[cabfpub] Public Digest, Vol 64, Issue 88

Leo Grove leo at ssl.com
Wed Aug 30 22:45:11 UTC 2017 

SSL.com votes Yes

Leo


On 8/30/2017 4:41 PM, public-request at cabforum.org wrote:
> Send Public mailing list submissions to
> 	public at cabforum.org
>
> To subscribe or unsubscribe via the World Wide Web, visit
> 	https://cabforum.org/mailman/listinfo/public
> or, via email, send a message with subject or body 'help' to
> 	public-request at cabforum.org
>
> You can reach the person managing the list at
> 	public-owner at cabforum.org
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Public digest..."
>
>
> Today's Topics:
>
>     1. Re: Ballot 212: Canonicalise formal name of the Baseline
>        Requirements (Curt Spann)
>     2. Re: **Voting has started on Ballot 212: Canonicalise formal
>        name of the Baseline Requirements** (Gervase Markham)
>     3. Re: Revocation ballot v2 (Jeremy Rowley)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Wed, 30 Aug 2017 14:08:41 -0700
> From: Curt Spann <cspann at apple.com>
> To: CA/Browser Forum Public Discussion List <public at cabforum.org>
> Subject: Re: [cabfpub] Ballot 212: Canonicalise formal name of the
> 	Baseline Requirements
> Message-ID: <96703AE1-A45B-477F-9A06-615CBE4FF612 at apple.com>
> Content-Type: text/plain; charset="us-ascii"
>
> Apple votes Yes.
>
> Curt
>
>> On Aug 18, 2017, at 8:06 AM, Gervase Markham via Public <public at cabforum.org> wrote:
>>
>> Ballot 212: Canonicalise formal name of the Baseline Requirements
>> Purpose of Ballot: to make the formal name of the Baseline Requirements document clear, as use is not currently consistent.
>> The following motion has been proposed by Gervase Markham of Mozilla and endorsed by Jeremy Rowley of DigiCert and Ryan Sleevi of Google:
>>
>> -- MOTION BEGINS --
>>
>> The official name of the Baseline Requirements document shall be 'The Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates'. Approved abbreviations for official use are "the Baseline Requirements", and "the BRs".
>>
>> Editors and maintainers of CAB Forum documents and websites are empowered to update text under their control at any time to make this so.
>> -- MOTION ENDS --
>>
>> The procedure for approval of this ballot is as follows:
>>
>>
>>
>> Start time (22:00 UTC)
>>
>> End time (22:00 UTC)
>>
>> Discussion (7 to 14 days)
>>
>> 18 Aug
>> 25 Aug
>> Vote for approval (7 days)
>>
>> 25 Aug
>> 1 Sep
>>
>>
>>
>> Votes must be cast by posting an on-list reply to this thread on the Public list. A vote in favor of the motion must indicate a clear 'yes' in the response. A vote against must       indicate a clear 'no' in the response. A vote to abstain must indicate a clear 'abstain' in the response. Unclear responses will not be counted. The latest vote received from any representative of a voting member before the close of the voting period will be counted. Voting members are listed here: https://cabforum.org/members/ <https://cabforum.org/members/>In order for the motion to be adopted, two thirds or more of the votes cast by members in the CA category and greater than 50% of the votes cast by members in the browser category must be in favor. Quorum is shown on CA/Browser Forum wiki. Under Bylaw 2.2(g), at least the required quorum number must participate in the ballot for the ballot to be valid, either by voting in favor, voting against, or abstaining.
>> _______________________________________________
>> Public mailing list
>> Public at cabforum.org
>> https://cabforum.org/mailman/listinfo/public
> -------------- next part --------------
> An HTML attachment was scrubbed...
> URL: <http://cabforum.org/pipermail/public/attachments/20170830/be92842b/attachment-0001.html>
>
> ------------------------------
>
> Message: 2
> Date: Wed, 30 Aug 2017 22:10:49 +0100
> From: Gervase Markham <gerv at mozilla.org>
> To: Kirk Hall <Kirk.Hall at entrustdatacard.com>, CA/Browser Forum Public
> 	Discussion List <public at cabforum.org>
> Subject: Re: [cabfpub] **Voting has started on Ballot 212:
> 	Canonicalise formal name of the Baseline Requirements**
> Message-ID: <8d1180a3-beaf-5982-6136-99e36468b11a at mozilla.org>
> Content-Type: text/plain; charset=utf-8
>
> On 30/08/17 15:52, Kirk Hall via Public wrote:
>> Sorry ? voting began August 25 on this ballot, and will end on *Friday,
>> Sept. 1*at 22:00 UTC.? If you intend to vote, do it now!
> Mozilla votes YES.
>
> Gerv
>
>
> ------------------------------
>
> Message: 3
> Date: Wed, 30 Aug 2017 21:41:35 +0000
> From: Jeremy Rowley <jeremy.rowley at digicert.com>
> To: Ryan Sleevi <sleevi at google.com>
> Cc: CA/Browser Forum Public Discussion List <public at cabforum.org>
> Subject: Re: [cabfpub] Revocation ballot v2
> Message-ID: <47dace183fa443fabd19b6c28620194c at EX2.corp.digicert.com>
> Content-Type: text/plain; charset="utf-8"
>
> Yeah ? pretty much, except the part about the CAB Forum. If emailing the CAB Forum is required, I think the CA MUST provide a link to the entity submitting the Certificate Problem Report with the discussion.
>
>   
>
> Any additional comments before I finalize and ask for endoresers?
>
>   
>
>   
>
> From: Ryan Sleevi [mailto:sleevi at google.com]
> Sent: Tuesday, August 29, 2017 3:18 PM
> To: Jeremy Rowley <jeremy.rowley at digicert.com>
> Cc: CA/Browser Forum Public Discussion List <public at cabforum.org>; Gervase Markham <gerv at mozilla.org>
> Subject: Re: [cabfpub] Revocation ballot v2
>
>   
>
> I'm not sure if you were trying to say the same thing or propose a different thing :)
