<div dir="ltr"><div>Sounds good. Thanks, Dimitris.</div><div>Ben<br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Wed, Nov 16, 2022 at 11:23 PM Dimitris Zacharopoulos (HARICA) <<a href="mailto:dzacharo@harica.gr">dzacharo@harica.gr</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
  
    
  
  <div>
    <br>
    <br>
    <div>On 15/11/2022 6:11 PM, Ben Wilson
      wrote:<br>
    </div>
    <blockquote type="cite">
      
      <div dir="ltr">That could simplify it, but Mozilla's CRL Reason
        Code rules would still supersede that section.<br>
      </div>
    </blockquote>
    <br>
    I don't see it as "superseding" but differently "presented". Mozilla
    chose that particular presentation format without taking into
    consideration the time limits for revocation. <a href="https://github.com/mozilla/pkipolicy/blob/master/rootstore/policy.md#611-end-entity-tls-certificate-crlrevocation-reasons" target="_blank">MRSP
    </a>only mentions the reasons and expectations for using such
    reasons. The BRs are more explicit in the use cases and it's more
    important for the CA to know which cases must be revoked within 24
    hours and which ones must be revoked within 5 days. It's a better
    "starting point" for CAs, and that's what they are used to following. <br>
    <br>
    I believe we can successfully update 4.9.1.1 to align with MRSP
    section 6.1 without changing the current presentation format of
    revocation use cases in the BRs. If you are open to the idea, I can
    work with you on a more concrete proposal and see how it looks.<br>
    <br>
    <br>
    Thanks,<br>
    Dimitris.<br>
    <br>
    <blockquote type="cite"><br>
      <div class="gmail_quote">
        <div dir="ltr" class="gmail_attr">On Tue, Nov 15, 2022 at 2:22
          AM Dimitris Zacharopoulos (HARICA) via Servercert-wg <<a href="mailto:servercert-wg@cabforum.org" target="_blank">servercert-wg@cabforum.org</a>>
          wrote:<br>
        </div>
        <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
          <div>
            <div>On 15/11/2022 1:02 AM, Ben Wilson via Servercert-wg
              wrote:<br>
            </div>
            <blockquote type="cite">
              <div dir="ltr">
                <div>Thanks.</div>
                <div><br>
                </div>
                <div>Any additional thoughts, recommendations, etc.?</div>
              </div>
            </blockquote>
            <br>
            Hi Ben,<br>
            <br>
            I assume that the use cases described within the parentheses
            under 4.9.1.1 are "examples" which means that the "i.e."
            should be replaced with "e.g.". <br>
            <br>
            I am not very much in favor of the breakdown of subsections
            for each revocation reasonCode which repeats the language
            "SHOULD revoke within 24 hours and SHALL revoke within 5
            days" in various cases, and gets especially confusing when
            the Subscriber requests in writing, which can apply to
            several reasonCodes.<br>
            <br>
            The previous attempt keeping the existing structure that
            CAs/Auditors are already familiar with, seems like a better
            approach. That's because CAs already have controls in place
            to handle "specific revocation use cases" as they are listed
            in the current sections 4.9.1.1 and 4.9.1.2. All we need to
            do now is map those known cases to a specific RFC5280
            reasonCode.<br>
            <br>
            If additional revocation use cases have been documented in
            MRSP, we can add those in 4.9.1.1/2 as
            needed.<br>
            <br>
            What do others think? Should we try to minimize the changes
            to 4.9.1.1 and 4.9.1.2 or do a complete restructuring?<br>
            <br>
            <br>
            Thanks,<br>
            Dimitris.<br>
            <br>
            <br>
            <blockquote type="cite">
              <div dir="ltr">
                <div><br>
                </div>
                <div>Ben<br>
                </div>
              </div>
              <br>
              <div class="gmail_quote">
                <div dir="ltr" class="gmail_attr">On Thu, Nov 10, 2022
                  at 11:33 PM Roman Fischer via Servercert-wg <<a href="mailto:servercert-wg@cabforum.org" target="_blank">servercert-wg@cabforum.org</a>>
                  wrote:<br>
                </div>
                <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
                  <div>
                    <div lang="DE">
                      <div>
                        <p class="MsoNormal"><span style="font-size:11pt;font-family:'Calibri',sans-serif">Dear
                            Ben,</span></p>
                        <p class="MsoNormal"><span style="font-size:11pt;font-family:'Calibri',sans-serif"> </span></p>
                        <p class="MsoNormal"><span style="font-size:11pt;font-family:'Calibri',sans-serif" lang="EN-US">Thanks for your effort to make
                            it better understandable. Even for me as a
                            non-native speaker it’s now much clearer
                            when to use which reasonCode (but it’s still
                            very complex!).</span></p>
                        <p class="MsoNormal"><span style="font-size:11pt;font-family:'Calibri',sans-serif" lang="EN-US"> </span></p>
                        <p class="MsoNormal"><span style="font-size:11pt;font-family:'Calibri',sans-serif" lang="EN-US">Could the section</span></p>
                        <p class="MsoNormal"><span style="font-size:11pt;font-family:'Calibri',sans-serif" lang="EN-US"> </span></p>
                        <p class="MsoNormal"><span lang="EN-US">** The
                            privilegeWithdrawn reasonCode <span style="background:yellow"> does not need
                              to be made available</span> to the
                            Subscriber as a revocation reason option,
                            because the use of this reasonCode is
                            determined by the CA and not the Subscriber.</span><span style="font-size:11pt" lang="EN-US"></span></p>
                        <p class="MsoNormal"><span style="font-size:11pt;font-family:'Calibri',sans-serif" lang="EN-US"> </span></p>
                        <p class="MsoNormal"><span style="font-size:11pt;font-family:'Calibri',sans-serif" lang="EN-US">be reformulated to use one of
                            the RFC 2119 terms? Maybe your intention was
                            “SHALL NOT be made available”?</span></p>
                        <p class="MsoNormal"><span style="font-size:11pt;font-family:'Calibri',sans-serif" lang="EN-US"> </span></p>
                        <p class="MsoNormal"><span style="font-size:11pt;font-family:'Calibri',sans-serif" lang="EN-US">Kind regards<br>
                            Roman Fischer, SwissSign</span></p>
                        <p class="MsoNormal"><span style="font-size:11pt;font-family:'Calibri',sans-serif" lang="EN-US"> </span></p>
                        <div style="border-color:rgb(225,225,225) currentcolor currentcolor;border-style:solid none none;border-width:1pt medium medium;padding:3pt 0cm 0cm">
                          <p class="MsoNormal"><b><span style="font-size:11pt;font-family:'Calibri',sans-serif" lang="EN-US">From:</span></b><span style="font-size:11pt;font-family:'Calibri',sans-serif" lang="EN-US"> Servercert-wg <<a href="mailto:servercert-wg-bounces@cabforum.org" target="_blank">servercert-wg-bounces@cabforum.org</a>>
                              <b>On Behalf Of </b>Ben Wilson via
                              Servercert-wg<br>
                              <b>Sent:</b> Friday, 11 November 2022
                              00:53<br>
                              <b>To:</b> CA/B Forum Server Certificate
                              WG Public Discussion List <<a href="mailto:servercert-wg@cabforum.org" target="_blank">servercert-wg@cabforum.org</a>><br>
                              <b>Subject:</b> Re: [Servercert-wg]
                              Proposal to Incorporate Mozilla's CRL
                              Revocation Reason Code Requirements into
                              the BRs</span></p>
                        </div>
                        <p class="MsoNormal"> </p>
                        <div>
                          <div>
                            <p class="MsoNormal">All,</p>
                          </div>
                          <div>
                            <p class="MsoNormal">Here is another
