding:3pt 0cm 0cm;border-color:currentcolor">
<p class="MsoNormal"><b><span lang="EN-US">From:</span></b><span lang="EN-US"> Servercert-wg <<a href="mailto:servercert-wg-bounces@cabforum.org" target="_blank">servercert-wg-bounces@cabforum.org</a>>
<b>On Behalf Of </b>Ben Wilson
via Servercert-wg<br>
<b>Sent:</b> Tuesday, September
13, 2022 11:37 PM<br>
<b>To:</b> Ben Wilson <<a href="mailto:bwilson@mozilla.com" target="_blank">bwilson@mozilla.com</a>>;
CA/B Forum Server Certificate WG
Public Discussion List <<a href="mailto:servercert-wg@cabforum.org" target="_blank">servercert-wg@cabforum.org</a>><br>
<b>Subject:</b> Re:
[Servercert-wg] Proposal to
Incorporate Mozilla's CRL
Revocation Reason Code
Requirements into the BRs</span></p>
</div>
<p class="MsoNormal"><span lang="EN-US"> </span></p>
<div>
<div>
<p class="MsoNormal"><span lang="EN-US">Here is the most
current comparison:</span></p>
</div>
<div>
<p class="MsoNormal"><span lang="EN-US"> </span></p>
</div>
<div>
<p class="MsoNormal"><span lang="EN-US"><a href="https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fcabforum%2Fservercert%2Fcompare%2Fbbca71465ed8a8a76383086039f52c750009286a..1699612e5157423f607d67cc8ab9dc3a1d52b318&data=05%7C01%7Croman.fischer%40swisssign.com%7Ce95c13967f6d4cffa0db08dac376a9d2%7C21322582607f404c82d950ddb1eca5c9%7C1%7C0%7C638037211688809839%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=6U2qShXXY%2FWlUn2vWCqq0YB8yQAQxEiQXejzc6pCawE%3D&reserved=0" target="_blank">https://github.com/cabforum/servercert/compare/bbca71465ed8a8a76383086039f52c750009286a..1699612e5157423f607d67cc8ab9dc3a1d52b318</a></span></p>
</div>
<div>
<p class="MsoNormal"><span lang="EN-US"> </span></p>
</div>
<div>
<p class="MsoNormal"><span lang="EN-US">Ben</span></p>
</div>
</div>
<p class="MsoNormal"><span lang="EN-US"> </span></p>
<div>
<div>
<p class="MsoNormal"><span lang="EN-US">On Mon, Sep 12,
2022 at 11:00 AM Ben Wilson <<a href="mailto:bwilson@mozilla.com" target="_blank">bwilson@mozilla.com</a>>
wrote:</span></p>
</div>
<blockquote style="border-style:none none none solid;border-width:medium medium medium 1pt;padding:0cm 0cm 0cm 6pt;margin:5pt 0cm 5pt 4.8pt;border-color:currentcolor currentcolor currentcolor rgb(204,204,204)">
<div>
<div>
<p class="MsoNormal"><span lang="EN-US">Here is another
edit that tries to make
minimal changes to BR
section 4.9.1.1.</span></p>
</div>
<div>
<p class="MsoNormal"><span lang="EN-US"><a href="https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2FBenWilson-Mozilla%2Fservercert%2Fcommit%2F94a07d08855cf489a2bdddff7d8a9490969d5d06&data=05%7C01%7Croman.fischer%40swisssign.com%7Ce95c13967f6d4cffa0db08dac376a9d2%7C21322582607f404c82d950ddb1eca5c9%7C1%7C0%7C638037211688809839%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=h0d4CsixQeyG7GMzM2nqO3ScDRRM1EomVg%2BuwI3lBIc%3D&reserved=0" target="_blank">https://github.com/BenWilson-Mozilla/servercert/commit/94a07d08855cf489a2bdddff7d8a9490969d5d06</a></span></p>
</div>
<div>
