[cabfpub] Allowing SHA-1 OCSP and CRL signatures past 2016
sleevi at google.com
Wed Oct 26 10:38:12 MST 2016
On Wed, Oct 26, 2016 at 10:02 AM, Jeremy Rowley <jeremy.rowley at digicert.com>
> It’s important because a draft guideline isn’t non-binding on the CAB
> Forum membership. The bylaws clearly spell out how a ballot takes place:
> (c) A representative of any Member can call for a proposed ballot to be
> published for review and comment by the membership. Any proposed ballot
> needs two endorsements by other Members in order to proceed. The review
> period then shall take place for at least seven calendar-days before votes
> are cast.
> (d) The CA/Browser Forum shall provide seven calendar-days for voting,
> with the deadline clearly communicated via the members’ electronic mailing
> list. All voting will take place online via the members’ electronic mailing
> (g) A ballot result will be considered valid only when more than half of
> the number of currently active members has participated. The number of
> currently active members is the average number of member organizations that
> have participated in the previous three meetings (both teleconferences and
> face-to-face meetings).
> This tells me the ballot is effective when passed. The IPR spells out how
> to handle IP claims, not when a ballot becomes effective. After the ballot
> passes, we have a 60 day window to review and submit disclosure statements,
> which is handling the IP issues, not the effectiveness of the previous
> ballot. This is the issue I was trying to point out in the face to face.
> Ballot 169 passed and is required by the membership under the bylaws but
> has not finished the IP review. Although it’s still technically a “draft
> guideline” until the IPR finishes, there’s nothing in the bylaws or IPR
> (that I’m aware of) that says a draft ballot isn’t a binding requirement on
> the membership if that draft has been voted on using the process set up in
> the bylaws.
This seems to be a substantially different interpretation of the workflow
than previously (or currently) being advanced with respect to Ballot
180/181/182. While it may not be wrong, I think it's worth highlighting
this element of disagreement, especially with the workmode that has been
described within our IPR policy.
In it, you're advocating Ballot, then Review, then adoption. However,
Virginia has, on several calls now, put forward an interpretation that
suggests Review, then Ballot - under the view that members can't vote to
adopt what they don't know is encumbered.
For what it's worth, I'm exceptionally sympathetic to your view, as I think
it engages a more productive work model - the Forum, through the
Contributions of it members, produces a Ballot that amends an existing
(Draft, Final) Guideline. Should the Ballot pass, it becomes an
(unapproved) Final or Final Maintenance Guideline, triggering the IPR
review period (of 30 to 60 days). If that review period completes, without
issue, it is approved as a Final/FMG. If there is an issue, a PAG is
convened. This interpretation is supported by 7.1's PAG formation
describing working on a "Final Guideline" or "Final Maintenance Guideline"
- which is only possible if a ballot has succeeded, but the FG/FMG is
unapproved (due to the IPR issue).
However, the counter-view that's been expressed is that the interpretation
of the IPR policy's clause, in 4.1, of "Prior to the approval of",
indicates that the Review Notice period happens before the Ballot. This is
what has been discussed several times, and the discussions related to Straw
Polls in order to reduce the need for legal engagement with counsel for
ballots that will not be adopted by the Forum. In this interpretation,
because the PAG may require modification to the documents in order to
address concerns - up to and including removing the Essential Claim from
the FG/FMG - then it's natural to state that the documents cannot be
balloted until after the PAG has formed.
I highlight this distinction because I think it's key to understanding what
we view the input documents to such a ballot as, which directly affects the
Review Notice period.
The current suggestion, as I understand it, is to treat the ballots prior
to 180 as, effectively, Draft Guidelines (due to the inconsistencies in the
IPR policy), re-adopt this as Final Guidelines with a 60 day review, and
then Ballots 181 and 182 represent Final Maintenance Guidelines, using the
latter interpretation (IPR Review -> Ballot).
As such, it creates a conflict for what an OCSP Ballot 184 would be on - if
we accept the current documents are Draft Guidelines, as 180 suggests, then
1) We don't necessarily need ballots for Draft Guidelines. That's not to
say we can't, but simply the DG is a "non-binding" document, because it
hasn't undergone the IPR review that would allow for its approval as a
Final Guideline. I use quotes here, because we know root stores view the
situation as binding (from the POV of root programs), but it's not an
Officially Approved CABForum work product - much like the code signing docs.
2) If we accept the goal is to ensure it becomes an FG, then we need a 60
day IPR review policy to transition from DG to FG, and that doesn't address
the timing concern.
Again, I'm not trying to suggest that a Ballot to formally judge members'
reactions to such a change is, but I don't think the output of such a
ballot will be an FG/FMG, which I believe is the interpretation Kirk was
implying in his suggestion of doing it in the "old" fashion. Instead, it
would be another DG.
If we accept the output is a DG, then either we're producing two DGs (the
input to Ballot 180, and the output of Ballot 184 OCSP), or we're ignoring
the results of Ballot 184 and simply assuming they'll pass - as I believe
Kirks' suggestion to modify the input of Ballot 180 represents.
That's why I was trying to offer a more concrete, unambiguous path:
- Strawpoll to modify the DG that is input to Ballot 180 to accomodate
- If we conduct the Strawpoll using the same voting period as an actual
Ballot (7 day review, 7 day vote), then it means withdrawing and
resubmitting Ballot 180, since it would already be after the voting period
- Otherwise, we conduct a compressed strawpoll (and you've already heard
explicit and implicit support from at least 3 vendors, so it doesn't seem
this would be a bad thing)
- Integrating that result into Ballot 180
- Voting on Ballot 180 to transition from a DG to an FG with full IPR review
Have I misunderstood both the justification of Ballot 180 and the differing
views expressed so far about the IPR policy and workmode? It may be an
oversimplified summary of the different interpretations, but I believed at
this point, consensus (explicit and implicit) had settled on the latter
workmode of "Review -> Ballot", as advanced by Virginia.
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Public