                              iteration of a proposal to incorporate
                              Mozilla's CRL reason code requirements
                              into the Baseline Requirements. </p>
                          </div>
                          <div>
                            <p class="MsoNormal">I am open to your
                              suggestions and recommendations on how to
                              make this better. </p>
                          </div>
                          <div>
                            <p class="MsoNormal">I'll put another draft
                              in GitHub again after I receive feedback.</p>
                          </div>
                          <div>
                            <p class="MsoNormal">Thanks,</p>
                          </div>
                          <div>
                            <p class="MsoNormal">Ben</p>
                          </div>
                        </div>
                        <p class="MsoNormal"> </p>
                        <div>
                          <div>
                            <p class="MsoNormal">On Tue, Sep 20, 2022 at
                              10:16 PM Ben Wilson via Servercert-wg <<a href="mailto:servercert-wg@cabforum.org" target="_blank">servercert-wg@cabforum.org</a>>
                              wrote:</p>
                          </div>
                          <blockquote style="border-color:currentcolor currentcolor currentcolor rgb(204,204,204);border-style:none none none solid;border-width:medium medium medium 1pt;padding:0cm 0cm 0cm 6pt;margin-left:4.8pt;margin-right:0cm">
                            <div>
                              <div>
                                <p class="MsoNormal">Hi Corey,</p>
                              </div>
                              <div>
                                <p class="MsoNormal"> </p>
                              </div>
                              <div>
                                <p class="MsoNormal">See responses
                                  below.</p>
                              </div>
                              <p class="MsoNormal"> </p>
                              <div>
                                <div>
                                  <p class="MsoNormal">On Wed, Sep 14,
                                    2022 at 11:38 AM Corey Bonnell <<a href="mailto:Corey.Bonnell@digicert.com" target="_blank">Corey.Bonnell@digicert.com</a>>
                                    wrote:</p>
                                </div>
                                <blockquote style="border-color:currentcolor currentcolor currentcolor rgb(204,204,204);border-style:none none none solid;border-width:medium medium medium 1pt;padding:0cm 0cm 0cm 6pt;margin-left:4.8pt;margin-right:0cm">
                                  <div>
                                    <div>
                                      <div>
                                        <p class="MsoNormal"><span lang="EN-US">Hi Ben,</span></p>
                                        <p class="MsoNormal"><span lang="EN-US">It appears the
                                            ballot text has potential
                                            divergences from the
                                            published MRSP:</span></p>
                                        <p class="MsoNormal"><span lang="EN-US">  </span></p>
                                      </div>
                                    </div>
                                  </div>
                                </blockquote>
                                <blockquote style="border-color:currentcolor currentcolor currentcolor rgb(204,204,204);border-style:none none none solid;border-width:medium medium medium 1pt;padding:0cm 0cm 0cm 6pt;margin-left:4.8pt;margin-right:0cm">
                                  <div>
                                    <div>
                                      <div>
                                        <p class="MsoNormal"><span lang="EN-US">1. This ballot
                                            prohibits other CRLReasons
                                            from appearing in CRLs. This
                                            is meaningfully different
                                            from MRSP, where the new
                                            requirements are applicable
                                            solely to revocations that
                                            occur on or after the
                                            effective date.</span></p>
                                      </div>
                                    </div>
                                  </div>
                                </blockquote>
                                <div>
                                  <p class="MsoNormal"> </p>
                                </div>
                                <div>
                                  <p class="MsoNormal"> I think this can
                                    be fixed with some language changes.</p>
                                </div>
                                <div>
                                  <p class="MsoNormal"> </p>
                                </div>
                                <blockquote style="border-color:currentcolor currentcolor currentcolor rgb(204,204,204);border-style:none none none solid;border-width:medium medium medium 1pt;padding:0cm 0cm 0cm 6pt;margin-left:4.8pt;margin-right:0cm">
                                  <div>
                                    <div>
                                      <div>
                                        <p class="MsoNormal"><span lang="EN-US">2. There is no
                                            requirement to document
                                            reason codes in the
                                            Subscriber Agreement,
                                            whereas there is in MRSP. Is
                                            this change intentional?</span></p>
                                      </div>
                                    </div>
                                  </div>
                                </blockquote>
                                <div>
                                  <p class="MsoNormal"> </p>
                                </div>
                                <div>
                                  <p class="MsoNormal">Not exactly an
                                    intentional elimination of the
                                    requirement, but I can make the
                                    ballot consistent with the MRSP with
                                    some language changes as well. My
                                    idea was to suggest that CAs could
                                    incorporate the necessary
                                    information "by reference" so that
                                    the CRL reason code explanations
                                    wouldn't have to appear fully in
                                    Subscriber Agreements or Terms of
                                    Use.</p>
                                </div>
                                <div>
                                  <p class="MsoNormal"> </p>
                                </div>
                                <blockquote style="border-color:currentcolor currentcolor currentcolor rgb(204,204,204);border-style:none none none solid;border-width:medium medium medium 1pt;padding:0cm 0cm 0cm 6pt;margin-left:4.8pt;margin-right:0cm">
                                  <div>
                                    <div>
                                      <div>
                                        <p class="MsoNormal"><span lang="EN-US">3. Regarding
                                            24-hour revocation reason
                                            #5: it appears that
                                            privilegeWithdrawn is now
                                            allowed. According to MRSP,
                                            only superseded is
                                            appropriate for this case.</span></p>
                                      </div>
                                    </div>
                                  </div>
                                </blockquote>
                                <div>
                                  <p class="MsoNormal"> </p>
                                </div>
                                <div>
