[cabfpub] Allowing SHA-1 OCSP and CRL signatures past 2016
Kirk.Hall at entrustdatacard.com
Wed Oct 26 11:45:23 MST 2016
I think we may be making too much of all this. If we have both an old style ballot to make the change now following the procedures in our Bylaws and our past practices, at the very least we will have added the change to our Draft Guidelines with everything else.
If we simultaneously add the change to Ballot 180, we will also be following the procedures in our IPR Policy and our new practices, and Ballot 180, once adopted on Jan. 7 will effectively override the previous old style ballot. We would move faster if we could on Ballot 180 to avoid having to follow this process, but it’s not possible.
So it’s win-win, and I see no harm from following a dual track for this single time-sensitive issue. Remember also that the purpose of our IPR Policy is to detect whether or not there are potential IP claims relating to a draft guideline – in this case, I don’t see how Wayne’s proposed amendment could possibly impact anyone’s claimed IP.
From: Jeremy Rowley [mailto:jeremy.rowley at digicert.com]
Sent: Wednesday, October 26, 2016 11:39 AM
To: Ryan Sleevi <sleevi at google.com>
Cc: Kirk Hall <Kirk.Hall at entrustdatacard.com>; CABFPub <public at cabforum.org>
Subject: RE: [cabfpub] Allowing SHA-1 OCSP and CRL signatures past 2016
“ - If we say "No, not until it's been affirmed by a Ballot", but do not wait until the completion of the Review Period, then its possible that auditors will incorporate IP-encumbered requirements within their audit criteria, and any CA that fails to license such technology may be at risk of receiving a qualified audit.“
This is already true. Right now, under Virginia’s interpretation, absolutely nothing in the BRs/EV guidelines is final since adoption of the IPR because we have never had a PAG meet despite receiving exclusion notices. We’re already in the weird limbo state with respect to everything. We have no idea whether material covered by IP has been introduced into the guidelines because the IPR didn’t require that the IP holder identify which section was affected. We did during the last ballot, but this was limited in scope to the methods proposed in 169.
From: Ryan Sleevi [mailto:sleevi at google.com]
Sent: Wednesday, October 26, 2016 12:21 PM
To: Jeremy Rowley <jeremy.rowley at digicert.com<mailto:jeremy.rowley at digicert.com>>
Cc: Kirk Hall <Kirk.Hall at entrustdatacard.com<mailto:Kirk.Hall at entrustdatacard.com>>; CABFPub <public at cabforum.org<mailto:public at cabforum.org>>
Subject: Re: [cabfpub] Allowing SHA-1 OCSP and CRL signatures past 2016
On Wed, Oct 26, 2016 at 11:00 AM, Jeremy Rowley <jeremy.rowley at digicert.com<mailto:jeremy.rowley at digicert.com>> wrote:
I’m not sure if there is consensus on Virigina’s interpretation. We haven’t even had a straw poll to agree/disagree on the issue.
That’s my interpretation more or less with one point. I don’t see a draft guideline that hasn’t completed the IPR as non-binding. The difference between a “draft guideline” and “final guideline” is purely an IPR semantic where a draft simply hasn’t undergone the exclusion notice period. This does nothing to affect the legitimacy of the ballot passed using the process described in the bylaws. The definition of a draft ballot is only that the IP status is unknown.
The consequence of this interpretation is whether you expect auditors to have their criteria reflect DGs or FGs.
If OCSP Ballot 184 produces another DG, then I don't believe it's something we'd want to suggest auditors incorporate into their criteria, or use that to influence their opinions of finding, because effectively any member can produce a DG at any time. What's meaningful and matters is whether it's formally approved as an FG/FMG - which, in both interpretations, and as stated in the IPR policy, can only happen after the review period.
I think using terms like 'binding' and 'legitimacy' are perhaps going to distract from the issue - since binding is a property of root programs' expectations (and the associated audit criteria), and 'legitimacy' is a matter of following the Bylaws and IPR Policy.
As a concrete example of potential problems with this interpretation:
If a member produces a DG that says "Do whatever you want", should auditors incorporate that into their audit criteria?
- If we say "yes", well, we're doomed
- If we say "No, not until it's been affirmed by a Ballot", but do not wait until the completion of the Review Period, then its possible that auditors will incorporate IP-encumbered requirements within their audit criteria, and any CA that fails to license such technology may be at risk of receiving a qualified audit.
That's why I think, independent of Ballot -> Review or Review -> Ballot, the ability to incorporate into auditable criteria and guidance can only be done after the completion of both. If we're in agreement there, then we're back to the question of whether or not the combination can complete in sufficient time.
The only way to reduce the Review Period is to take a view that an OCSP Ballot 184 is an FMG, meaning 30 day review, since if it's a DG/FG, the review period is 60 days.
So in order to meet Wayne's need, without setting a dangerous precedent as explained with the example above, we'd have to interpret it as an FMG, but I believe the discussion to date does not support that interpretation, because there's no clear FG to be used as the input to OCSP Ballot 184.
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Public