[Servercert-wg] Ballots SC20 and SC21
Tobias S. Josefowitz
tobij at opera.com
Fri May 31 10:02:02 MST 2019
On Fri, 31 May 2019, Ryan Sleevi wrote:
> Let T=0 be the time I perform my weekly review.
> Let T=7 be the time I'm required to perform my next weekly review
> If a configuration change is made, authorized or not, at T=3, then under
> the existing 1.h, it will be detected at T=7
> Under the proposed change, it may not be detected until T=10, which is +7
> from the introduction.
Practically speaking, assuming compliance with the proposed changes,
detection at T=10 for this is only possible if the CA performed a check at
the instance right before T=3, or else an unwanted change introduced at
one instance before T=3 would not be detected within 7 days, i.e. an
instance before T=10. Whatever the implementation would be (unless maybe
in case it is designed solely to fulfil the requirements in the most and
obvious degraded ways), you would have to assume it checks configuration
necessarily in certain minimum units, so I do not see how you could be in
compliance, and detect a T=3 change at T=10 only while detecting an
instance before T=3 change an instance before T=10. Or in other words, the
"laziest" implementation would check configurations short of weekly.
Furthermore, I would argue that CAs have nothing to gain by designing a
system that is degraded and nonsensical and only detects changes in the
last possible instance, hence I really don't see why they would go through
the *effort* of doing that anyway.
Ideally, CAs would clearly monitor configurations *continuously*, but CPUs
have a frequency, and the tools that come to mind for use in an
implementation also typically operate periodically, and there has thus
been a bit of a scare in the SC about requiring "continuous", because it
is impossible to do with strict enough interpretations of what that means.
Furthermore, the intention of SC20 is for human review/implementation/...
still being a valid implementation, which is especially relevant for
transition to the new rules as well as offline systems, which is another
reason why the timeline even is set as high as seven days.
Back to the point, I still do simply not see how a CA would be in
compliance while having implemented a process/system that detects after
min=max=7d; or even how "detect within at most 7 days" can in this case be
worse than "review weekly".
More information about the Servercert-wg