                                  <p class="MsoNormal">For consistency,
                                    I'll change this to superseded only.
                                  </p>
                                </div>
                                <div>
                                  <p class="MsoNormal"> </p>
                                </div>
                                <blockquote style="border-color:currentcolor currentcolor currentcolor rgb(204,204,204);border-style:none none none solid;border-width:medium medium medium 1pt;padding:0cm 0cm 0cm 6pt;margin-left:4.8pt;margin-right:0cm">
                                  <div>
                                    <div>
                                      <div>
                                        <p class="MsoNormal"><span lang="EN-US">4. Regarding
                                            5-day revocation reason #9:
                                            this is not a scenario
                                            listed in MRSP. In other
                                            words, this revocation
                                            scenario must be denoted as
                                            “unspecified” as the
                                            CRLReason under MRSP.
                                            Therefore, it is not
                                            possible to satisfy both the
                                            proposed BR text and MRSP.</span></p>
                                      </div>
                                    </div>
                                  </div>
                                </blockquote>
                                <div>
                                  <p class="MsoNormal"> </p>
                                </div>
                                <div>
                                  <p class="MsoNormal">That's probably
                                    the approach to take - thanks. 
                                    Another possibility is to move this
                                    revocation reason down to 4.9.1.2 -
                                    CAs should revoke the intermediate
                                    CA certificate(s) rather than all
                                    end entity certificates. </p>
                                </div>
                                <div>
                                  <p class="MsoNormal"> </p>
                                </div>
                                <blockquote style="border-color:currentcolor currentcolor currentcolor rgb(204,204,204);border-style:none none none solid;border-width:medium medium medium 1pt;padding:0cm 0cm 0cm 6pt;margin-left:4.8pt;margin-right:0cm">
                                  <div>
                                    <div>
                                      <div>
                                        <p class="MsoNormal"><span lang="EN-US">5.  Regarding
                                            5-day revocation reason #10:
                                            this appears to be like
                                            scenario #7, but it is
                                            different in that revocation
                                            may be required even if
                                            there’s no violation of the
                                            CP/CPS. I don’t think this
                                            scenario is enumerated in
                                            MRSP, so it is not possible
                                            to specify a reason code
                                            that satisfies both MRSP and
                                            this ballot for this
                                            scenario.</span></p>
                                      </div>
                                    </div>
                                  </div>
                                </blockquote>
                                <div>
                                  <p class="MsoNormal"> </p>
                                </div>
                                <div>
                                  <p class="MsoNormal">Kathleen and I
                                    think that this reason is in the
                                    MRSP under the section for the
                                    superseded CRLReason -  "the CA
                                    operator has revoked the certificate
                                    for compliance reasons such as the
                                    certificate does not comply with
                                    this policy, the CA/Browser Forum's
                                    Baseline Requirements, or the CA
                                    operator’s CP or CPS". </p>
                                </div>
                                <div>
                                  <p class="MsoNormal"> </p>
                                </div>
                                <blockquote style="border-color:currentcolor currentcolor currentcolor rgb(204,204,204);border-style:none none none solid;border-width:medium medium medium 1pt;padding:0cm 0cm 0cm 6pt;margin-left:4.8pt;margin-right:0cm">
                                  <div>
                                    <div>
                                      <div>
                                        <p class="MsoNormal"><span lang="EN-US"> </span></p>
                                        <p class="MsoNormal"><span lang="EN-US">More generally,
                                            the Defined Term
                                            “Certificate” should be used
                                            throughout the ballot for
                                            consistency.</span></p>
                                      </div>
                                    </div>
                                  </div>
                                </blockquote>
                                <div>
                                  <p class="MsoNormal"> </p>
                                </div>
                                <div>
                                  <p class="MsoNormal">Agreed.  Thanks.</p>
                                </div>
                                <div>
                                  <p class="MsoNormal"> </p>
                                </div>
                                <blockquote style="border-color:currentcolor currentcolor currentcolor rgb(204,204,204);border-style:none none none solid;border-width:medium medium medium 1pt;padding:0cm 0cm 0cm 6pt;margin-left:4.8pt;margin-right:0cm">
                                  <div>
                                    <div>
                                      <div>
                                        <p class="MsoNormal"><span lang="EN-US"> </span></p>
                                        <p class="MsoNormal"><span lang="EN-US">Thanks,</span></p>
                                        <p class="MsoNormal"><span lang="EN-US">Corey</span></p>
                                      </div>
                                    </div>
                                  </div>
                                </blockquote>
                                <div>
                                  <p class="MsoNormal"> </p>
                                </div>
                                <div>
                                  <p class="MsoNormal">Thanks,</p>
                                </div>
                                <div>
                                  <p class="MsoNormal">Ben </p>
                                </div>
                                <blockquote style="border-color:currentcolor currentcolor currentcolor rgb(204,204,204);border-style:none none none solid;border-width:medium medium medium 1pt;padding:0cm 0cm 0cm 6pt;margin-left:4.8pt;margin-right:0cm">
                                  <div>
                                    <div>
                                      <div>
                                        <p class="MsoNormal"><span lang="EN-US"> </span></p>
                                        <div style="border-style:solid none none;border-width:1pt medium medium;padding:3pt 0cm 0cm;border-color:currentcolor">
                                          <p class="MsoNormal"><b><span lang="EN-US">From:</span></b><span lang="EN-US">
                                              Servercert-wg <<a href="mailto:servercert-wg-bounces@cabforum.org" target="_blank">servercert-wg-bounces@cabforum.org</a>>
