<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<br>
<br>
<div class="moz-cite-prefix">On 3/5/2023 11:41 PM, Aaron Gable
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:CAEmnErfHB5h_i0pDGmd_OBbXXZJMg36sqzZ-tnvUTeM+Jw-o+g@mail.gmail.com">
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<div dir="ltr">Oh wait, I did have one additional thought:
<div><br>
</div>
<div>I'm not in favor of allowing CRLs to remain non-updated for
7 days because that is a regression from current OCSP
behavior. Section 4.9.10.(4) makes it so that updated
revocation information is always available "no later than four
days after the thisUpdate". Therefore, a CA operating in a
CRLs-only mode should be required to update their CRLs at
least once every 4 days.</div>
</div>
</blockquote>
<br>
Sounds good to me. More comments below.<br>
<br>
<blockquote type="cite"
cite="mid:CAEmnErfHB5h_i0pDGmd_OBbXXZJMg36sqzZ-tnvUTeM+Jw-o+g@mail.gmail.com">
<div dir="ltr">
<div><br>
</div>
<div>Thanks, and apologies for double-posting,</div>
<div>Aaron</div>
<div><br>
</div>
</div>
<br>
<div class="gmail_quote">
<div dir="ltr" class="gmail_attr">On Wed, May 3, 2023 at 1:26 PM
Aaron Gable via Servercert-wg <<a
href="mailto:servercert-wg@cabforum.org"
moz-do-not-send="true" class="moz-txt-link-freetext">servercert-wg@cabforum.org</a>>
wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div dir="ltr">
<div dir="ltr">Apologies for how long this has run on, and
thank you for the great discussion as well!
<div><br>
</div>
</div>
<div class="gmail_quote">
<div dir="ltr" class="gmail_attr">On Wed, May 3, 2023 at
1:49 AM Dimitris Zacharopoulos (HARICA) <<a
href="mailto:dzacharo@harica.gr" target="_blank"
moz-do-not-send="true" class="moz-txt-link-freetext">dzacharo@harica.gr</a>>
wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left:1px solid
rgb(204,204,204);padding-left:1ex">
<div><br>
I explained when the clock starts. A CA would have
evidence to show when it marked a certain certificate
as revoked, and when the CRL containing that entry was
issued.<br>
</div>
</blockquote>
<div><br>
</div>
<div>I guess this is largely a question of semantics,
then. I agree that it should generally be possible for a
CA to know when it "decided" to revoke a certificate,
when it "marked" that certificate as revoked in an
internal database, or took some similar action. But I
think there's plenty of precedent on this list and in
Bugzilla tickets that doing so does not count as
"revoking" the certificate -- that doesn't happen until
signed statements of revocation (OCSP or CRL) are widely
published.</div>
<div><br>
</div>
<div>So if we want to have a requirement like you propose,
I would ask that it use some phrasing other than .
Perhaps something like "The CA MUST update and reissue
CRLs at least 1) once every 7 days; or 2) within 24
hours after conclusively determining that a certificate
within that CRL's scope must be revoked." I don't love
that phrasing, as it introduces a new term of art
"conclusively determining" similar to the existing and
hotly-debated "becomes aware", but I like it better than
"with 24 hours after revoking".</div>
<div><br>
</div>
<div>And yes, I take issue with the way the requirement
for Subordinate CA Certificates is phrased today :) I'd
like to change both!</div>
</div>
</div>
</blockquote>
</div>
</blockquote>
<br>
I support that approach to change both for consistency. Perhaps
something like:<br>
<br>
"The CA MUST update and reissue CRLs at least 1) once every 7 days;
or 2) within 24 hours after <strike>conclusively </strike><strike>determining</strike>
<b>recording </b>that a certificate <strike>within that CRL's
scope </strike>must be revoked."<br>
<br>
I prefer to use the word "record" which should leave a trace if
needed. I also removed "within that CRL's scope" because it seems
obvious that we are discussing the CRL associated with a
specific CA. Other suggestions for the language are welcome :)<br>
<br>
<blockquote type="cite"
cite="mid:CAEmnErfHB5h_i0pDGmd_OBbXXZJMg36sqzZ-tnvUTeM+Jw-o+g@mail.gmail.com">
<div class="gmail_quote">
<blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div dir="ltr">
<div class="gmail_quote">
<div><br>
</div>
<div><br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left:1px solid
rgb(204,204,204);padding-left:1ex">
<div> This cannot apply in all cases described in
4.9.1.1. It would probably make sense to apply in
cases where the Subscriber requests the revocation
after proper authentication, in which case the CA
probably doesn't need to do any investigation.<br>
</div>
</blockquote>
<div><br>
</div>
<div>Heh, we're in agreement here; that's exactly what I
meant by "Paragraph 1", i.e. the enumerated point
beginning "1. The Subscriber requests in writing...". I
guess "4.9.1.1(1)" is what I should have said.</div>
<div> </div>
<div>I think that Ryan Dickson's proposed set of ballot
updates (<a
href="https://github.com/ryancdickson/staging/pull/3"
target="_blank" moz-do-not-send="true"
class="moz-txt-link-freetext">https://github.com/ryancdickson/staging/pull/3</a>,
from the other thread discussing this ballot) go a long
way towards addressing concerns brought up by both of
us. I've left specific comments on that PR, as a way to
laser-focus this discussion onto specifics of phrasing.</div>
</div>
</div>
</blockquote>
</div>
</blockquote>
<br>
I will try to review and respond to Ryan's proposed updates next
week.<br>
<br>
<br>
Thanks,<br>
Dimitris.<br>
<br>
<blockquote type="cite"
cite="mid:CAEmnErfHB5h_i0pDGmd_OBbXXZJMg36sqzZ-tnvUTeM+Jw-o+g@mail.gmail.com">
<div class="gmail_quote">
<blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div dir="ltr">
<div class="gmail_quote">
<div><br>
</div>
<div>Aaron</div>
</div>
</div>
_______________________________________________<br>
Servercert-wg mailing list<br>
<a href="mailto:Servercert-wg@cabforum.org" target="_blank"
moz-do-not-send="true" class="moz-txt-link-freetext">Servercert-wg@cabforum.org</a><br>
<a
href="https://lists.cabforum.org/mailman/listinfo/servercert-wg"
rel="noreferrer" target="_blank" moz-do-not-send="true"
class="moz-txt-link-freetext">https://lists.cabforum.org/mailman/listinfo/servercert-wg</a><br>
</blockquote>
</div>
</blockquote>
<br>
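As an added example (not code from this thread or from the CA/B Forum), a stdlib Python check that a CA could run over its own issuance log to test the wording discussed above: at most 7 days between CRL issuances, at most 24 hours from recording that a certificate must be revoked to the first CRL that could carry the entry, and the 4-day figure from 4.9.10 (4) as a stricter cadence. The timestamps and serial numbers are constructed sample data.<br>

```python
"""Cadence check for the CRL reissuance rule discussed in the thread.

The two default limits encode the proposed wording: reissue at least once
every 7 days, and within 24 hours after recording that a certificate must
be revoked. OCSP_PARITY_INTERVAL is the 4-day figure from BR 4.9.10 (4),
so the same log can also be checked against the stricter cadence.
"""
from datetime import datetime, timedelta, timezone

MAX_CRL_INTERVAL = timedelta(days=7)
OCSP_PARITY_INTERVAL = timedelta(days=4)
MAX_PUBLICATION_LAG = timedelta(hours=24)


def _utc(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M").replace(tzinfo=timezone.utc)


def check_crl_cadence(crl_issuances, revocation_records,
                      max_interval=MAX_CRL_INTERVAL, max_lag=MAX_PUBLICATION_LAG):
    """Return a list of findings (dicts with a 'kind' key); empty means compliant."""
    findings = []
    issued = sorted(crl_issuances)
    # Rule 1: no gap between consecutive CRLs may exceed max_interval.
    for prev, cur in zip(issued, issued[1:]):
        if cur - prev > max_interval:
            findings.append({"kind": "stale_crl", "from": prev, "to": cur, "gap": cur - prev})
    # Rule 2: the first CRL issued at or after the recorded revocation must
    # appear within max_lag of the record; no such CRL yet is also a finding.
    for serial, recorded in revocation_records:
        published = next((t for t in issued if t >= recorded), None)
        if published is None:
            findings.append({"kind": "unpublished", "serial": serial, "recorded": recorded})
        elif published - recorded > max_lag:
            findings.append({"kind": "late_publication", "serial": serial, "lag": published - recorded})
    return findings


# Constructed sample log (hypothetical CA, not real data).
SAMPLE_CRLS = [_utc("2023-05-01 00:00"), _utc("2023-05-05 12:00"), _utc("2023-05-13 00:00")]
SAMPLE_REVOCATIONS = [
    ("0A", _utc("2023-05-04 00:00")),  # 36h before the next CRL: late under the 24h rule
    ("0B", _utc("2023-05-05 06:00")),  # 6h before the next CRL: compliant
    ("0C", _utc("2023-05-14 00:00")),  # no CRL issued after the record yet
]

if __name__ == "__main__":
    for f in check_crl_cadence(SAMPLE_CRLS, SAMPLE_REVOCATIONS):
        print(f)
    for f in check_crl_cadence(SAMPLE_CRLS, [], max_interval=OCSP_PARITY_INTERVAL):
        print("4-day cadence:", f)
```

With the 7-day limit the sample log yields one stale gap (7.5 days) plus one late and one unpublished entry; with the 4-day limit both gaps are flagged.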
</body>
</html>