[cabfpub] Allowing SHA-1 OCSP and CRL signatures past 2016

Kirk Hall Kirk.Hall at entrustdatacard.com
Wed Oct 26 15:16:15 MST 2016


Thanks Geoff.   To clarify, the request for the change is not being made by my company, Entrust.  I am processing this request from GoDaddy in my role as Chair.

-----Original Message-----
From: geoffk at apple.com [mailto:geoffk at apple.com] 
Sent: Wednesday, October 26, 2016 12:15 PM
To: Ryan Sleevi <sleevi at google.com>
Cc: Kirk Hall <Kirk.Hall at entrustdatacard.com>; CABFPub <public at cabforum.org>
Subject: Re: [cabfpub] Allowing SHA-1 OCSP and CRL signatures past 2016

I don’t see the urgency here.  If we follow regular process (that is, allow ballot 180 to complete, and then propose ballot 184 in mid-January), it can be complete by end February.  This means you can’t issue new OCSP signing certificates for a 2-month period, but considering that Entrust’s OCSP certificates appear to be valid for 3 years, it doesn’t seem like a huge imposition to ask you to check for any that expire in, say, the first half of 2017 and if so generate a new one before the end of the year.

> On 26 Oct. 2016, at 11:49 am, Ryan Sleevi via Public <public at cabforum.org> wrote:
> 
> On Wed, Oct 26, 2016 at 11:45 AM, Kirk Hall <Kirk.Hall at entrustdatacard.com> wrote:
> > I think we may be making too much of all this.  If we have both an old style ballot to make the change now following the procedures in our Bylaws and our past practices, at the very least we will have added the change to our Draft Guidelines with everything else.
> > 
> > If we simultaneously add the change to Ballot 180, we will also be following the procedures in our IPR Policy and our new practices, and Ballot 180, once adopted on Jan. 7 will effectively override the previous old style ballot.  We would move faster if we could on Ballot 180 to avoid having to follow this process, but it’s not possible.
> 
> Can you explain what you mean by "simultaneously"? I tried to highlight the issue with your proposal before, but perhaps it would be better if you restate.
> 
> We can do several things, but as I see it, your suggestion of "simultaneous" is to vote on 184 while also modifying 180. This implies that the results of 184 are irrelevant for the modification of 180, which seems a dangerous precedent to set, and otherwise pointless to vote on 184.
> 
> If you mean that 180 follows the completion of 184, then it means withdrawing 180, as I explained previously. That's fine, it just means delaying it.
> 
> > So it’s win-win, and I see no harm from following a dual track for this single time-sensitive issue.  Remember also that the purpose of our IPR Policy is to detect whether or not there are potential IP claims relating to a draft guideline – in this case, I don’t see how Wayne’s proposed amendment could possibly impact anyone’s claimed IP.
> 
> I appreciate your perspective, but I don't believe your perspective provides the legal assurances that members want, and for which our IPR policy is designed to assure. That's the point - we shouldn't be speculating about IP impact, we should follow a consistent process.