<p class="MsoNormal"><span lang="EN-US"> </span></p>
</div>
<div>
<p class="MsoNormal"><span lang="EN-US">Ben</span></p>
</div>
</div>
<p class="MsoNormal"><span lang="EN-US"> </span></p>
<div>
<div>
<p class="MsoNormal"><span lang="EN-US">On Mon, Sep 12,
2022 at 9:51 AM Ben Wilson
via Servercert-wg <<a href="mailto:servercert-wg@cabforum.org" target="_blank">servercert-wg@cabforum.org</a>>
wrote:</span></p>
</div>
<blockquote style="border-style:none none none solid;border-width:medium medium medium 1pt;padding:0cm 0cm 0cm 6pt;margin:5pt 0cm 5pt 4.8pt;border-color:currentcolor currentcolor currentcolor rgb(204,204,204)">
<div>
<div>
<p class="MsoNormal"><span lang="EN-US">Thanks,
Dimitris. I'll work on
that approach and get
something back to you
soon.</span></p>
</div>
<div>
<p class="MsoNormal"><span lang="EN-US">Ben</span></p>
</div>
</div>
<p class="MsoNormal"><span lang="EN-US"> </span></p>
<div>
<div>
<p class="MsoNormal"><span lang="EN-US">On Mon, Sep
12, 2022 at 2:56 AM
Dimitris Zacharopoulos
(HARICA) <<a href="mailto:dzacharo@harica.gr" target="_blank">dzacharo@harica.gr</a>> wrote:</span></p>
</div>
<blockquote style="border-style:none none none solid;border-width:medium medium medium 1pt;padding:0cm 0cm 0cm 6pt;margin:5pt 0cm 5pt 4.8pt;border-color:currentcolor currentcolor currentcolor rgb(204,204,204)">
<div>
<p class="MsoNormal"><span lang="EN-US">Hi Ben,<br>
<br>
After a quick reading,
I noticed that the
subsections are not
symmetrical and a bit
inconsistent. For
example, some of them
contain the statement
"the CA SHOULD revoke
a certificate within
24 hours and MUST
revoke a Certificate
within 5 days", some
do not.<br>
<br>
Other examples:</span></p>
<ul type="disc">
<li class="MsoNormal">
<span lang="EN-US">4.9.1.1.1,
is labeled
"Subscriber-Requested
Revocation", however
there are other
subsections that are
also
"Subscriber-Requested".
This separation
seems confusing.</span></li>
<li class="MsoNormal">
<span lang="EN-US">4.9.1.1.4
is about unreliable
validation but most
of the remaining
subsections are
titled after the RFC
5280 revocation
reasons.</span></li>
</ul>
<p class="MsoNormal" style="margin-bottom:12pt"><span lang="EN-US">Finally,
it's not very clear
when the "unspecified
(0)" reason must be
used because of
section 4.9.1.1.8
(Other Circumstances)
which doesn't point to
a revocation reason.<br>
<br>
From my
perspective, I'm not
sure if breaking down
each subsection is
more helpful for
reading the revocation
requirements than the
current listing. I
understand there is a
desire to copy the
MRSP language as much
as possible but
perhaps we need to
consider a less
"intrusive" set of
changes to a section
that CAs already have
a difficult time
reading and
implementing.<br>
<br>
IMO we either need to
describe the
revocation scenario
and point to the RFC
5280 revocation reason
(closer to what the
BRs have today), or
start with the RFC
5280 revocation
reasons and enumerate
the revocation
scenarios (closer to
what MRSP has today).
