[Cscwg-public] [EXTERNAL] Re: Updated CRL Revocation Date Clarification Pre-Ballot

Bruce Morton Bruce.Morton at entrust.com
Thu Oct 14 17:28:59 UTC 2021


FYI, I reached out to Oracle to confirm how Java handles the invalidity date and the response is, “In Java Web Start and Plug-in, with respect to signed code, if a certificate is revoked, we will not load that code, regardless of when it was revoked. In other words, we don't look at either the revocation date or the invalidity date. We simply don't trust it if it is revoked.”

So no conflict with proposed ballot.

Bruce.

From: Cscwg-public <cscwg-public-bounces at cabforum.org> On Behalf Of Dimitris Zacharopoulos (HARICA) via Cscwg-public
Sent: Monday, October 11, 2021 7:52 AM
To: cscwg-public at cabforum.org
Subject: [EXTERNAL] Re: [Cscwg-public] Updated CRL Revocation Date Clarification Pre-Ballot


I'm also happy to endorse this version of the ballot.

Dimitris.

On 6/10/2021 5:53 PM, Corey Bonnell via Cscwg-public wrote:
Hi Bruce,
Comments inline.

> When should we use revocationDate and revocation date OR invalidity date and invalidityDate? I think we should make the use consistent in this section.

Thanks for pointing this out; I went back and added “field” to the locations where the text is referring to the CRL/OCSP fields and also ensured that the locations where the fields aren’t being referenced have a space between “revocation”/“invalidity” and “date”.

> Do we want a footnote or a Note similar to what is done in the SSL BRs?

It looks like the TLS BRs use both conventions; I’m partial to footnotes since footnotes don’t interrupt the “flow” of the document with explainer text, but happy to change it to a “Note” if we want to use that convention in the CSBRs.

> It would be good to clarify if the effective date applies only to future revocations or all revocations. As such, could we state that “For Code Signing Certificates revoked on or after 2022-07-01, if the CA includes the Invalidity Date CRL entry extension …”

I tweaked the wording for the new requirement to make it clear it’s applicable to CRLs published on or after 2022-07-01, so historical revocation entries may need to be modified if they don’t match the profile.

Thanks,
Corey

From: Bruce Morton <Bruce.Morton at entrust.com>
Sent: Wednesday, October 6, 2021 9:57 AM
To: Corey Bonnell <Corey.Bonnell at digicert.com>; cscwg-public at cabforum.org
Subject: RE: Updated CRL Revocation Date Clarification Pre-Ballot

Hi Corey,

Rather than marking up the document, I have a few comments:


  1.  When should we use revocationDate and revocation date OR invalidity date and invalidityDate? I think we should make the use consistent in this section.
  2.  Do we want a footnote or a Note similar to what is done in the SSL BRs?
  3.  It would be good to clarify if the effective date applies only to future revocations or all revocations. As such, could we state that “For Code Signing Certificates revoked on or after 2022-07-01, if the CA includes the Invalidity Date CRL entry extension …”


Thanks, Bruce.

From: Cscwg-public <cscwg-public-bounces at cabforum.org> On Behalf Of Corey Bonnell via Cscwg-public
Sent: Wednesday, October 6, 2021 8:23 AM
To: cscwg-public at cabforum.org
Subject: [EXTERNAL] [Cscwg-public] Updated CRL Revocation Date Clarification Pre-Ballot

Hello,
Thank you to Rob, Bruce, and Dimitris for the valuable feedback on the original pre-ballot draft. I have incorporated the conclusions from our discussions on the list and the last call into the latest draft; please see the attached.

There were two changes:

  1.  There is now a footnote that better explains the rationale for using the revocationDate field to convey the “invalidity date”
  2.  The effective date for the Invalidity Date extension value change has been pushed back to July 1st, 2022.

Let me know if there are any questions or comments. Barring any further substantial changes, I think we’re ready at this point to look for two endorsers to push the ballot forward.

Thanks,
Corey