                                              <b>On Behalf Of </b>Ben
                                              Wilson via Servercert-wg<br>
                                              <b>Sent:</b> Tuesday,
                                              September 13, 2022 11:37
                                              PM<br>
                                              <b>To:</b> Ben Wilson <<a href="mailto:bwilson@mozilla.com" target="_blank">bwilson@mozilla.com</a>>; CA/B Forum
                                              Server Certificate WG
                                              Public Discussion List
                                              <<a href="mailto:servercert-wg@cabforum.org" target="_blank">servercert-wg@cabforum.org</a>><br>
                                              <b>Subject:</b> Re:
                                              [Servercert-wg] Proposal
                                              to Incorporate Mozilla's
                                              CRL Revocation Reason Code
                                              Requirements into the BRs</span></p>
                                        </div>
                                        <p class="MsoNormal"><span lang="EN-US"> </span></p>
                                        <div>
                                          <div>
                                            <p class="MsoNormal"><span lang="EN-US">Here is the
                                                most current comparison:</span></p>
                                          </div>
                                          <div>
                                            <p class="MsoNormal"><span lang="EN-US"> </span></p>
                                          </div>
                                          <div>
                                            <p class="MsoNormal"><span lang="EN-US"><a href="https://github.com/cabforum/servercert/compare/bbca71465ed8a8a76383086039f52c750009286a..1699612e5157423f607d67cc8ab9dc3a1d52b318" target="_blank">https://github.com/cabforum/servercert/compare/bbca71465ed8a8a76383086039f52c750009286a..1699612e5157423f607d67cc8ab9dc3a1d52b318</a></span></p>
                                          </div>
                                          <div>
                                            <p class="MsoNormal"><span lang="EN-US"> </span></p>
                                          </div>
                                          <div>
                                            <p class="MsoNormal"><span lang="EN-US">Ben</span></p>
                                          </div>
                                        </div>
                                        <p class="MsoNormal"><span lang="EN-US"> </span></p>
                                        <div>
                                          <div>
                                            <p class="MsoNormal"><span lang="EN-US">On Mon, Sep
                                                12, 2022 at 11:00 AM Ben
                                                Wilson <<a href="mailto:bwilson@mozilla.com" target="_blank">bwilson@mozilla.com</a>> wrote:</span></p>
                                          </div>
                                          <blockquote style="border-style:none none none solid;border-width:medium medium medium 1pt;padding:0cm 0cm 0cm 6pt;margin:5pt 0cm 5pt 4.8pt;border-color:currentcolor currentcolor currentcolor rgb(204,204,204)">
                                            <div>
                                              <div>
                                                <p class="MsoNormal"><span lang="EN-US">Here is
                                                    another edit that
                                                    tries to make
                                                    minimal changes to
                                                    BR section 4.9.1.1.</span></p>
                                              </div>
                                              <div>
                                                <p class="MsoNormal"><span lang="EN-US"><a href="https://github.com/BenWilson-Mozilla/servercert/commit/94a07d08855cf489a2bdddff7d8a9490969d5d06" target="_blank">https://github.com/BenWilson-Mozilla/servercert/commit/94a07d08855cf489a2bdddff7d8a9490969d5d06</a></span></p>
                                              </div>
                                              <div>
                                                <p class="MsoNormal"><span lang="EN-US"> </span></p>
                                              </div>
                                              <div>
                                                <p class="MsoNormal"><span lang="EN-US">Ben</span></p>
                                              </div>
                                            </div>
                                            <p class="MsoNormal"><span lang="EN-US"> </span></p>
                                            <div>
                                              <div>
                                                <p class="MsoNormal"><span lang="EN-US">On Mon,
                                                    Sep 12, 2022 at 9:51
                                                    AM Ben Wilson via
                                                    Servercert-wg <<a href="mailto:servercert-wg@cabforum.org" target="_blank">servercert-wg@cabforum.org</a>> wrote:</span></p>
                                              </div>
                                              <blockquote style="border-style:none none none solid;border-width:medium medium medium 1pt;padding:0cm 0cm 0cm 6pt;margin:5pt 0cm 5pt 4.8pt;border-color:currentcolor currentcolor currentcolor rgb(204,204,204)">
                                                <div>
                                                  <div>
                                                    <p class="MsoNormal"><span lang="EN-US">Thanks,
                                                        Dimitris. I'll
                                                        work on that
                                                        approach and get
                                                        something back
                                                        to you soon.</span></p>
                                                  </div>
                                                  <div>
                                                    <p class="MsoNormal"><span lang="EN-US">Ben</span></p>
                                                  </div>
                                                </div>
                                                <p class="MsoNormal"><span lang="EN-US"> </span></p>
                                                <div>
                                                  <div>
                                                    <p class="MsoNormal"><span lang="EN-US">On
                                                        Mon, Sep 12,
                                                        2022 at 2:56 AM
                                                        Dimitris
                                                        Zacharopoulos
                                                        (HARICA) <<a href="mailto:dzacharo@harica.gr" target="_blank">dzacharo@harica.gr</a>> wrote:</span></p>
                                                  </div>
                                                  <blockquote style="border-style:none none none solid;border-width:medium medium medium 1pt;padding:0cm 0cm 0cm 6pt;margin:5pt 0cm 5pt 4.8pt;border-color:currentcolor currentcolor currentcolor rgb(204,204,204)">
                                                    <div>
                                                      <p class="MsoNormal"><span lang="EN-US">Hi
                                                          Ben,<br>
                                                          <br>
                                                          After a quick
                                                          reading, I
                                                          noticed that
                                                          the
                                                          subsections
                                                          are not
                                                          symmetrical
                                                          and a bit
                                                          inconsistent.
