[cabfpub] Concerns regarding Mozilla Root Program/Baseline Requirements

kirk_hall at trendmicro.com kirk_hall at trendmicro.com
Thu Aug 8 14:48:16 UTC 2013

Gerv, I'm trying to understand your points.  

The only certs in discussion are pre-BR certs (which by definition are not covered by the BRs).  They are expiring by their terms (validity period) every day, and no one has proposed extending their validity period.  Can you provide an example of "an extension of my argument," some action by a CA that is rekeying an existing BR, that could lead to serious problems?  What kind of pre-BR cert, if rekeyed (reissued) by the CA for the same expiration date, will cause some new problem?  I can't think of any.

So far as I know, the only "issue" in rekeying a pre-BR cert is whether or not the subscriber should be revetted - isn't the correct?  (For example, if the pre-BR cert is a 10 year cert issued several years ago.)  Is anyone else arguing that some other part of the BRs is so important it must be applied to any reissued / rekeyed pre-BR cert?  What?

It seems we are wasting a lot of time and cycles on this, when the problem/situation is going away on its own.

-----Original Message-----
From: Gervase Markham [mailto:gerv at mozilla.org] 
Sent: Thursday, August 08, 2013 1:55 AM
To: Kirk Hall (RD-US)
Cc: Ryan Sleevi; public at cabforum.org >> public at cabforum.org
Subject: Re: [cabfpub] Concerns regarding Mozilla Root Program/Baseline Requirements

On 08/08/13 03:05, kirk_hall at trendmicro.com wrote:
> Ryan, I think you are putting up a straw man argument when you imply 
> that CAs could cheat on all the BR rules by pretending they are simply 
> reissuing a pre-BR cert, so they don’t have to comply with anything.  
> To my knowledge, no one has done that or proposed that.

Indeed not. But Ryan's point is that the arguments being deployed here could be used to support such action for exactly the same reasons. If the BRs don't apply to reissues, as some are arguing, then they don't apply full stop. And if someone comes along later and wants to make them not apply to some other aspect of a reissue, one can hardly object.

> I believe that many CAs have always allowed a free reissue of an 
> outstanding cert in their subscriber agreements (for the remaining 
> certificate validity period only – not for any extended period) if 
> necessary due to a technical problem such as loss of private key.  So 
> the reissued (re-keyed) cert for the remaining validity period 
> presents no greater danger to the internet community than the 
> previously issued, pre-BR 10 year cert.  Does it?

The question of whether there is a risk for this particular change is a separate question to whether the BRs are intended to apply to reissues or not.

One possible outcome is that we clarify that the BRs apply to reissues entirely, but that we carve out an exception for certificate duration (or some other aspect) because we think that the risk of varying that particular aspect of certificates is not great.

> I can’t fully understand why some are acting as if there is a grave 
> danger from reissue/rekeying for the remaining validity period

I think that people are less concerned about that, and more concerned about the grave danger if your line of argument is accepted - because it proves too much.


<table class="TM_EMAIL_NOTICE"><tr><td><pre>
The information contained in this email and any attachments is confidential 
and may be subject to copyright or other intellectual property protection. 
If you are not the intended recipient, you are not authorized to use or 
disclose this information, and we request that you notify us by reply mail or
telephone and delete the original message from your mail system.

More information about the Public mailing list