[cabfpub] Ballot 193: Problem 2

Ryan Sleevi sleevi at google.com
Thu Mar 2 02:38:22 UTC 2017


On Wed, Mar 1, 2017 at 4:50 PM, Ryan Sleevi <sleevi at google.com> wrote:

> It's unclear whether you disagree with the substance of my analysis, and
> are thus stating it was intentional to weaken the Baseline Requirements, or
> if you're simply providing clarification for the intent, for which the
> weakening of the Baseline Requirements was unintentional?
>
> If this was unintentional, we can work to resolve this in a way that
> achieves the intended resolve. However, if this was intentional, we will
> continue to disagree, and thus will find it necessary to vote against this
> ballot. I can only hope that, like Ballot 188, this was merely an
> unintentional side-effect, and hopefully one we can resolve through
> collaboration.
>

It was pointed out that my description of the issues may not have been
clear for some members, so I'll try to restate the various ways in which
this proposal, whether intentional or not, weakens the current security
guarantees provided by the Baseline Requirements.

In the effort of providing greater clarity, I have created several new
threads to help inform this discussion.


Proposed for Section 4.2.1
"A CA may rely on a previously verified certificate request to issue a
replacement certificate, so long as the certificate being referenced was
not revoked due to fraud or other illegal conduct, if:
(1) The expiration date of the replacement certificate is the same as the
expiration date of the Certificate that is being replaced, and
(2) The Subject Information of the Certificate is the same as the Subject
in the Certificate that is being replaced."

Problem Summary: This introduces an additional implied requirement for
revocation not present within the Baseline Requirements, and for which
several Browser members have highlighted clear disagreement with CAs.

Explanation: The problem introduced here is with respect to "was not
revoked due to fraud or other illegal content". The introduction of "Fraud"
creates an ambiguity regarding what is required in the Baseline
Requirements. The extent of obligations imposed by Section 4.9.1.1 does not
include fraud as a general category, but instead limits it to a
"fraudulently misleading subordinate Fully-Qualified Domain Name" in Item
7. Similarly, "illegal conduct" creates an ambiguity as to what is
required, pursuant to Item 6, which through illustrative example makes a
distinction between "illegal conduct" and "no longer legally permitted".

Conclusion: This represents an agenda item for which CAs and several
browsers have long disagreed. As a consequence, this detracts from the
substantive, though incomplete, improvements being proposed regarding
certificate lifetime.

Suggestion: Remove "due to fraud or other illegal conduct"