                                                          For example,
                                                          some of them
                                                          contain the
                                                          statement "the
                                                          CA SHOULD
                                                          revoke a
                                                          certificate
                                                          within 24
                                                          hours and MUST
                                                          revoke a
                                                          Certificate
                                                          within 5
                                                          days", some do
                                                          not.<br>
                                                          <br>
                                                          Other
                                                          examples:</span></p>
                                                      <ul type="disc">
                                                        <li class="MsoNormal">
                                                          <span lang="EN-US">4.9.1.1.1,
                                                          is labeled
                                                          "Subscriber-Requested
                                                          Revocation",
                                                          however there
                                                          are other
                                                          subsections
                                                          that are also
"Subscriber-Requested". This separation seems confusing.</span></li>
                                                        <li class="MsoNormal">
                                                          <span lang="EN-US">4.9.1.1.4
                                                          is about
                                                          unreliable
                                                          validation but
                                                          most of the
                                                          remaining
                                                          subsections
                                                          are titled
                                                          after the RFC
                                                          5280
                                                          revocation
                                                          reasons.</span></li>
                                                      </ul>
                                                      <p class="MsoNormal" style="margin-bottom:12pt"><span lang="EN-US">Finally, it's not very
                                                          clear when the
                                                          "unspecified
                                                          (0)" reason
                                                          must be used
                                                          because of
                                                          section
                                                          4.9.1.1.8
                                                          (Other
                                                          Circumstances)
                                                          which doesn't
                                                          point to a
                                                          revocation
                                                          reason.<br>
                                                          <br>
                                                          From my
                                                          perspective,
                                                          I'm not sure
                                                          if breaking
                                                          down each
                                                          subsection is
                                                          more helpful
                                                          for reading
                                                          the revocation
                                                          requirements
                                                          than the
                                                          current
                                                          listing. I
                                                          understand
                                                          there is a
                                                          desire to copy
                                                          the MRSP
                                                          language as
                                                          much as
                                                          possible but
                                                          perhaps we
                                                          need to
                                                          consider a
                                                          less
                                                          "intrusive"
                                                          set of changes
                                                          to a section
                                                          that CAs
                                                          already have a
                                                          difficult time
                                                          reading and
                                                          implementing.<br>
                                                          <br>
                                                          IMO we either
                                                          need to
                                                          describe the
                                                          revocation
                                                          scenario and
                                                          point to the
                                                          RFC 5280
                                                          revocation
                                                          reason (closer
                                                          to what the
                                                          BRs have
                                                          today), or
                                                          start with the
                                                          RFC 5280
                                                          revocation
                                                          reasons and
                                                          enumerate the
                                                          revocation
                                                          scenarios
                                                          (closer to
                                                          what MRSP has
                                                          today). I find
                                                          it confusing
                                                          to mix the two
                                                          approaches.<br>
                                                          <br>
                                                          <br>
                                                          Thanks,<br>
                                                          Dimitris.</span></p>
                                                      <div>
                                                        <p class="MsoNormal"><span lang="EN-US">On
                                                          12/9/2022 6:32
                                                          π.μ., Ben
                                                          Wilson wrote:</span></p>
                                                      </div>
                                                      <blockquote style="margin-top:5pt;margin-bottom:5pt">
                                                        <div>
                                                          <div>
                                                          <p class="MsoNormal"><span lang="EN-US">For
                                                          review - here
                                                          is another
                                                          proposal that
                                                          takes BR
                                                          section
                                                          4.9.1.1 and
                                                          puts the
                                                          24-hour and
                                                          5-day
                                                          revocation
                                                          times into
                                                          subsections
                                                          that match the
                                                          CRL reason
                                                          codes.  </span></p>
                                                          </div>
                                                          <div>
                                                          <p class="MsoNormal"><span lang="EN-US"> </span></p>
                                                          </div>
                                                          <div>
                                                          <p class="MsoNormal"><span lang="EN-US"><a href="https://github.com/BenWilson-Mozilla/servercert/commit/b185a28fcc20d5853747e4506103823e3dc7c282" target="_blank">https://github.com/BenWilson-Mozilla/servercert/commit/b185a28fcc20d5853747e4506103823e3dc7c282</a></span></p>
                                                          </div>
                                                          <div>
                                                          <p class="MsoNormal"><span lang="EN-US"> </span></p>
                                                          </div>
