[Servercert-wg] Ballots SC20 and SC21

Tobias S. Josefowitz tobij at opera.com
Fri May 31 10:02:02 MST 2019

On Fri, 31 May 2019, Ryan Sleevi wrote:

> Let T=0 be the time I perform my weekly review.
> Let T=7 be the time I'm required to perform my next weekly review
> If a configuration change is made, authorized or not, at T=3, then under
> the existing 1.h, it will be detected at T=7
> Under the proposed change, it may not be detected until T=10, which is +7
> from the introduction.

Practically speaking, assuming compliance with the proposed changes, 
detection at T=10 for this is only possible if the CA performed a check at 
the instant right before T=3, or else an unwanted change introduced an 
instant before T=3 would not be detected within 7 days, i.e. an 
instant before T=10. Whatever the implementation would be (unless maybe 
in case it is designed solely to fulfil the requirements in the most 
obvious and degraded ways), you would have to assume it checks configuration 
necessarily in certain minimum units, so I do not see how you could be in 
compliance and detect a T=3 change at T=10 only while detecting a change an 
instant before T=3 an instant before T=10. Or in other words, the 
"laziest" implementation would check configurations short of weekly.

Furthermore, I would argue that CAs have nothing to gain by designing a 
system that is degraded and nonsensical and only detects changes in the 
last possible instance, hence I really don't see why they would go through 
the *effort* of doing that anyway.

Ideally, CAs would clearly monitor configurations *continuously*, but CPUs 
have a frequency, and the tools that come to mind for use in an 
implementation also typically operate periodically, and there has thus 
been a bit of a scare in the SC about requiring "continuous", because it 
is impossible to do with strict enough interpretations of what that means.

Furthermore, the intention of SC20 is for human review/implementation/... 
to still be a valid implementation, which is especially relevant for the 
transition to the new rules as well as for offline systems, which is another 
reason why the timeline is even set as high as seven days.

Back to the point, I still simply do not see how a CA would be in 
compliance while having implemented a process/system that detects after 
min=max=7d; or even how "detect within at most 7 days" can in this case be 
worse than "review weekly".
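The timing argument in this thread can be checked with a small model of review schedules. The following is an added illustration, not code from the thread, the ballot text, or any CA: it treats a "check" as any review (human or automated) that would notice an unauthorized configuration change, computes when a change landing at a given time is first noticed, and reports the worst-case detection delay of a schedule, which is simply its largest gap between consecutive checks. The schedules and change times below are constructed for the example; the weekly schedule corresponds to the existing 1.h, and the second schedule is the one needed for Ryan's "T=3 detected at T=10" case.

```python
"""Model of periodic configuration-review schedules and detection latency.

Added illustration for the discussion above; not code from the thread,
the ballot, or any CA's tooling. All times are in days. A 'check' is any
review (human or automated) that would notice an unauthorized change.
"""
from bisect import bisect_left


def detection_time(checks, change_time):
    """Return the earliest scheduled check at or after change_time.

    checks must be sorted ascending. Returns None when no later check
    exists inside the modelled window.
    """
    i = bisect_left(checks, change_time)
    return checks[i] if i < len(checks) else None


def worst_case_latency(checks):
    """Largest gap between consecutive checks.

    A change landing just after a check waits for the whole following gap,
    so the largest gap is the worst-case detection delay of the schedule.
    """
    return max(later - earlier for earlier, later in zip(checks, checks[1:]))


def meets_detection_limit(checks, limit_days):
    """True if every change inside the modelled window is detected within
    limit_days, i.e. no gap between checks exceeds the limit."""
    return worst_case_latency(checks) <= limit_days


def laziest_compliant_schedule(limit_days, horizon_days, start=0):
    """The sparsest schedule that still meets 'detect within limit_days':
    one check every limit_days. For limit_days=7 this is exactly a weekly
    review, which is the point made in the thread."""
    return list(range(start, horizon_days + 1, limit_days))


if __name__ == "__main__":
    # Constructed schedule 1: existing 1.h, weekly review at T=0, 7, 14, ...
    weekly = [0, 7, 14, 21]
    print("weekly: change at T=3 detected at", detection_time(weekly, 3))
    print("weekly: worst-case latency", worst_case_latency(weekly), "days")

    # Constructed schedule 2: the only way a T=3 change is first seen at
    # T=10 is a check shortly before T=3 followed by nothing until T=10.
    lazy = [0, 2.5, 10, 17]
    print("lazy: change at T=3 detected at", detection_time(lazy, 3))
    print("lazy: worst-case latency", worst_case_latency(lazy), "days")
    print("lazy meets 'detect within 7 days'?", meets_detection_limit(lazy, 7))

    print("sparsest compliant schedule for 7 days:",
          laziest_compliant_schedule(7, 21))
```

Running it shows that the second schedule does detect the T=3 change at T=10, but its 2.5 to 10 gap means a change landing just after T=2.5 waits 7.5 days, so that schedule does not meet "detect within 7 days" at all; the sparsest schedule that does meet it is one check every 7 days, which is the weekly review of the existing text.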