I find it confusing to
mix the two
approaches.<br>
<br>
<br>
Thanks,<br>
Dimitris.</span></p>
<div>
<p class="MsoNormal"><span lang="EN-US">On
12/9/2022 6:32 a.m.,
Ben Wilson wrote:</span></p>
</div>
<blockquote style="margin-top:5pt;margin-bottom:5pt">
<div>
<div>
<p class="MsoNormal"><span lang="EN-US">For
review - here is
another proposal
that takes BR
section 4.9.1.1
and puts the
24-hour and
5-day revocation
times into
subsections that
match the CRL
reason codes. </span></p>
</div>
<div>
<p class="MsoNormal"><span lang="EN-US"> </span></p>
</div>
<div>
<p class="MsoNormal"><span lang="EN-US"><a href="https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2FBenWilson-Mozilla%2Fservercert%2Fcommit%2Fb185a28fcc20d5853747e4506103823e3dc7c282&data=05%7C01%7Croman.fischer%40swisssign.com%7Ce95c13967f6d4cffa0db08dac376a9d2%7C21322582607f404c82d950ddb1eca5c9%7C1%7C0%7C638037211688809839%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=opmFVkFFcOqc3DWpy%2BwP%2B79ihMxBOPnZE34AGDSKjWY%3D&reserved=0" target="_blank">https://github.com/BenWilson-Mozilla/servercert/commit/b185a28fcc20d5853747e4506103823e3dc7c282</a></span></p>
</div>
<div>
<p class="MsoNormal"><span lang="EN-US"> </span></p>
</div>
<div>
<p class="MsoNormal"><span lang="EN-US">Ben</span></p>
</div>
</div>
<p class="MsoNormal"><span lang="EN-US"> </span></p>
<div>
<div>
<p class="MsoNormal"><span lang="EN-US">On
Thu, Sep 8, 2022
at 12:05 PM
Dimitris
Zacharopoulos
(HARICA) <<a href="mailto:dzacharo@harica.gr" target="_blank">dzacharo@harica.gr</a>> wrote:</span></p>
</div>
<blockquote style="border-style:none none none solid;border-width:medium medium medium 1pt;padding:0cm 0cm 0cm 6pt;margin:5pt 0cm 5pt 4.8pt;border-color:currentcolor currentcolor currentcolor rgb(204,204,204)">
<div>
<p class="MsoNormal" style="margin-bottom:12pt"><span lang="EN-US">Good point.<br>
<br>
s/<i>expected/shall
use/<br>
<br>
</i></span></p>
<div>
<p class="MsoNormal"><span lang="EN-US">On
8/9/2022 8:26
p.m., Tim
Hollebeek
wrote:</span></p>
</div>
<blockquote style="margin-top:5pt;margin-bottom:5pt">
<div>
<p class="MsoNormal"><span lang="EN-US">I
would prefer
standard 2119
language
instead of an
“expectation”. There are no documented rules for what it means for a
CRLReason to
be expected to
be a certain
value.</span></p>
<p class="MsoNormal"><span lang="EN-US"> </span></p>
<p class="MsoNormal"><span lang="EN-US">-Tim</span></p>
<p class="MsoNormal"><span lang="EN-US"> </span></p>
<div style="border-style:none none none solid;border-width:medium medium medium 1.5pt;padding:0cm 0cm 0cm 4pt;border-color:currentcolor currentcolor currentcolor blue">
<div>
<div style="border-style:solid none none;border-width:1pt medium medium;padding:3pt 0cm 0cm;border-color:currentcolor">
<p class="MsoNormal"><b><span lang="EN-US">From:</span></b><span lang="EN-US">
Servercert-wg
<a href="mailto:servercert-wg-bounces@cabforum.org" target="_blank"><servercert-wg-bounces@cabforum.org></a>
<b>On Behalf
Of </b>Dimitris
Zacharopoulos
(HARICA) via
Servercert-wg<br>
<b>Sent:</b>
Thursday,
September 8,
2022 3:21 AM<br>
<b>To:</b> Ben
Wilson <a href="mailto:bwilson@mozilla.com" target="_blank"><bwilson@mozilla.com></a>;
CA/B Forum
Server
Certificate WG
Public
Discussion
List
<a href="mailto:servercert-wg@cabforum.org" target="_blank"><servercert-wg@cabforum.org></a><br>
<b>Subject:</b>
Re:
[Servercert-wg]
Proposal to
Incorporate
Mozilla's CRL
Revocation
Reason Code
Requirements
into the BRs</span></p>
</div>
</div>
<p class="MsoNormal"><span lang="EN-US"> </span></p>
<p class="MsoNormal" style="margin-bottom:12pt"><span lang="EN-US"> </span></p>
<div>
<p class="MsoNormal"><span lang="EN-US">On
7/9/2022 8:22
p.m., Ben
Wilson wrote:</span></p>
</div>
<blockquote style="margin-top:5pt;margin-bottom:5pt">
<div>
<div>
<p class="MsoNormal"><span lang="EN-US">Good
suggestion. I
can re-work a
proposal that
re-writes BR
sec. 4.9.1.1
to re-group
the revocation
reasons into
the reason
codes that
should be
used. Is that
what you were
thinking? </span></p>
</div>
</div>
</blockquote>
<p class="MsoNormal"><span lang="EN-US"><br>
Yes. We should
also try to
keep the
current BRs
prioritization.
