[cabfpub] Ballot 194 – Effective Date of Ballot 193 Provisions

Ryan Sleevi sleevi at google.com
Tue Apr 4 01:26:01 UTC 2017

On Mon, Apr 3, 2017 at 9:17 PM, Chris Bailey <
Chris.Bailey at entrustdatacard.com> wrote:

> I checked with my legal team on this issue. The retroactive amendment of
> an earlier action by a later action is very common under the legal doctrine
> “nunc pro tunc” – no, I can’t speak Latin either, but it means “now for
> then”.  Retroactivity will be effective here not because of anything
> specific on retroactivity in our Bylaws, but from the fact that the second
> ballot we approve (Ballot 194) will by its terms completely override the
> conflicting parts of the earlier ballot we approved (Ballot 193) as of the
> effective date of the earlier ballot.  Because Ballot 194 says it is
> retroactive to the effective date of Ballot 193, that provision will fully
> apply once adopted by the Forum as a ballot following its Bylaws.

That's great that you checked, Chris, and I don't mean to be too overly
dismissive, but that's not how the CA/Browser Forum Baseline Requirements
are written, nor how it's operated.

It's a technical specification, and one every CA is obligated to state
compliance to the latest published version (which has undergone both voting
and IP review). You will be violating your CP/CPS if you attempt this
retroactive correction, and should receive a qualified audit because of it,
independent of Ballot 194, because of this.

> The good news is, members will know whether or not Ballot 194 has passed
> before Ballot 193 becomes effective, so there will not be any gap period.

This is not true. There is still the IPR review.

> Ballot 193 will become effective on April 22, assuming no Exclusion
> Notices are filed by then.  Ballot 194 will already have been passed by the
> members on April 16 (six days earlier), assuming it passes, so members will
> know that its retroactivity provisions were approved and will likely take
> effect as of about May 16, assuming no Exclusion Notices are filed for
> Ballot 194 during its Review Period.

This is misstating the agreed-upon process for ballots. Until it's
completed the IP Review, it's not adopted.

> Because both Ballots 193 and 194 cover the same BR section - BR 4.2.1 -
> if there are no Exclusion Notices filed for Ballot 193, there probably
> won’t be any Exclusion Notices filed for Ballot 194 either.

That's not something the Forum members can or should be stating.

> As noted before, the proposer and endorsers for Ballot 193 meant for all
> changes to be effective at the same time, March 1, 2018.  As to the reuse
> of validation data, clarifying that the effective date is March 1, 2018 and
> not April 22, 2017 makes sense for two main reasons:
> (1) CA validation systems have complex rules in their code that track the
> collection date of validation data (sometimes on a document-by-document
> basis), and the code includes internal clocks that tell the CA when a piece
> of validation data must be revalidated.  CAs will need to change that code
> so revalidation of data is required after 825 days instead of 39 months –
> this is a significant project that must be done correctly, and developers
> are already pretty busy with other major changes like CT logging for all
> certificates and CAA implementation.

This suggests that CAs are poorly designing their software and/or poorly
staffing engineering. I suspect both.

> (2) In addition, telling CA vetting teams that as of April 22 they can no
> longer use properly-collected OV and DV certificate validation data that is
> more than 825 days old (but still within the previous 39 month limit for
> reuse) will force a massive amount of data revalidation all at once –
> potentially a 50% workload increase for OV and DV certs starting all on a
> single day.  This is an undesirable outcome that was never intended by the
> ballot authors.  Instead, it’s better for both the shorter certificate
> validity period and the shorter validation data reuse period to take effect
> at the same time – March 1, 2018 – so that CAs can plan ahead.

I'm sorry, but it has yet to be demonstrated how this can be true. Nothing
requires all of this information be revalidated on a single day. On April
22, when it comes into effect, you only need to revalidate new
certificates. This is no different than if you were to acquire a new
customer on April 22. There is nothing in Ballot 193 that requires a full
re-validation as you've described.

> Ballots 193/194 represent a meaningful advance for user security by
> reducing certificate validity and data reuse periods from 39 months to 825
> days.  Let’s chalk up that “win” and move on to the other issues we’re
> discussing for further security advances.

As proposed, it's a negative for security. Let's focus on making real