<div dir="ltr">Ryan,<div><br></div><div>Thanks for the PR with proposed ballot updates! I've left more comments directly on it, some tiny and some slightly more substantive continuations of the conversations here and on the other thread.</div><div><br></div><div>Aaron</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Wed, May 3, 2023 at 10:38 AM Ryan Dickson <<a href="mailto:ryandickson@google.com" target="_blank">ryandickson@google.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><p style="color:rgb(14,16,26);background:transparent;margin-top:0pt;margin-bottom:0pt"><span style="background:transparent;margin-top:0pt;margin-bottom:0pt">Hi Paul,</span></p><p style="color:rgb(14,16,26);background:transparent;margin-top:0pt;margin-bottom:0pt"><br></p><p style="color:rgb(14,16,26);background:transparent;margin-top:0pt;margin-bottom:0pt"><span style="background:transparent;margin-top:0pt;margin-bottom:0pt">I appreciate that perspective and will take it under continued consideration. </span></p><p style="color:rgb(14,16,26);background:transparent;margin-top:0pt;margin-bottom:0pt"><br></p><p style="color:rgb(14,16,26);background:transparent;margin-top:0pt;margin-bottom:0pt"><span style="background:transparent;margin-top:0pt;margin-bottom:0pt">That same perspective was carefully considered while drafting the Ballot and in discussions with community members since introducing the proposal at F2F 56. 
</span></p><p style="color:rgb(14,16,26);background:transparent;margin-top:0pt;margin-bottom:0pt"><br></p><p style="color:rgb(14,16,26);background:transparent;margin-top:0pt;margin-bottom:0pt"><span style="background:transparent;margin-top:0pt;margin-bottom:0pt">However, I see all of these efforts tightly commingled and splitting the Ballot into smaller pieces:</span></p><ul><li><span style="background-color:transparent;color:rgb(14,16,26)">Increases ambiguity.</span></li><li><span style="background-color:transparent;color:rgb(14,16,26)">Causes unnecessary administrative burden. It takes a meaningful amount of effort and time to propose, discuss, vote, and adopt updates to the BRs. Consolidating and/or reducing that effort should be prioritized when possible.</span></li><li><span style="background-color:transparent;color:rgb(14,16,26)">Commits the group to future review/comment periods that, in my opinion, ultimately hold us back from pursuing other important ballot work (like what we hope to accomplish with Multi-Perspective Domain Validation, refreshing the EVGs, etc.)</span></li></ul><p style="color:rgb(14,16,26);background:transparent;margin-top:0pt;margin-bottom:0pt"><br></p><p style="color:rgb(14,16,26);background:transparent;margin-top:0pt;margin-bottom:0pt"><span style="background:transparent;margin-top:0pt;margin-bottom:0pt">Given that the group successfully navigated the complexity of SC-62, I'm hopeful we can continue working together to do the same with this Ballot. If it becomes clear that this is not possible, I'll re-evaluate this approach and change course. 
</span></p><p style="color:rgb(14,16,26);background:transparent;margin-top:0pt;margin-bottom:0pt"><br></p><p style="color:rgb(14,16,26);background:transparent;margin-top:0pt;margin-bottom:0pt"><span style="background:transparent;margin-top:0pt;margin-bottom:0pt">Thanks again for your feedback.</span></p><p style="color:rgb(14,16,26);background:transparent;margin-top:0pt;margin-bottom:0pt"><br></p><p style="color:rgb(14,16,26);background:transparent;margin-top:0pt;margin-bottom:0pt"><span style="background:transparent;margin-top:0pt;margin-bottom:0pt">- Ryan</span></p><p style="color:rgb(14,16,26);background:transparent;margin-top:0pt;margin-bottom:0pt"><br></p><p style="color:rgb(14,16,26);background:transparent;margin-top:0pt;margin-bottom:0pt"></p></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Wed, May 3, 2023 at 11:54 AM Paul van Brouwershaven <<a href="mailto:Paul.vanBrouwershaven@entrust.com" target="_blank">Paul.vanBrouwershaven@entrust.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div>
<div dir="ltr">
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">
Hi Ryan,</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">
<br>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">
Would it be possible to split this ballot by topic into separate ballots, for example like:</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">
<ul>
<li><span>CRL Profiles</span></li><li><span>Make OCSP Optional (require a CRL or OCSP to be included)<br>
</span></li><li><span>Require CRLs<br>
</span></li><li><span>Short-Lived Certificates<br>
</span></li></ul>
<div><span><span style="background-color:rgb(255,255,255);display:inline">I think this combined ballot makes it too complicated to manage and have a fruitful discussion about the
implications of each change.</span><br>
</span></div>
<div><span><span style="background-color:rgb(255,255,255);display:inline"><br>
</span></span></div>
<div><span>Paul</span></div>
<div><span><br>
</span></div>
<div><span><br>
</span></div>
</div>
<hr style="display:inline-block;width:98%">
<div id="m_-2253391816514652259m_2650753483995849701m_-2386580048488382690m_-867252397679114134divRplyFwdMsg" dir="ltr"><font face="Calibri, sans-serif" style="font-size:11pt" color="#000000"><b>From:</b> Servercert-wg <<a href="mailto:servercert-wg-bounces@cabforum.org" target="_blank">servercert-wg-bounces@cabforum.org</a>> on behalf of Ryan Dickson via Servercert-wg <<a href="mailto:servercert-wg@cabforum.org" target="_blank">servercert-wg@cabforum.org</a>><br>
<b>Sent:</b> Wednesday, May 3, 2023 16:00<br>
<b>To:</b> Aaron Gable <<a href="mailto:aaron@letsencrypt.org" target="_blank">aaron@letsencrypt.org</a>><br>
<b>Cc:</b> CA/B Forum Server Certificate WG Public Discussion List <<a href="mailto:servercert-wg@cabforum.org" target="_blank">servercert-wg@cabforum.org</a>><br>
<b>Subject:</b> [EXTERNAL] Re: [Servercert-wg] Discussion Period Begins - Ballot SC-063: “Make OCSP Optional and Incentivize Automation”</font>
<div> </div>
</div>
<div>
<div dir="ltr">
<div dir="ltr"><span id="m_-2253391816514652259m_2650753483995849701m_-2386580048488382690m_-867252397679114134x_m_3062820874607351244gmail-docs-internal-guid-078c7913-7fff-67f3-0be6-dc73c0788557">
<p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-family:Arial;color:rgb(14,16,26);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline;white-space:pre-wrap">Hi all,</span></p>
<br>
<p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-family:Arial;color:rgb(14,16,26);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline;white-space:pre-wrap">Thanks for the discussion thus far.</span></p>
<br>
<p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-family:Arial;color:rgb(14,16,26);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline;white-space:pre-wrap">In hopes of making it easier for others to follow along with and contribute to the discussion, I added a summary to the ballot background and justification </span><a href="https://urldefense.com/v3/__https://docs.google.com/document/d/180T6cDSWPy54Rb5d6R4zN7MuLEMShaZ4IRLQgdPqE98/edit*bookmark=id.ceedtvdz1590__;Iw!!FJ-Y8qCqXTj2!f6JiZayyK01P2H7iQEXTI1JymI9pvfoMIwUlQ_0oCkImdAxBIbMNrJdLvvMEK1qIVaozcPbKw1hNHUvpGzEY4RitoYBE1fDgfNxN$" style="text-decoration-line:none" target="_blank"><span style="font-family:Arial;color:rgb(74,110,224);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;text-decoration-line:underline;vertical-align:baseline;white-space:pre-wrap">document</span></a><span style="font-family:Arial;color:rgb(14,16,26);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline;white-space:pre-wrap">. I can continue to generate these summaries from time to time if they are helpful to members of our community.</span></p>
<br>
<p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-family:Arial;color:rgb(14,16,26);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline;white-space:pre-wrap">If I’ve missed or misinterpreted anything in the summary, please:</span></p>
<ol style="margin-top:0px;margin-bottom:0px">
<li dir="ltr" style="list-style-type:decimal;font-family:Arial;color:rgb(14,16,26);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline;white-space:pre-wrap">
<p dir="ltr" role="presentation" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt">
<span style="background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline;white-space:pre-wrap">accept my apologies in advance</span></p>
</li><li dir="ltr" style="list-style-type:decimal;font-family:Arial;color:rgb(14,16,26);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline;white-space:pre-wrap">
<p dir="ltr" role="presentation" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt">
<span style="background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline;white-space:pre-wrap">offer clarification (feel free to comment directly on the doc and I’ll make the necessary updates)</span></p>
</li></ol>
<br>
<p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-family:Arial;color:rgb(14,16,26);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline;white-space:pre-wrap">Also, I’ve attempted to summarize unaddressed questions and comments below, adding clarification where possible.</span></p>
<br>
<p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-family:Arial;color:rgb(14,16,26);background-color:transparent;font-weight:700;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;text-decoration-line:underline;vertical-align:baseline;white-space:pre-wrap">Questions and Comments:</span></p>
<p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-family:Arial;color:rgb(14,16,26);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline;white-space:pre-wrap"> </span></p>
<ol style="margin-top:0px;margin-bottom:0px">
<li dir="ltr" style="list-style-type:decimal;font-family:Arial;color:rgb(14,16,26);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline;white-space:pre-wrap">
<p dir="ltr" role="presentation" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt">
<span style="background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline;white-space:pre-wrap">[Dimitris/Aaron] Should CAs not issuing certificates be required to issue (at least) daily CRLs as required in the proposed text? Why should a CA publish a new CRL if it hasn’t revoked a certificate since the last one?</span></p>
</li></ol>
<ul style="margin-top:0px;margin-bottom:0px">
<li dir="ltr" style="list-style-type:disc;font-family:Arial;color:rgb(14,16,26);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline;white-space:pre-wrap;margin-left:36pt">
<p dir="ltr" role="presentation" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt">
<span style="background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline;white-space:pre-wrap">New Response: It seems worth exploring the “carve-out” described by Dimitris and Aaron. Alternative language proposed </span><a href="https://urldefense.com/v3/__https://github.com/ryancdickson/staging/pull/3/files__;!!FJ-Y8qCqXTj2!f6JiZayyK01P2H7iQEXTI1JymI9pvfoMIwUlQ_0oCkImdAxBIbMNrJdLvvMEK1qIVaozcPbKw1hNHUvpGzEY4RitoYBE1W5r6T1p$" style="text-decoration-line:none" target="_blank"><span style="background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;text-decoration-line:underline;vertical-align:baseline;white-space:pre-wrap">here</span></a><span style="background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline;white-space:pre-wrap"> attempts to specify when initial CRL publication must occur, ongoing issuance requirements, and when CAs may stop issuing CRLs. [Note, please feel welcome to offer suggested changes on the PR linked above].</span></p>
</li></ul>
<p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-family:Arial;color:rgb(14,16,26);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline;white-space:pre-wrap"> </span></p>
<ol start="2" style="margin-top:0px;margin-bottom:0px">
<li dir="ltr" style="list-style-type:decimal;font-family:Arial;color:rgb(14,16,26);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline;white-space:pre-wrap">
<p dir="ltr" role="presentation" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt">
<span style="background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline;white-space:pre-wrap">[Aaron] Made some editorial comments that I’ll work on in </span><a href="https://urldefense.com/v3/__https://github.com/ryancdickson/staging/tree/make-ocsp-optional-updates__;!!FJ-Y8qCqXTj2!f6JiZayyK01P2H7iQEXTI1JymI9pvfoMIwUlQ_0oCkImdAxBIbMNrJdLvvMEK1qIVaozcPbKw1hNHUvpGzEY4RitoYBE1WizfJKr$" style="text-decoration-line:none" target="_blank"><span style="color:rgb(74,110,224);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;text-decoration-line:underline;vertical-align:baseline;white-space:pre-wrap">this</span></a><span style="background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline;white-space:pre-wrap"> branch.</span></p>
</li></ol>
<br>
<ol start="3" style="margin-top:0px;margin-bottom:0px">
<li dir="ltr" style="list-style-type:decimal;font-family:Arial;color:rgb(14,16,26);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline;white-space:pre-wrap">
<p dir="ltr" role="presentation" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt">
<span style="background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline;white-space:pre-wrap">[Aaron] What does it mean to “support on-line revocation checking via OCSP”?</span></p>
</li></ol>
<ul style="margin-top:0px;margin-bottom:0px">
<li dir="ltr" style="list-style-type:disc;font-family:Arial;color:rgb(14,16,26);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline;white-space:pre-wrap;margin-left:36pt">
<p dir="ltr" role="presentation" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt">
<span style="background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline;white-space:pre-wrap">New Response: Alternative language proposed </span><a href="https://urldefense.com/v3/__https://github.com/ryancdickson/staging/commit/1bc7e08cc403a25db874d4fb56af7ca46571406c__;!!FJ-Y8qCqXTj2!f6JiZayyK01P2H7iQEXTI1JymI9pvfoMIwUlQ_0oCkImdAxBIbMNrJdLvvMEK1qIVaozcPbKw1hNHUvpGzEY4RitoYBE1a-r6IpA$" style="text-decoration-line:none" target="_blank"><span style="color:rgb(74,110,224);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;text-decoration-line:underline;vertical-align:baseline;white-space:pre-wrap">here</span></a><span style="background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline;white-space:pre-wrap"> attempts to clarify this language.</span></p>
</li></ul>
<br>
<ol start="4" style="margin-top:0px;margin-bottom:0px">
<li dir="ltr" style="list-style-type:decimal;font-family:Arial;color:rgb(14,16,26);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline;white-space:pre-wrap">
<p dir="ltr" role="presentation" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt">
<span style="background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline;white-space:pre-wrap">[Aaron] Can we discuss the motivations behind prohibiting the use of “indirect CRLs”?</span></p>
</li></ol>
<ul style="margin-top:0px;margin-bottom:0px">
<li dir="ltr" style="list-style-type:disc;font-family:Arial;color:rgb(14,16,26);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline;white-space:pre-wrap;margin-left:36pt">
<p dir="ltr" role="presentation" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt">
<span style="background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline;white-space:pre-wrap">New Response: Though Aaron closed this issue, some final clarifications. While preparing the CRL Profile included in the proposal, we downloaded all CRLs disclosed to CCADB. We observed no instances of indirectCRLs in use today. Given our understanding of the language in SC-62 described by Corey, our opinion that indirect CRLs increase the complexity of the Web PKI, the absence of CAs relying on this practice, and given </span><a href="https://urldefense.com/v3/__https://source.chromium.org/chromium/chromium/src/*/refs/heads/main:net/cert/internal/revocation_checker.cc;l=167-169;drc=e39fffa6900a679961f5992b8f24a084853b811a__;Kw!!FJ-Y8qCqXTj2!f6JiZayyK01P2H7iQEXTI1JymI9pvfoMIwUlQ_0oCkImdAxBIbMNrJdLvvMEK1qIVaozcPbKw1hNHUvpGzEY4RitoYBE1UIXJysa$" style="text-decoration-line:none" target="_blank"><span style="color:rgb(74,110,224);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;text-decoration-line:underline;vertical-align:baseline;white-space:pre-wrap">Chrome</span></a><span style="background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline;white-space:pre-wrap"> and likely other consumers do not support this practice, a clear prohibition felt in the best interest of this community to help standardize expected behavior.</span></p>
</li></ul>
<br>
<ol start="5" style="margin-top:0px;margin-bottom:0px">
<li dir="ltr" style="list-style-type:decimal;font-family:Arial;color:rgb(14,16,26);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline;white-space:pre-wrap">
<p dir="ltr" role="presentation" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt">
<span style="background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline;white-space:pre-wrap">[Aaron] Can CA owners share:</span></p>
</li></ol>
<ul style="margin-top:0px;margin-bottom:0px">
<li dir="ltr" style="list-style-type:disc;font-family:Arial;color:rgb(14,16,26);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline;white-space:pre-wrap;margin-left:36pt">
<p dir="ltr" role="presentation" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt">
<span style="background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline;white-space:pre-wrap">How many certificates you have which embed a CRLDP?</span></p>
</li><ul style="margin-top:0px;margin-bottom:0px">
<li dir="ltr" style="list-style-type:square;font-family:Arial;color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline;white-space:pre-wrap;margin-left:36pt">
<p dir="ltr" role="presentation" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt">
<span style="color:rgb(14,16,26);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline;white-space:pre-wrap">New Response: While not a CA, I was hoping to help offer additional context using the Censys queries outlined </span><a href="https://urldefense.com/v3/__https://docs.google.com/spreadsheets/d/1oHWJTlVuZIhOwTE9lsx4iT4UsA0C_tP7mGEHW9nfwII/edit*gid=0__;Iw!!FJ-Y8qCqXTj2!f6JiZayyK01P2H7iQEXTI1JymI9pvfoMIwUlQ_0oCkImdAxBIbMNrJdLvvMEK1qIVaozcPbKw1hNHUvpGzEY4RitoYBE1aXfOMjw$" style="text-decoration-line:none" target="_blank"><span style="color:rgb(74,110,224);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;text-decoration-line:underline;vertical-align:baseline;white-space:pre-wrap">here</span></a><span style="color:rgb(14,16,26);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline;white-space:pre-wrap">. My interpretation of the results is that ~36% of all time-valid leafs asserting a BR certificate policy OID contain a CRLDP, and that ~88% of the CAs issuing those leafs include CRLDP by default on 100% of certs issued that assert a BR policy OID (i.e., the set of CAs capable of turning down OCSP services as described in the ballot). Feedback on the queries to offer more accurate results is welcome.</span></p>
</li></ul>
</ul>
<ul style="margin-top:0px;margin-bottom:0px">
<li dir="ltr" style="list-style-type:disc;font-family:Arial;color:rgb(14,16,26);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline;white-space:pre-wrap;margin-left:36pt">
<p dir="ltr" role="presentation" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt">
<span style="background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline;white-space:pre-wrap">How many requests-per-second you receive for that CRLDP as a result?</span></p>
</li><ul style="margin-top:0px;margin-bottom:0px">
<li dir="ltr" style="list-style-type:square;font-family:Arial;color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline;white-space:pre-wrap;margin-left:36pt">
<p dir="ltr" role="presentation" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt">
<span style="color:rgb(14,16,26);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline;white-space:pre-wrap">[not yet addressed]</span></p>
</li></ul>
</ul>
<p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-family:Arial;color:rgb(14,16,26);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline;white-space:pre-wrap"> </span></p>
<ol start="6" style="margin-top:0px;margin-bottom:0px">
<li dir="ltr" style="list-style-type:decimal;font-family:Arial;color:rgb(14,16,26);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline;white-space:pre-wrap">
<p dir="ltr" role="presentation" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt">
<span style="background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline;white-space:pre-wrap">[Wayne] Expressed concern that the ballot does not prevent CAs from sharding CRLs to the point that individual sites are easily or exclusively identified, so even allowing cRLDPs in end-entity certificates seems to violate the purpose of this ballot.</span></p>
</li></ol>
<ul style="margin-top:0px;margin-bottom:0px">
<li dir="ltr" style="list-style-type:disc;font-family:Arial;color:rgb(14,16,26);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline;white-space:pre-wrap;margin-left:36pt">
<p dir="ltr" role="presentation" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt">
<span style="background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline;white-space:pre-wrap">New Response: It’s unclear why a CA would be incentivized to do this, but it is a valid point. Short of authoritatively describing accepted conditions (e.g., based on certificate issuance time) and minimal thresholds for sharding (e.g., minimally 100 certificates assigned to each CRLDP), I’m unsure how we might prevent this practice. Do others share this same concern or have ideas as to how we can reduce this unintended outcome?</span></p>
</li></ul>
<br>
<ol start="7" style="margin-top:0px;margin-bottom:0px">
<li dir="ltr" style="list-style-type:decimal;font-family:Arial;color:rgb(14,16,26);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline;white-space:pre-wrap">
<p dir="ltr" role="presentation" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt">
<span style="background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline;white-space:pre-wrap">[Wayne] Is there some other reason to begin requiring cRLDPs if the CA chooses to operate an OCSP service after this ballot goes into effect?</span></p>
</li></ol>
<ul style="margin-top:0px;margin-bottom:0px">
<li dir="ltr" style="list-style-type:disc;font-family:Arial;color:rgb(14,16,26);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline;white-space:pre-wrap;margin-left:36pt">
<p dir="ltr" role="presentation" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt">
<span style="background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline;white-space:pre-wrap">New Response: This is a fair point, and now it helps me better understand the perspective from Tim H. at the last SCWG meeting (sorry for misunderstanding your point at that time, Tim!). I agree - if the subscriber certificate contains an OCSP URI, it should not also be required to include CRLDP. Alternative language proposed </span><a href="https://urldefense.com/v3/__https://github.com/ryancdickson/staging/commit/2ab659ca36ab0f72318c5b9bec1121cd389f1035__;!!FJ-Y8qCqXTj2!f6JiZayyK01P2H7iQEXTI1JymI9pvfoMIwUlQ_0oCkImdAxBIbMNrJdLvvMEK1qIVaozcPbKw1hNHUvpGzEY4RitoYBE1SyJRRfP$" style="text-decoration-line:none" target="_blank"><span style="color:rgb(74,110,224);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;text-decoration-line:underline;vertical-align:baseline;white-space:pre-wrap">here</span></a><span style="background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline;white-space:pre-wrap"> attempts to offer this flexibility.</span></p>
</li></ul>
<br>
<p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-family:Arial;color:rgb(14,16,26);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline;white-space:pre-wrap">Thanks again,</span></p>
<p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-family:Arial;color:rgb(14,16,26);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline;white-space:pre-wrap">Ryan</span></p>
</span><br>
</div>
<br>
<div>
<div dir="ltr">On Tue, May 2, 2023 at 4:44 PM Aaron Gable <<a href="mailto:aaron@letsencrypt.org" target="_blank">aaron@letsencrypt.org</a>> wrote:<br>
</div>
<blockquote style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div dir="ltr">Fair enough, thanks for the info! I'm convinced that explicitly disallowing indirect CRLs in this ballot is fine.
<div><br>
</div>
<div>Aaron</div>
</div>
<br>
<div>
<div dir="ltr">On Tue, May 2, 2023 at 2:00 AM Dimitris Zacharopoulos (HARICA) <<a href="mailto:dzacharo@harica.gr" target="_blank">dzacharo@harica.gr</a>> wrote:<br>
</div>
<blockquote style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<br>
<br>
On 27/4/2023 8:57 p.m., Aaron Gable via Servercert-wg wrote:<br>
> I believe that CAs have generally found that Delegated OCSP Signers <br>
> cause more trouble than they're worth, and the same is likely true for <br>
> Delegated CRL Issuers<br>
<br>
Hello Aaron,<br>
<br>
I don't think there is evidence to support this claim about delegated <br>
OCSP Signers. I am aware of a number of CAs that still use and prefer <br>
the delegated OCSP responder model over the pre-signed responses model.<br>
<br>
However, I am not aware of any CA that uses delegated CRL issuers and <br>
perhaps it's not even supported by the existing Browsers.<br>
<br>
<br>
Thanks,<br>
Dimitris.<br>
</blockquote>
</div>
</blockquote>
</div>
</div>
</div>
</div>
</div></blockquote></div>
</blockquote></div>
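Added example, not code from the thread, the ballot text, or any CA's tooling: a small Go lint over three points raised in Ryan's summary above, the indirect CRL prohibition (item 4), the "CRLDP unless an OCSP URI is present" rule (item 7), and the per-CRLDP sharding floor floated in item 6. The certificate population, its placeholder URLs and the 100-certificate floor are constructed assumptions; for real CRLs the input to IsIndirectCRL would be x509.RevocationList.Extensions as returned by Go's ParseRevocationList.

```go
package main

import (
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
)

// OID of the IssuingDistributionPoint CRL extension (RFC 5280, section 5.2.5).
var oidIssuingDistributionPoint = asn1.ObjectIdentifier{2, 5, 29, 28}

// issuingDistributionPoint mirrors RFC 5280: members are IMPLICITly context-tagged
// and OPTIONAL or DEFAULT FALSE, hence an explicit tag on every Go field.
type issuingDistributionPoint struct {
	DistributionPoint          asn1.RawValue  `asn1:"optional,tag:0"`
	OnlyContainsUserCerts      bool           `asn1:"optional,tag:1"`
	OnlyContainsCACerts        bool           `asn1:"optional,tag:2"`
	OnlySomeReasons            asn1.BitString `asn1:"optional,tag:3"`
	IndirectCRL                bool           `asn1:"optional,tag:4"`
	OnlyContainsAttributeCerts bool           `asn1:"optional,tag:5"`
}

// IsIndirectCRL reports whether CRL extensions assert the indirectCRL flag
// that the proposed CRL profile prohibits; malformed IDP data is an error.
func IsIndirectCRL(exts []pkix.Extension) (bool, error) {
	for _, e := range exts {
		if !e.Id.Equal(oidIssuingDistributionPoint) {
			continue
		}
		var idp issuingDistributionPoint
		rest, err := asn1.Unmarshal(e.Value, &idp)
		if err != nil {
			return false, fmt.Errorf("malformed IssuingDistributionPoint: %w", err)
		}
		if len(rest) != 0 {
			return false, fmt.Errorf("trailing bytes after IssuingDistributionPoint")
		}
		return idp.IndirectCRL, nil
	}
	return false, nil // no IDP extension at all: an ordinary direct CRL
}

// HasRevocationPointer applies the relaxed rule from item 7: a subscriber
// certificate must carry a CRLDP unless it already carries an OCSP URI.
func HasRevocationPointer(c *x509.Certificate) bool {
	return len(c.OCSPServer) > 0 || len(c.CRLDistributionPoints) > 0
}

// UndersizedShards monitors for the sharding concern in item 6: it counts
// certificates per CRLDP URL and returns shards with fewer than minPerShard.
func UndersizedShards(certs []*x509.Certificate, minPerShard int) map[string]int {
	perShard := map[string]int{}
	for _, c := range certs {
		for _, dp := range c.CRLDistributionPoints {
			perShard[dp]++
		}
	}
	small := map[string]int{}
	for dp, n := range perShard {
		if n < minPerShard {
			small[dp] = n
		}
	}
	return small
}

// IndirectIDP builds a constructed IssuingDistributionPoint extension with
// indirectCRL set, standing in for the extension list of a downloaded CRL.
func IndirectIDP() pkix.Extension {
	der, err := asn1.Marshal(issuingDistributionPoint{IndirectCRL: true})
	if err != nil {
		panic(err)
	}
	return pkix.Extension{Id: oidIssuingDistributionPoint, Critical: true, Value: der}
}

// SampleCerts is a constructed population (placeholder URLs, not real CA
// endpoints): three leaves on shard A, one on shard B, one OCSP-only, one bare.
func SampleCerts() []*x509.Certificate {
	shardA := &x509.Certificate{CRLDistributionPoints: []string{"http://crl.example.test/shard-a.crl"}}
	return []*x509.Certificate{
		shardA, shardA, shardA,
		{CRLDistributionPoints: []string{"http://crl.example.test/shard-b.crl"}},
		{OCSPServer: []string{"http://ocsp.example.test"}},
		{}, // neither pointer: violates the rule
	}
}

func main() {
	certs := SampleCerts()
	fmt.Println("bare cert carries a revocation pointer:", HasRevocationPointer(certs[5]))
	fmt.Println("shards below the 100-certificate floor:", UndersizedShards(certs, 100))
	indirect, err := IsIndirectCRL([]pkix.Extension{IndirectIDP()})
	fmt.Println("constructed CRL asserts indirectCRL:", indirect, "err:", err)
}
```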