                                                          <div>
                                                          <p class="MsoNormal"><span lang="EN-US">Ben</span></p>
                                                          </div>
                                                        </div>
                                                        <p class="MsoNormal"><span lang="EN-US"> </span></p>
                                                        <div>
                                                          <div>
                                                          <p class="MsoNormal"><span lang="EN-US">On
                                                          Thu, Sep 8,
                                                          2022 at 12:05
                                                          PM Dimitris
                                                          Zacharopoulos
                                                          (HARICA) <<a href="mailto:dzacharo@harica.gr" target="_blank">dzacharo@harica.gr</a>> wrote:</span></p>
                                                          </div>
                                                          <blockquote style="border-style:none none none solid;border-width:medium medium medium 1pt;padding:0cm 0cm 0cm 6pt;margin:5pt 0cm 5pt 4.8pt;border-color:currentcolor currentcolor currentcolor rgb(204,204,204)">
                                                          <div>
                                                          <p class="MsoNormal" style="margin-bottom:12pt"><span lang="EN-US">Good point.<br>
                                                          <br>
                                                          s/<i>expected/shall
                                                          use/<br>
                                                          <br>
                                                          </i></span></p>
                                                          <div>
                                                          <p class="MsoNormal"><span lang="EN-US">On
                                                          8/9/2022 8:26
                                                          μ.μ., Tim
                                                          Hollebeek
                                                          wrote:</span></p>
                                                          </div>
                                                          <blockquote style="margin-top:5pt;margin-bottom:5pt">
                                                          <div>
                                                          <p class="MsoNormal"><span lang="EN-US">I
                                                          would prefer
                                                          standard 2119
                                                          language
                                                          instead of an
“expectation”.  There are no documented rules for what it means for a
                                                          CRLReason to
                                                          be expected to
                                                          be a certain
                                                          value.</span></p>
                                                          <p class="MsoNormal"><span lang="EN-US"> </span></p>
                                                          <p class="MsoNormal"><span lang="EN-US">-Tim</span></p>
                                                          <p class="MsoNormal"><span lang="EN-US"> </span></p>
                                                          <div style="border-style:none none none solid;border-width:medium medium medium 1.5pt;padding:0cm 0cm 0cm 4pt;border-color:currentcolor currentcolor currentcolor blue">
                                                          <div>
                                                          <div style="border-style:solid none none;border-width:1pt medium medium;padding:3pt 0cm 0cm;border-color:currentcolor">
                                                          <p class="MsoNormal"><b><span lang="EN-US">From:</span></b><span lang="EN-US">
                                                          Servercert-wg
                                                          <a href="mailto:servercert-wg-bounces@cabforum.org" target="_blank"><servercert-wg-bounces@cabforum.org></a>
                                                          <b>On Behalf
                                                          Of </b>Dimitris
                                                          Zacharopoulos
                                                          (HARICA) via
                                                          Servercert-wg<br>
                                                          <b>Sent:</b>
                                                          Thursday,
                                                          September 8,
                                                          2022 3:21 AM<br>
                                                          <b>To:</b> Ben
                                                          Wilson <a href="mailto:bwilson@mozilla.com" target="_blank"><bwilson@mozilla.com></a>;
                                                          CA/B Forum
                                                          Server
                                                          Certificate WG
                                                          Public
                                                          Discussion
                                                          List <a href="mailto:servercert-wg@cabforum.org" target="_blank"><servercert-wg@cabforum.org></a><br>
                                                          <b>Subject:</b>
                                                          Re:
                                                          [Servercert-wg]
                                                          Proposal to
                                                          Incorporate
                                                          Mozilla's CRL
                                                          Revocation
                                                          Reason Code
                                                          Requirements
                                                          into the BRs</span></p>
                                                          </div>
                                                          </div>
                                                          <p class="MsoNormal"><span lang="EN-US"> </span></p>
                                                          <p class="MsoNormal" style="margin-bottom:12pt"><span lang="EN-US"> </span></p>
                                                          <div>
                                                          <p class="MsoNormal"><span lang="EN-US">On
                                                          7/9/2022 8:22
                                                          μ.μ., Ben
                                                          Wilson wrote:</span></p>
                                                          </div>
                                                          <blockquote style="margin-top:5pt;margin-bottom:5pt">
                                                          <div>
                                                          <div>
                                                          <p class="MsoNormal"><span lang="EN-US">Good
                                                          suggestion. I
                                                          can re-work a
                                                          proposal that
                                                          re-writes BR
                                                          sec. 4.9.1.1
                                                          to re-group
                                                          the revocation
                                                          reasons into
                                                          the reason
                                                          codes that
                                                          should be
                                                          used. Is that
                                                          what you were
                                                          thinking? </span></p>
                                                          </div>
                                                          </div>
                                                          </blockquote>
                                                          <p class="MsoNormal"><span lang="EN-US"><br>
                                                          Yes. We should
                                                          also try to
                                                          keep the
                                                          current BRs
                                                          prioritization.
                                                          The section
                                                          begins with
                                                          the cases
                                                          where the
                                                          Certificate(s)
                                                          need to be
                                                          revoked within
                                                          24h and then
                                                          moves to the
                                                          5-day
                                                          revocation
                                                          cases.<br>
                                                          <br>
                                                          We could walk
                                                          this list down
                                                          making sure
                                                          that all
                                                          Mozilla cases
                                                          are listed
                                                          (add the ones
                                                          that are not)
                                                          and add the
                                                          expected
                                                          revocationReason
                                                          for each case.