>
>   
>
> That is, I was suggesting the normal flow be:
>
>   
>
> The CA MUST make a final determination and respond to a Problem Report within 24 hours, unless all of the following conditions are satisfied:
>
>    - The Report does not indicate that the private key was compromised or publicly disclosed
>
>    - The Report was not provided by the Subscriber
>
>    - The CA makes a final determination and response available within 7 days of receipt of the Problem Report
>
>    - The CA notifies the CA/Browser Forum via the questions at cabforum.org <mailto:questions at cabforum.org>  (as it's the only list that doesn't implicitly impose a membership requirement; although we can certainly explore other ways) of the Problem Report and why more than 24 hours was needed to investigate within 7 days of receipt of the Problem Report
>
>   
>
> The CA MUST revoke the certificate within 24 hours if:
>
>    - The subscriber requests ...
>
>    - The subscriber notifies ...
>
>    - The CA obtains evidence that the Private Key ...
>
>   
>
> The CA SHOULD revoke the certificate within 24 hours and MUST revoke the certificate within 7 days if:
>
>    - ...
>
>   
>
> Is that aligned with what you were saying? (I probably structured it poorly, but there's the handwavy approach)
>
>   
>
>   
>
> On Mon, Aug 28, 2017 at 3:38 PM, Jeremy Rowley <jeremy.rowley at digicert.com <mailto:jeremy.rowley at digicert.com> > wrote:
>
> Not hearing from any other CAs, should we state that the CA must make an initial determination and report within 24 hours and a final report in accordance with the other timeline?
>
>   
>
> From: Ryan Sleevi [mailto:sleevi at google.com <mailto:sleevi at google.com> ]
> Sent: Thursday, August 24, 2017 9:18 AM
> To: Jeremy Rowley <jeremy.rowley at digicert.com <mailto:jeremy.rowley at digicert.com> >; CA/Browser Forum Public Discussion List <public at cabforum.org <mailto:public at cabforum.org> >
> Cc: Gervase Markham <gerv at mozilla.org <mailto:gerv at mozilla.org> >
> Subject: Re: [cabfpub] Revocation ballot v2
>
>   
>
>   
>
>   
>
> On Wed, Aug 23, 2017 at 11:32 PM, Jeremy Rowley via Public <public at cabforum.org <mailto:public at cabforum.org> > wrote:
>
> Okay - attached.
>
> a) I added the requirement to maintain an email address for addressing certificate problem reports to 4.9.3
> b) I added a 24 hour rule for when the original certificate request was not authorized.
>
>   
>
> Jeremy,
>
>   
>
> I'm wondering if you could speak more to what sort of challenges CAs face in making a determination within 24 hours, versus seven days.
>
>   
>
> For example, consider a report of a CP/CPS non-compliance - which is something entirely under the CA's control - particularly for something like a profile violation (e.g. extensions when they said they wouldn't have them, missing subject naming fields, wrong policies, etc). Why wouldn't a CA be able to make a determination about compliance within 24 hours? One downside is I could see the added time for investigation adding an incentive to delay investigating (in order to delay revocation), rather than purely granting the flexibility necessary for complex situations.
>
>   
>
> I think if you (or others) could share a bit more about the challenges of investigating reports, since I think, ideally, we'd want all reports to be taken with the same gravity and attentiveness as a potential security issue. I ask this, because I'm wondering whether it makes sense to set the standard of the _final_ report at 24 hours, but then allow CAs to take up to 7 days (except for the types of reports you noted) as an exception, and with an added requirement to disclose why they made use of the additional time.
>
>   
>
> That is, let's say someone gets report of a CP/CPS violation, and the CA determines that the current BR language is unclear, and they need additional time to consult with their auditors and/or the broader community. That seems a perfectly reasonable reason to take up to the 7 days - to make sure the violation is certain - but it also means we may not know of the potential confusion in the language, or the auditors' conclusions, as a community. If we have those types of situations disclosed (through, say, a public mail posting explaining why the >24 hour investigation took place, and what the challenges were), we can, as a community, better address those situations and work on improvements.
>
>   
>
> I'm wondering if that might address your concern about "two weeks", while also help the community better understand the challenges so we can work to improve them (in the case they're ambiguities) or collaboratively share best practices (in the case of other factors)
>
>   
>
> -------------- next part --------------
> An HTML attachment was scrubbed...
> URL: <http://cabforum.org/pipermail/public/attachments/20170830/98d6ba5b/attachment.html>
> -------------- next part --------------
> A non-text attachment was scrubbed...
> Name: smime.p7s
> Type: application/pkcs7-signature
> Size: 4984 bytes
> Desc: not available
> URL: <http://cabforum.org/pipermail/public/attachments/20170830/98d6ba5b/attachment.p7s>
>
> ------------------------------
>
> Subject: Digest Footer
>
> _______________________________________________
> Public mailing list
> Public at cabforum.org
> https://cabforum.org/mailman/listinfo/public
>
>
> ------------------------------
>
> End of Public Digest, Vol 64, Issue 88
> **************************************

More information about the Public mailing list