[cabfpub] Ballot 173 - Removal of requirement to cease use of private key due to incorrect certificate info

Dean Coclin Dean_Coclin at symantec.com
Sat Jul 23 00:27:36 UTC 2016


Thanks Josh. So for clarification for others voting, the revised ballot includes the 45 day effective date.

-----Original Message-----
From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Josh Aas
Sent: Friday, July 22, 2016 7:49 PM
To: CABFPub <public at cabforum.org>
Subject: Re: [cabfpub] Ballot 173 - Removal of requirement to cease use of private key due to incorrect certificate info

To clarify, my YES vote includes the 45-day waiting period before the changes take effect.

All votes from this point on should be for the ballot as originally proposed but with a 45 day waiting period before the changes take effect. Thanks.

On Fri, Jul 22, 2016 at 4:30 PM, Josh Aas <josh at letsencrypt.org> wrote:
> Let's Encrypt votes YES
>
> On Thu, Jul 14, 2016 at 9:17 AM, Josh Aas <josh at letsencrypt.org> wrote:
>> Ballot 173 - Removal of requirement to cease use of private key due 
>> to incorrect certificate info
>>
>> The following motion has been proposed by Josh Aas of ISRG / Let's 
>> Encrypt. Ben Wilson of Digicert and Chris Bailey of Entrust endorse.
>>
>> Background:
>>
>> BR Section 9.6.3 point 5 says:
>>
>> "Reporting and Revocation: An obligation and warranty to promptly 
>> cease using a Certificate and its associated Private Key, and 
>> promptly request the CA to revoke the Certificate, in the event that: 
>> (a) any information in the Certificate is, or becomes, incorrect or 
>> inaccurate, or (b) there is any actual or suspected misuse or 
>> compromise of the Subscriber’s Private Key associated with the Public 
>> Key included in the Certificate;"
>>
>> There is a problem here, which is that this requires a subscriber to 
>> stop using a private key just because information in a certificate is 
>> inaccurate or incorrect. People should stop using a cert with 
>> inaccurate or incorrect information, but they shouldn't be required 
>> to stop using a key pair unless there is known or suspected compromise.
>>
>> This is particularly problematic for HPKP.
>>
>> --Motion Begins--
>>
>> Effective upon the date of passage, the following modifications are 
>> made to the Baseline Requirements:
>>
>> Change the following text in Section 9.6.3:
>> =======================
>> Reporting and Revocation: An obligation and warranty to promptly 
>> cease using a Certificate and its associated Private Key, and 
>> promptly request the CA to revoke the Certificate, in the event that: 
>> (a) any information in the Certificate is, or becomes, incorrect or 
>> inaccurate, or (b) there is any actual or suspected misuse or 
>> compromise of the Subscriber’s Private Key associated with the Public 
>> Key included in the Certificate;
>> =======================
>>
>> To:
>> =======================
>> Reporting and Revocation: An obligation and warranty to: (a) promptly 
>> request revocation of the Certificate, and cease using it and its 
>> associated Private Key, if there is any actual or suspected misuse or 
>> compromise of the Subscriber’s Private Key associated with the Public 
>> Key included in the Certificate; and (b) promptly request revocation 
>> of the Certificate, and cease using it, if any information in the 
>> Certificate is or becomes incorrect or inaccurate.
>> =======================
>>
>> --Motion Ends--
>>
>> The review period for this ballot shall commence at 2200 UTC on 14 
>> July 2016, and will close at 2200 UTC on 21 July 2016. Unless the 
>> motion is withdrawn during the review period, the voting period will 
>> start immediately thereafter and will close at 2200 UTC on 28 July 
>> 2016. Votes must be cast by posting an on-list reply to this thread.
>>
>> A vote in favor of the motion must indicate a clear 'yes' in the 
>> response. A vote against must indicate a clear 'no' in the response. 
>> A vote to abstain must indicate a clear 'abstain' in the response.
>> Unclear responses will not be counted. The latest vote received from 
>> any representative of a voting member before the close of the voting 
>> period will be counted. Voting members are listed here:
>> https://cabforum.org/members/
>>
>> In order for the motion to be adopted, two thirds or more of the 
>> votes cast by members in the CA category and greater than 50% of the 
>> votes cast by members in the browser category must be in favor. 
>> Quorum is currently ten (10) members – at least ten members must 
>> participate in the ballot, either by voting in favor, voting against, 
>> or abstaining.
>>
>> --
>> Josh Aas
>> Executive Director
>> Internet Security Research Group
>> Let's Encrypt: A Free, Automated, and Open CA
>
>
>
> --
> Josh Aas
> Executive Director
> Internet Security Research Group
> Let's Encrypt: A Free, Automated, and Open CA



--
Josh Aas
Executive Director
Internet Security Research Group
Let's Encrypt: A Free, Automated, and Open CA
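The HPKP concern raised in the ballot's background, shown as an added example that is not part of the ballot or of the list discussion: an HPKP pin-sha256 is computed over the certificate's SubjectPublicKeyInfo only, so a certificate revoked for incorrect subject information and reissued on the same key pair keeps its pin, whereas rotating the key changes it. The names and keys below are constructed test data, and `must`, `issue`, `spkiPin` and `ReissueKeepsPin` are this example's own helpers, not anything from the Baseline Requirements or from Let's Encrypt.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

// must panics on error: every input here is constructed test data, so failure is a bug.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
// issue builds a self-signed certificate naming cn for key; it stands in for a CA-issued one.
func issue(cn string, key *rsa.PrivateKey) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn}, // constructed placeholder name
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return must(x509.ParseCertificate(der))
}
// spkiPin is the HPKP pin-sha256 value: base64(SHA-256(DER SubjectPublicKeyInfo)), key only.
func spkiPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}
// ReissueKeepsPin models the ballot's case: a certificate with incorrect subject information is
// revoked and reissued. It reports whether the pin survives on the same key and after rotation.
func ReissueKeepsPin() (sameKey, newKey bool) {
	key := must(rsa.GenerateKey(rand.Reader, 2048))
	wrong := issue("wrong-name.example.test", key) // certificate carrying incorrect info
	fixed := issue("www.example.test", key)        // reissued on the same key pair
	rotated := issue("www.example.test", must(rsa.GenerateKey(rand.Reader, 2048)))
	return spkiPin(wrong) == spkiPin(fixed), spkiPin(wrong) == spkiPin(rotated)
}
func main() {
	same, rotated := ReissueKeepsPin()
	fmt.Println("pin kept with same key:", same, "| pin kept after key rotation:", rotated)
}
```

This is why the ballot separates the two cases: a subscriber who replaces only the certificate keeps every existing pin valid, while a forced key rotation would invalidate them.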