                                                          For example:</span></p>
                                                          <p><i><span lang="EN-US">The
                                                          CA SHALL
                                                          revoke a
                                                          Certificate
                                                          within 24
                                                          hours if one
                                                          or more of the
                                                          following
                                                          occurs:</span></i><span lang="EN-US"></span></p>
                                                          <ol type="1" start="1">
                                                          <li class="MsoNormal">
                                                          <i><span lang="EN-US">The
                                                          Subscriber
                                                          requests in
                                                          writing that
                                                          the CA revoke
                                                          the
                                                          Certificate
                                                          (expected
                                                          CRLReason: <b>unspecified</b>);</span></i><span lang="EN-US"></span></li>
                                                          <li class="MsoNormal">
                                                          <i><span lang="EN-US">The
                                                          Subscriber
                                                          notifies the
                                                          CA that the
                                                          original
                                                          certificate
                                                          request was
                                                          not authorized
                                                          and does not
                                                          retroactively
                                                          grant
                                                          authorization
                                                          (expected
                                                          CRLReason: </span></i><b><i><span style="font-family:'Calibri',sans-serif" lang="EN-US">privilegeWithdrawn</span></i></b><i><span lang="EN-US">);</span></i><span lang="EN-US"></span></li>
                                                          <li class="MsoNormal">
                                                          <i><span lang="EN-US">The
                                                          CA obtains
                                                          evidence that
                                                          the
                                                          Subscriber's
                                                          Private Key
                                                          corresponding
                                                          to the Public
                                                          Key in the
                                                          Certificate
                                                          suffered a Key
                                                          Compromise
                                                          (expected
                                                          CRLReason: <b>keyCompromise</b>);</span></i><span lang="EN-US"></span></li>
                                                          <li class="MsoNormal">
                                                          <i><span lang="EN-US">The
                                                          CA is made
                                                          aware of a
                                                          demonstrated
                                                          or proven
                                                          method that
                                                          can easily
                                                          compute the
                                                          Subscriber's
                                                          Private Key
                                                          based on the
                                                          Public Key in
                                                          the
                                                          Certificate
                                                          (such as a
                                                          Debian weak
                                                          key, see </span></i><span lang="EN-US"><a href="https://wiki.debian.org/SSLkeys" target="_blank"><i>https://wiki.debian.org/SSLkeys</i></a><i>)
                                                          (expected
                                                          CRLReason: <b>keyCompromise</b>);</i></span></li>
                                                          <li class="MsoNormal">
                                                          <i><span lang="EN-US">The
                                                          CA obtains
                                                          evidence that
                                                          the validation
                                                          of domain
                                                          authorization
                                                          or control for
                                                          any
                                                          Fully-Qualified
                                                          Domain Name or
                                                          IP address in
                                                          the
                                                          Certificate
                                                          should not be
                                                          relied upon
                                                          (expected
                                                          CRLReason: </span></i><b><i><span style="font-family:'Calibri',sans-serif" lang="EN-US">superseded</span></i></b><i><span lang="EN-US">).</span></i><span lang="EN-US"></span></li>
                                                          </ol>
                                                          <p class="MsoNormal" style="margin-bottom:12pt"><span lang="EN-US">and so on.<br>
                                                          <br>
                                                          Does that
                                                          work?<br>
                                                          <br>
                                                          Dimitris.</span></p>
                                                          <blockquote style="margin-top:5pt;margin-bottom:5pt">
                                                          <div>
                                                          <div>
                                                          <p class="MsoNormal"><span lang="EN-US">Thanks,</span></p>
                                                          </div>
                                                          <div>
                                                          <p class="MsoNormal"><span lang="EN-US">Ben</span></p>
                                                          </div>
                                                          </div>
                                                          <p class="MsoNormal"><span lang="EN-US"> </span></p>
                                                          <div>
                                                          <div>
                                                          <p class="MsoNormal"><span lang="EN-US">On
                                                          Wed, Sep 7,
                                                          2022 at 6:01
                                                          AM Dimitris
                                                          Zacharopoulos
                                                          (HARICA) via
                                                          Servercert-wg
                                                          <<a href="mailto:servercert-wg@cabforum.org" target="_blank">servercert-wg@cabforum.org</a>>
                                                          wrote:</span></p>
                                                          </div>
                                                          <blockquote style="border-style:none none none solid;border-width:medium medium medium 1pt;padding:0cm 0cm 0cm 6pt;margin:5pt 0cm 5pt 4.8pt;border-color:currentcolor currentcolor currentcolor rgb(204,204,204)">
                                                          <div>
                                                          <p class="MsoNormal" style="margin-bottom:12pt"><span lang="EN-US">Hi Ben,<br>
                                                          <br>
                                                          I believe the
                                                          proposal, as
                                                          written,
                                                          causes
                                                          confusion in
                                                          regards to
                                                          4.9.1.1. Some
                                                          of the reasons
                                                          described in
                                                          your proposal
                                                          are already
                                                          mentioned in
                                                          4.9.1.1.
