[Servercert-wg] [EXTERNAL] Ballot SC6 v2 - Revocation Timeline Extension
Ryan Sleevi
sleevi at google.com
Thu Aug 30 18:23:48 MST 2018
On Thu, Aug 30, 2018 at 6:41 PM Wayne Thayer via Servercert-wg <
servercert-wg at cabforum.org> wrote:
> On Thu, Aug 30, 2018 at 10:42 AM Ryan Sleevi <sleevi at google.com> wrote:
>
>> Thanks Wayne.
>>
>> I know you're intentionally avoiding the controversial cleanups with this
>> specific Ballot, so it will be good to have a follow-on discussion for
>> those matters, as CAs will no doubt having to make only one update to their
>> CP/CPS versus two. Or, differently stated, I'd hope that the argument for
>> making two updates doesn't preclude discussion of those additional cleanups
>> and ambiguities.
>>
>> In reviewing this language in full, a much needed cleanup, one area that
>> stuck out to me, and which may not need to be resolved, but worth
>> considering, are the requirements for revocation if the CA is "made aware
>> of a material change in the information contained in the certificate" (#6
>> in the 5 day range) and if the CA "determines that any of the information
>> appearing in the Certificate is inaccurate"
>>
>> One thing that stuck out was "made aware" versus "determines" - and
>> whether that distinction is significant (all of the other relevant language
>> in this section uses "made aware"). This is, admittedly, a carry over, but
>> I'm curious if there is any significance/impact to changing this to "made
>> aware"
>>
>> The next thing that stuck out is determining whether "material change in
>> the information" and "is inaccurate" are, in fact, different. Are there
>> cases where the information is inaccurate due to an (immaterial) change?
>> Are there material changes that don't result in inaccuracy? This couples
>> with the above to leave it a bit messy and gray as to how the CA may
>> classify things.
>>
>> In looking at Section 9.6.1, regarding the CA's warranties, it seems our
>> goal is to provide relying parties both assertions on the correctness of
>> the information at the time it was issued, as well as that the information
>> is correct on an ongoing basis (c.f. 9.6.1 (8)). In terms of predictability
>> and clear expectations for CAs, the determination of material/immaterial,
>> and the flexibility for determination in general, seems to set up potential
>> conflict with the needs of Relying Parties and Subscribers, and leave CAs
>> in a bit of the messy place that some of this ballot tries to get them
>> sorted out from.
>>
>>
>> I hope this will prove to be uncontroversial, but the concrete
>> suggestions I would have are:
>> 1) Strike "material" from 4.9.1.1, p2, Item 6, to read "The CA is made
>> aware of a change in the information contained in the certificate"
>>
> >
> I suspect that this is controversial and am not sure that I agree with the
> proposed change. For example, when GoDaddy removed the space from their
> former name "Go Daddy", that would, in my opinion, have been an immaterial
> change to the content of any certificate containing "Go Daddy" in the O
> field. Other examples might include capitalization and punctuation. While I
> dislike ambiguities and the abuse they invite, this is a case where I think
> it is acceptable, if not necessary.
>
But aren't these distinct organizations? If I were to look up, say, in a
business registry, I wouldn't find both entries as current, would I? One
might be a tradename, or a historic note, but there could be an entity "Go
Daddy" and an entity "GoDaddy" once the organization itself renamed itself,
if I'm not mistaken.
> >
>
>> 2) Change "determines" to "is made aware" in 4.9.1.1, p2, Item 8, to read
>> "The CA is made aware that any of the information appearing in the
>> Certificate is inaccurate."
>>
> >
> I don't have strong feelings about this, but I do make some distinction
> between "determining" (on its own) and "being made aware of" (by someone
> else). I prefer the current language because it makes some admittedly minor
> distinction between these two reasons.
>
Although there's currently no trigger for the duration between the CA being
made aware of such information and making a determination. For example, if
a problem report arrives with inaccurate information, the CA may take two
weeks to make such a determination, and upon making a determination, decide
to revoke. They might, as part of both their preliminary and final report,
note that they have not yet determined that the information is inaccurate.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cabforum.org/pipermail/servercert-wg/attachments/20180830/bc1e6500/attachment-0001.html>
More information about the Servercert-wg
mailing list