[Servercert-wg] [EXTERNAL] Ballot SC23: Precertificates

Wayne Thayer wthayer at mozilla.com
Tue Oct 15 14:57:15 MST 2019


Ryan,

On Wed, Oct 9, 2019 at 1:18 PM Ryan Sleevi via Servercert-wg <
servercert-wg at cabforum.org> wrote:

>
> On Wed, Oct 9, 2019 at 4:09 PM Bruce Morton <
> Bruce.Morton at entrustdatacard.com> wrote:
>
>> Hi Ryan,
>>
>>
>>
>> My understanding was that the ballot was being proposed as it has been
>> determined that there is a problem with how some CAs currently provide
>> status for precertificates. I agree that this needs to be fixed. I
>> brought up the issue as the ballot does not provide significant time for a
>> CA to fix the problem if they have the problem.
>>
>>
>>
>> If this ballot was proposed similar to ballot SC21 which stated “to be
>> EFFECTIVE ninety (90) days after completion of the IPR Review Period”, then
>> there would probably have been no discussion.
>>
>
> I think it's a useful question, but I don't think it's a question for the
> Forum. That's something you should raise with the Root Programs, if you're
> worried about non-compliance.
>
> This ballot simply makes things more permissive, in a way that is clearer
> as to the intent (discussed back when it was originally introduced), to
> provide assurance to CAs that the requirements placed on them by Root
> Programs do not conflict with their expectations. Again, there are totally
> valid ways to read the existing Root Programs as having no conflict with
> the BRs, as written today, and suggesting this Ballot is entirely
> unnecessary. However, much like Ballot 134 sought to provide assurance,
> particularly to CAs' auditors, that this was both expected and accepted,
> the proposed ballot here, SC23, provides clarity that certain things are
> permitted, and not forbidden.
>
>
I think the concern here is that some CAs have interpreted the current
section 7.1.2.5 as placing no OCSP requirements on precertificates (because
they are not within the scope of the BRs because they are not
certificates). With the new language, this argument becomes murky (because
we remove the statement that precertificates are not certificates). Hence
the assertion that this ballot does place new requirements on CAs and thus
should include a reasonable effective date. I understand that the picture
changes when we add root program requirements into the mix, but the scope
of this discussion is the BRs and CAs' ability to comply with them.

Am I missing something?

- Wayne

> Whether or not those permitted things are required, however, is a
> discussion for the Root Program. This Ballot doesn't make anything new
> required. That's why, from both an IP perspective and a phase-in, it's no
> issue.
>
> The comparable ballots might be Ballot 134, which had no phase-in, or
> Ballot SC16, which had no phase-in, or Ballots SC13, SC14, SC17 and SC19 -
> none of which had phase-ins for being clearer about the things permitted.
>
> The comparison to Ballot SC21 is not a good comparison, because Ballot
> SC21 actually imposes new requirements, as noted within the Ballot itself.
> As I mentioned, this doesn't, and like the many clarification or
> permissiveness Ballots that Entrust has voted on in the past, it should
> seem to be of no impact.
>
>