The section
begins with
the cases
where the
Certificate(s)
need to be
revoked within
24h and then
moves to the
5-day
revocation
cases.<br>
<br>
We could walk
this list down
making sure
that all
Mozilla cases
are listed
(add the ones
that are not)
and add the
expected
revocationReason
for each case.
For example:</span></p>
<p><i><span lang="EN-US">The
CA SHALL
revoke a
Certificate
within 24
hours if one
or more of the
following
occurs:</span></i><span lang="EN-US"></span></p>
<ol type="1" start="1">
<li class="MsoNormal">
<i><span lang="EN-US">The
Subscriber
requests in
writing that
the CA revoke
the
Certificate
(expected
CRLReason: <b>unspecified</b>);</span></i><span lang="EN-US"></span></li>
<li class="MsoNormal">
<i><span lang="EN-US">The
Subscriber
notifies the
CA that the
original
certificate
request was
not authorized
and does not
retroactively
grant
authorization
(expected
CRLReason: </span></i><b><i><span style="font-family:"Calibri",sans-serif" lang="EN-US">privilegeWithdrawn</span></i></b><i><span lang="EN-US">);</span></i><span lang="EN-US"></span></li>
<li class="MsoNormal">
<i><span lang="EN-US">The
CA obtains
evidence that
the
Subscriber's
Private Key
corresponding
to the Public
Key in the
Certificate
suffered a Key
Compromise
(expected
CRLReason: <b>keyCompromise</b>);</span></i><span lang="EN-US"></span></li>
<li class="MsoNormal">
<i><span lang="EN-US">The
CA is made
aware of a
demonstrated
or proven
method that
can easily
compute the
Subscriber's
Private Key
based on the
Public Key in
the
Certificate
(such as a
Debian weak
key, see
</span></i><span lang="EN-US"><a href="https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwiki.debian.org%2FSSLkeys&data=05%7C01%7Croman.fischer%40swisssign.com%7Ce95c13967f6d4cffa0db08dac376a9d2%7C21322582607f404c82d950ddb1eca5c9%7C1%7C0%7C638037211688809839%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=%2FV7HivQUf9v8s2xTxi1rVgVbg7XfH9TtU4RjlKL0T6c%3D&reserved=0" target="_blank"><i>https://wiki.debian.org/SSLkeys</i></a><i>)
(expected
CRLReason:<b>keyCompromise</b>);</i></span></li>
<li class="MsoNormal">
<i><span lang="EN-US">The
CA obtains
evidence that
the validation
of domain
authorization
or control for
any
Fully-Qualified
Domain Name or
IP address in
the
Certificate
should not be
relied upon
(expected
CRLReason:
</span></i><b><i><span style="font-family:"Calibri",sans-serif" lang="EN-US">superseded</span></i></b><i><span lang="EN-US">).</span></i><span lang="EN-US"></span></li>
</ol>
<p class="MsoNormal" style="margin-bottom:12pt"><span lang="EN-US">and so on.<br>
