[Cscwg-public] Subscriber Private Key Protection Deadline Update

Martijn Katerbarg martijn.katerbarg at sectigo.com
Wed Sep 7 20:19:52 UTC 2022


Ian,

Thank you for the explanation regarding a new target date.

It does seem we’re already on a tight schedule to propose and get through the approval process of a potential ballot. Let’s not forget that until we get this through a vote (if brought to a ballot), CAs and Subscribers will still be working on trying to make the existing deadline.

I would like to suggest we also update the language in such a way that any CA wanting to keep going on their current schedule should be able to. We could possibly do this by changing the current SHALLs to MAYs, adding a SHOULD for possibly June, and a SHALL for October. (I’m generalizing here; obviously we need to be clear in the actual language.)

Regarding the SHALL, I can’t help but wonder if we should use the word RECOMMENDED instead. While it has the same meaning according to RFC2119, I can’t help but believe recommended puts a stronger point to it. I’ll gladly help out on a proposed textual change to bring this forward if need be.

Thanks,

Martijn

 

From: Cscwg-public <cscwg-public-bounces at cabforum.org> On Behalf Of Ian McMillan via Cscwg-public
Sent: Wednesday, 7 September 2022 18:04
To: Tim Hollebeek <tim.hollebeek at digicert.com>; cscwg-public at cabforum.org
Subject: Re: [Cscwg-public] Subscriber Private Key Protection Deadline Update

Thanks Tim! In general, I agree with your perspective on the “SHOULD”, and I am trying to find something that would help alleviate the last-minute rush to meet the deadline.

On the October date reasoning, I look at the typical release timelines for new tooling (e.g. SDKs) and significant platform updates coming in the fall season, so I’d like to try and align closely with when releases are coming out that are precluded by many folks making changes to address new tools or features coming in those releases cycles. October is also a time focused on getting right before the deployment/change freezes for services and pipelines that are commonly seen in the November and December time periods. This was the similar reasoning we had for the November date when we initially started discussing the changes for subscriber private key protections, but with the landing of v2.8 later than initially expected and the feedback, October 2023 seems like the best time to help alleviate the stress for those that run up to the deadline.

Thanks,

Ian

 

From: Tim Hollebeek <tim.hollebeek at digicert.com>
Sent: Wednesday, September 7, 2022 11:05 AM
To: Ian McMillan <ianmcm at microsoft.com>; cscwg-public at cabforum.org
Subject: [EXTERNAL] RE: Subscriber Private Key Protection Deadline Update

I’m normally very supportive of SHOULD requirements, but for a deadline like this, I can unfortunately guarantee that including a June SHOULD date will have absolutely no practical effect. Instead, I would support any and all proposals people can think of for disincentivizing people from waiting until the last minute. It’s an important problem and one I wish we had better ways of dealing with.

-Tim

 

From: Cscwg-public <cscwg-public-bounces at cabforum.org> On Behalf Of Ian McMillan via Cscwg-public
Sent: Wednesday, September 7, 2022 10:57 AM
To: cscwg-public at cabforum.org
Subject: [Cscwg-public] Subscriber Private Key Protection Deadline Update

Hi Folks,

Since the announcement of the new subscriber private key protection requirements in CSBR v2.8 (Ballot CSC-13), I’ve fielded a number of questions and feedback on the November 15, 2022 deadline. I feel it is in the best interest of subscribers and CAs to delay this deadline to be October 1, 2023 for a number of reasons.

1. Subscriber & CA readiness time window from v2.8 to the November 15, 2022 deadline is too tight.
2. The November 15, 2022 deadline lands too close to typical end of calendar year deployment or change “freeze” periods.
3. The current global economic state makes investments a challenge and added operational budget pressure for all parties (subscribers, CAs, certificate consumers).
4. Supply chain challenges make obtaining the proper key protection solution by November 15, 2022 increasingly difficult.

Given the accumulation of challenges for both subscribers and CAs, I feel we need to delay the deadline. That said, I’d like to propose we have a “SHOULD” date of June 1, 2023, and a “MUST” date of October 1, 2023. I believe this will allow CAs and subscribers to begin adoption of the new private key protection requirements ahead of the enforcement deadline of October 1, 2023.

I’d like to discuss this as an immediate ballot in the next WG meeting scheduled for September 8, 2022.

Cheers,

Ian McMillan
