<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<br>
<br>
<div class="moz-cite-prefix">On 13/10/2021 4:44 PM, Ryan Sleevi
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:CACvaWvaYpeqJPhHzaD-Bvizy=NfiGymf+Qewq5UV7YfkLwaBvA@mail.gmail.com">
<div dir="ltr">
<div dir="ltr"><br>
</div>
<br>
<div class="gmail_quote">
<div dir="ltr" class="gmail_attr">On Wed, Oct 13, 2021 at 9:36
AM Dimitris Zacharopoulos (HARICA) &lt;<a
href="mailto:dzacharo@harica.gr" moz-do-not-send="true">dzacharo@harica.gr</a>&gt;
wrote:</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left:1px solid
rgb(204,204,204);padding-left:1ex">
<div> I assume that the majority of Members would be in
favor of making a requirement unambiguous in the BRs that
can be measured consistently across the board.</div>
</blockquote>
<div><br>
</div>
<div>Right, I think we're in agreement here, but your
restating it makes me think you may believe we're in
disagreement?</div>
</div>
</div>
</blockquote>
<br>
I wasn't sure because in your last comment you mentioned that some
Root Programs describe requirements in months to allow more
flexibility, and I got a feeling you didn't want to see more
specificity in the BRs. It appears that you re-confirmed it, so I
got a bit more confused but hopefully things will be clearer soon :)<br>
<br>
<blockquote type="cite"
cite="mid:CACvaWvaYpeqJPhHzaD-Bvizy=NfiGymf+Qewq5UV7YfkLwaBvA@mail.gmail.com">
<div dir="ltr">
<div class="gmail_quote">
<div> </div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left:1px solid
rgb(204,204,204);padding-left:1ex">
<div> I recommend we use this opportunity to fix the
existing bug in 4.9.10 and set a reasonable effective
date for CAs to update their validity period
configurations for CRLs and OCSP measured in days instead
of months. This may result in stricter requirements than
the existing Root program requirements (would that be a
first???) but this doesn't necessarily mean it is
problematic.<br>
</div>
</blockquote>
<div><br>
</div>
<div>I'm not sure I understand this point. I just tried to
explain why it'd be problematic, which is something we
discussed quite a bit several years ago, with feedback from
WebTrust in particular on this point about the misalignment
between days and calendrical events. Root programs took that
feedback into consideration, and that's why the approach I
mentioned specifically exists to reduce the risk of
compliance issues. It's unclear if you believe those
concerns to be unfounded or unnecessary, or if I just didn't
communicate this well.</div>
<div> </div>
</div>
</div>
</blockquote>
<br>
4.9.7 and 4.9.10 have a nextUpdate requirement for Root CRLs and
OCSP responses, and this is set for 12 months. Do we want the same
level of "accuracy" as the CRL/OCSP responses of Subordinate CAs? If
we do not, then we can focus on language about just the CRLs/OCSP
responses issued by "online" CAs, as Wayne has already done in the
proposed ballot, and there is no need to make further changes to the
BRs. <br>
<br>
If I understand your position, you believe we should be specific (to
the second) only for specific requirements, such as those linked to
RFC 5280 (validity of a certificate, validity period of a CRL/OCSP
response) and not the other cases (related to request tokens, audit
reports, etc). Is that accurate?<br>
<br>
<br>
Dimitris.<br>
</body>
</html>