<br>
Does that
work?<br>
<br>
Dimitris.</span></p>
<blockquote style="margin-top:5pt;margin-bottom:5pt">
<div>
<div>
<p class="MsoNormal"><span lang="EN-US">Thanks,</span></p>
</div>
<div>
<p class="MsoNormal"><span lang="EN-US">Ben</span></p>
</div>
</div>
<p class="MsoNormal"><span lang="EN-US"> </span></p>
<div>
<div>
<p class="MsoNormal"><span lang="EN-US">On
Wed, Sep 7,
2022 at 6:01
AM Dimitris
Zacharopoulos
(HARICA) via
Servercert-wg
<<a href="mailto:servercert-wg@cabforum.org" target="_blank">servercert-wg@cabforum.org</a>>
wrote:</span></p>
</div>
<blockquote style="border-style:none none none solid;border-width:medium medium medium 1pt;padding:0cm 0cm 0cm 6pt;margin:5pt 0cm 5pt 4.8pt;border-color:currentcolor currentcolor currentcolor rgb(204,204,204)">
<div>
<p class="MsoNormal" style="margin-bottom:12pt"><span lang="EN-US">Hi Ben,<br>
<br>
I believe the
proposal, as
written,
causes
confusion in
regards to
4.9.1.1. Some
of the reasons
described in
your proposal
are already
mentioned in
4.9.1.1.
Perhaps we
should work
some more to
"unify" the
two sections.<br>
<br>
My proposal
would be to
update 4.9.1.1
and include
the expected
CRLReason
after each
case.<br>
<br>
<br>
Thoughts?<br>
Dimitris.</span></p>
<div>
<p class="MsoNormal"><span lang="EN-US">On
6/9/2022 8:13
p.m., Ben
Wilson via
Servercert-wg
wrote:</span></p>
</div>
<blockquote style="margin-top:5pt;margin-bottom:5pt">
<div>
<div>
<p class="MsoNormal"><span lang="EN-US">All,</span></p>
</div>
<div>
<p class="MsoNormal"><span lang="EN-US">I'm
looking for
one more
endorser.</span></p>
</div>
<div>
<p class="MsoNormal"><span lang="EN-US">Thanks,</span></p>
</div>
<div>
<p class="MsoNormal"><span lang="EN-US">Ben</span></p>
</div>
</div>
<p class="MsoNormal"><span lang="EN-US"> </span></p>
<div>
<div>
<p class="MsoNormal"><span lang="EN-US">On
Fri, Jul 29,
2022 at 12:40
PM Ben Wilson
via
Servercert-wg
<<a href="mailto:servercert-wg@cabforum.org" target="_blank">servercert-wg@cabforum.org</a>>
wrote:</span></p>
</div>
<blockquote style="border-style:none none none solid;border-width:medium medium medium 1pt;padding:0cm 0cm 0cm 6pt;margin:5pt 0cm 5pt 4.8pt;border-color:currentcolor currentcolor currentcolor rgb(204,204,204)">
<div>
<div>
<p class="MsoNormal"><span lang="EN-US">All,</span></p>
</div>
<div>
<p class="MsoNormal"><span lang="EN-US"> </span></p>
</div>
<div>
<p class="MsoNormal"><span lang="EN-US">I
have created a
proposal in
Github to
incorporate
Mozilla's CRL
Revocation
Reason Code
requirements
into the
Baseline
Requirements.
