[Servercert-wg] [EXTERNAL] Ballot SC6 v2 - Revocation Timeline Extension

Wayne Thayer wthayer at mozilla.com
Fri Aug 31 09:10:02 MST 2018


On Thu, Aug 30, 2018 at 6:24 PM Ryan Sleevi <sleevi at google.com> wrote:

>
>
> On Thu, Aug 30, 2018 at 6:41 PM Wayne Thayer via Servercert-wg <
> servercert-wg at cabforum.org> wrote:
>
>> On Thu, Aug 30, 2018 at 10:42 AM Ryan Sleevi <sleevi at google.com> wrote:
>>
>>> Thanks Wayne.
>>>
>>> I know you're intentionally avoiding the controversial cleanups with
>>> this specific Ballot, so it will be good to have a follow-on discussion for
>>> those matters, as CAs will no doubt having to make only one update to their
>>> CP/CPS versus two. Or, differently stated, I'd hope that the argument for
>>> making two updates doesn't preclude discussion of those additional cleanups
>>> and ambiguities.
>>>
>>> In reviewing this language in full, a much needed cleanup, one area that
>>> stuck out to me, and which may not need to be resolved, but worth
>>> considering, are the requirements for revocation if the CA is "made aware
>>> of a material change in the information contained in the certificate" (#6
>>> in the 5 day range) and if the CA "determines that any of the information
>>> appearing in the Certificate is inaccurate"
>>>
>>> One thing that stuck out was "made aware" versus "determines" - and
>>> whether that distinction is significant (all of the other relevant language
>>> in this section uses "made aware"). This is, admittedly, a carry over, but
>>> I'm curious if there is any significance/impact to changing this to "made
>>> aware"
>>>
>>> The next thing that stuck out is determining whether "material change in
>>> the information" and "is inaccurate" are, in fact, different. Are there
>>> cases where the information is inaccurate due to an (immaterial) change?
>>> Are there material changes that don't result in inaccuracy? This couples
>>> with the above to leave it a bit messy and gray as to how the CA may
>>> classify things.
>>>
>>> In looking at Section 9.6.1, regarding the CA's warranties, it seems our
>>> goal is to provide relying parties both assertions on the correctness of
>>> the information at the time it was issued, as well as that the information
>>> is correct on an ongoing basis (c.f. 9.6.1 (8)). In terms of predictability
>>> and clear expectations for CAs, the determination of material/immaterial,
>>> and the flexibility for determination in general, seems to set up potential
>>> conflict with the needs of Relying Parties and Subscribers, and leave CAs
>>> in a bit of the messy place that some of this ballot tries to get them
>>> sorted out from.
>>>
>>>
>>> I hope this will prove to be uncontroversial, but the concrete
>>> suggestions I would have are:
>>> 1) Strike "material" from 4.9.1.1, p2, Item 6, to read "The CA is made
>>> aware of a change in the information contained in the certificate"
>>>
>> >
>> I suspect that this is controversial and am not sure that I agree with
>> the proposed change. For example, when GoDaddy removed the space from their
>> former name "Go Daddy", that would, in my opinion, have been an immaterial
>> change to the content of any certificate containing "Go Daddy" in the O
>> field. Other examples might include capitalization and punctuation. While I
>> dislike ambiguities and the abuse they invite, this is a case where I think
>> it is acceptable, if not necessary.
>>
>
> But aren't these distinct organizations?
>
>
In what sense? Certainly in the physical world they are the same.
>

> If I were to look up, say, in a business registry, I wouldn't find both
> entries as current, would I? One might be a tradename, or a historic note,
> but there could be an entity "Go Daddy" and an entity "GoDaddy" once the
> organization itself renamed itself, if I'm not mistaken.
>
>
This is perhaps not a good example given the complex corporate structure,
and I don't know the full history, but I think it makes my point which is
that this is a controversial change.
>

>
>
>> >
>>
>>> 2) Change "determines" to "is made aware" in 4.9.1.1, p2, Item 8, to
>>> read "The CA is made aware that any of the information appearing in the
>>> Certificate is inaccurate."
>>>
>> >
>> I don't have strong feelings about this, but I do make some distinction
>> between "determining" (on its own) and "being made aware of" (by someone
>> else). I prefer the current language because it makes some admittedly minor
>> distinction between these two reasons.
>>
>
> Although there's currently no trigger for the duration between the CA
> being made aware of such information and making a determination. For
> example, if a problem report arrives with inaccurate information, the CA
> may take two weeks to make such a determination, and upon making a
> determination, decide to revoke. They might, as part of both their
> preliminary and final report, note that they have not yet determined that
> the information is inaccurate.
>
>
I see your point, but it assumes that a CA can 'be made aware that any of
the information appearing in the Certificate is inaccurate' without
triggering reason #6 ('made aware of a material change in the information
contained in the Certificate'), which seems unlikely. My concern with your
proposal is that a CA could interpret "is made aware of" as only applying
when a 3rd party reports a problem. Would a change to 'determines or is
made aware of' resolve both concerns?
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cabforum.org/pipermail/servercert-wg/attachments/20180831/9b4b8422/attachment.html>


More information about the Servercert-wg mailing list