                                                          Perhaps we
                                                          should work
                                                          some more to
                                                          "unify" the
                                                          two sections.<br>
                                                          <br>
                                                          My proposal
                                                          would be to
                                                          update 4.9.1.1
                                                          and include
                                                          the expected
                                                          CRLReason
                                                          after each
                                                          case.<br>
                                                          <br>
                                                          <br>
                                                          Thoughts?<br>
                                                          Dimitris.</span></p>
                                                          <div>
                                                          <p class="MsoNormal"><span lang="EN-US">On
                                                          6/9/2022 8:13
                                                          μ.μ., Ben
                                                          Wilson via
                                                          Servercert-wg
                                                          wrote:</span></p>
                                                          </div>
                                                          <blockquote style="margin-top:5pt;margin-bottom:5pt">
                                                          <div>
                                                          <div>
                                                          <p class="MsoNormal"><span lang="EN-US">All,</span></p>
                                                          </div>
                                                          <div>
                                                          <p class="MsoNormal"><span lang="EN-US">I'm
                                                          looking for
                                                          one more
                                                          endorser.</span></p>
                                                          </div>
                                                          <div>
                                                          <p class="MsoNormal"><span lang="EN-US">Thanks,</span></p>
                                                          </div>
                                                          <div>
                                                          <p class="MsoNormal"><span lang="EN-US">Ben</span></p>
                                                          </div>
                                                          </div>
                                                          <p class="MsoNormal"><span lang="EN-US"> </span></p>
                                                          <div>
                                                          <div>
                                                          <p class="MsoNormal"><span lang="EN-US">On
                                                          Fri, Jul 29,
                                                          2022 at 12:40
                                                          PM Ben Wilson
                                                          via
                                                          Servercert-wg
                                                          <<a href="mailto:servercert-wg@cabforum.org" target="_blank">servercert-wg@cabforum.org</a>>
                                                          wrote:</span></p>
                                                          </div>
                                                          <blockquote style="border-style:none none none solid;border-width:medium medium medium 1pt;padding:0cm 0cm 0cm 6pt;margin:5pt 0cm 5pt 4.8pt;border-color:currentcolor currentcolor currentcolor rgb(204,204,204)">
                                                          <div>
                                                          <div>
                                                          <p class="MsoNormal"><span lang="EN-US">All,</span></p>
                                                          </div>
                                                          <div>
                                                          <p class="MsoNormal"><span lang="EN-US"> </span></p>
                                                          </div>
                                                          <div>
                                                          <p class="MsoNormal"><span lang="EN-US">I
                                                          have created a
                                                          proposal in
                                                          GitHub to
                                                          incorporate
                                                          Mozilla's CRL
                                                          Revocation
                                                          Reason Code
                                                          requirements
                                                          into the
                                                          Baseline
                                                          Requirements. 
                                                          </span></p>
                                                          </div>
                                                          <div>
                                                          <p class="MsoNormal"><span lang="EN-US"> </span></p>
                                                          </div>
                                                          <div>
                                                          <p class="MsoNormal"><span lang="EN-US">See
                                                          <a href="https://github.com/cabforum/servercert/issues/377" target="_blank">https://github.com/cabforum/servercert/issues/377</a></span></p>
                                                          </div>
                                                          <div>
                                                          <p class="MsoNormal"><span lang="EN-US"> </span></p>
                                                          </div>
                                                          <div>
                                                          <p class="MsoNormal"><span lang="EN-US"><a href="https://github.com/BenWilson-Mozilla/servercert/commit/52a480803beff1f96d61c4b6d76570ac7adff4d5" target="_blank">https://github.com/BenWilson-Mozilla/servercert/commit/52a480803beff1f96d61c4b6d76570ac7adff4d5</a></span></p>
                                                          </div>
                                                          <div>
                                                          <p class="MsoNormal"><span lang="EN-US"> </span></p>
                                                          </div>
                                                          <div>
                                                          <p class="MsoNormal"><span lang="EN-US">I'm
                                                          looking for
                                                          comments,
                                                          suggestions,
                                                          and two
                                                          endorsers.</span></p>
                                                          </div>
                                                          <div>
                                                          <p class="MsoNormal"><span lang="EN-US"> </span></p>
                                                          </div>
                                                          <div>
                                                          <p class="MsoNormal"><span lang="EN-US">Thanks,</span></p>
                                                          </div>
                                                          <div>
                                                          <p class="MsoNormal"><span lang="EN-US"> </span></p>
                                                          </div>
                                                          <div>
                                                          <p class="MsoNormal"><span lang="EN-US">Ben</span></p>
                                                          </div>
                                                          </div>
                                                          <p class="MsoNormal"><span lang="EN-US">_______________________________________________<br>
                                                          Servercert-wg
                                                          mailing list<br>
                                                          <a href="mailto:Servercert-wg@cabforum.org" target="_blank">Servercert-wg@cabforum.org</a><br>
                                                          <a href="https://lists.cabforum.org/mailman/listinfo/servercert-wg" target="_blank">https://lists.cabforum.org/mailman/listinfo/servercert-wg</a></span></p>
                                                          </blockquote>
                                                          </div>
                                                          <p class="MsoNormal" style="margin-bottom:12pt"><span lang="EN-US"> </span></p>
                                                          </blockquote>
                                                          <p class="MsoNormal"><span lang="EN-US"> </span></p>
                                                          </div>
                                                          </blockquote>
                                                          </div>
                                                          </blockquote>
                                                          <p class="MsoNormal"><span lang="EN-US"> </span></p>
                                                          </div>
                                                          </div>
                                                          </blockquote>
                                                          <p class="MsoNormal"><span lang="EN-US"> </span></p>
                                                          </div>
                                                          </blockquote>
                                                        </div>
                                                      </blockquote>
                                                      <p class="MsoNormal"><span lang="EN-US"> </span></p>
                                                    </div>
                                                  </blockquote>
                                                </div>
                                              </blockquote>
                                            </div>
                                          </blockquote>
                                        </div>
                                      </div>
                                    </div>
                                  </div>
                                </blockquote>
                              </div>
                            </div>
                          </blockquote>
                        </div>
                      </div>
                    </div>
                  </div>
                </blockquote>
              </div>
              <br>
            </blockquote>
            <br>
          </div>
        </blockquote>
      </div>
    </blockquote>
    <br>
  </div>

</blockquote></div>