</span></p>
</div>
<div>
<p class="MsoNormal"><span lang="EN-US"> </span></p>
</div>
<div>
<p class="MsoNormal"><span lang="EN-US">See
<a href="https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fcabforum%2Fservercert%2Fissues%2F377&data=05%7C01%7Croman.fischer%40swisssign.com%7Ce95c13967f6d4cffa0db08dac376a9d2%7C21322582607f404c82d950ddb1eca5c9%7C1%7C0%7C638037211688809839%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=D4KPoI9FuCxKdr9yp378P8kEzjJq9wX%2FUEj%2F0SDufv4%3D&reserved=0" target="_blank">
https://github.com/cabforum/servercert/issues/377</a></span></p>
</div>
<div>
<p class="MsoNormal"><span lang="EN-US"> </span></p>
</div>
<div>
<p class="MsoNormal"><span lang="EN-US"><a href="https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2FBenWilson-Mozilla%2Fservercert%2Fcommit%2F52a480803beff1f96d61c4b6d76570ac7adff4d5&data=05%7C01%7Croman.fischer%40swisssign.com%7Ce95c13967f6d4cffa0db08dac376a9d2%7C21322582607f404c82d950ddb1eca5c9%7C1%7C0%7C638037211688809839%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=LOfjUsptzgpQxI1k6K8oUgU0aj2LDncd48ZzuXe86Hs%3D&reserved=0" target="_blank">https://github.com/BenWilson-Mozilla/servercert/commit/52a480803beff1f96d61c4b6d76570ac7adff4d5</a></span></p>
</div>
<div>
<p class="MsoNormal"><span lang="EN-US"> </span></p>
</div>
<div>
<p class="MsoNormal"><span lang="EN-US">I'm
looking for
comments,
suggestions,
and two
endorsers.</span></p>
</div>
<div>
<p class="MsoNormal"><span lang="EN-US"> </span></p>
</div>
<div>
<p class="MsoNormal"><span lang="EN-US">Thanks,</span></p>
</div>
<div>
<p class="MsoNormal"><span lang="EN-US"> </span></p>
</div>
<div>
<p class="MsoNormal"><span lang="EN-US">Ben</span></p>
</div>
</div>
<p class="MsoNormal"><span lang="EN-US">_______________________________________________<br>
Servercert-wg
mailing list<br>
<a href="mailto:Servercert-wg@cabforum.org" target="_blank">Servercert-wg@cabforum.org</a><br>
<a href="https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.cabforum.org%2Fmailman%2Flistinfo%2Fservercert-wg&data=05%7C01%7Croman.fischer%40swisssign.com%7Ce95c13967f6d4cffa0db08dac376a9d2%7C21322582607f404c82d950ddb1eca5c9%7C1%7C0%7C638037211688809839%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=iis%2B0QIl3jXlnwoZxV15jIUE%2FGB%2FtJyHdECcBBoSrcQ%3D&reserved=0" target="_blank">https://lists.cabforum.org/mailman/listinfo/servercert-wg</a></span></p>
</blockquote>
</div>
<p class="MsoNormal" style="margin-bottom:12pt"><span lang="EN-US"> </span></p>
<pre><span lang="EN-US">_______________________________________________</span></pre>
<pre><span lang="EN-US">Servercert-wg mailing list</span></pre>
<pre><span lang="EN-US"><a href="mailto:Servercert-wg@cabforum.org" target="_blank">Servercert-wg@cabforum.org</a></span></pre>
<pre><span lang="EN-US"><a href="https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.cabforum.org%2Fmailman%2Flistinfo%2Fservercert-wg&data=05%7C01%7Croman.fischer%40swisssign.com%7Ce95c13967f6d4cffa0db08dac376a9d2%7C21322582607f404c82d950ddb1eca5c9%7C1%7C0%7C638037211688809839%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=iis%2B0QIl3jXlnwoZxV15jIUE%2FGB%2FtJyHdECcBBoSrcQ%3D&reserved=0" target="_blank">https://lists.cabforum.org/mailman/listinfo/servercert-wg</a></span></pre>
</blockquote>
</div>
</blockquote>
</div>
</blockquote>
</div>
</div>
</blockquote>
</div>
</blockquote>
</div>
</blockquote>
</div>
</blockquote>
</div>
</blockquote>
</div>
</blockquote>
</div>
</div>
</div>
</div>
</blockquote>
</div>
</div>
</blockquote>
</div>
</div>
</div>
</div>
</blockquote>
</div>
</blockquote>
<br>
</div>
</blockquote></div>