[Servercert-wg] Draft Ballot for Cleanups

Dimitris Zacharopoulos (HARICA) dzacharo at harica.gr
Fri Oct 18 02:30:52 MST 2019


On 18/10/2019 3:50 π.μ., Ryan Sleevi via Servercert-wg wrote:
>
>
> On Thu, Oct 17, 2019 at 8:18 PM Jacob Hoffman-Andrews via 
> Servercert-wg <servercert-wg at cabforum.org 
> <mailto:servercert-wg at cabforum.org>> wrote:
>
>     On Thu, Oct 17, 2019 at 5:14 PM Ryan Sleevi via Servercert-wg
>     <servercert-wg at cabforum.org <mailto:servercert-wg at cabforum.org>>
>     wrote:
>
>         On Thu, Oct 17, 2019 at 7:59 PM Jacob Hoffman-Andrews via
>         Servercert-wg <servercert-wg at cabforum.org
>         <mailto:servercert-wg at cabforum.org>> wrote:
>
>             I'm working my way through the diffs, and overall
>             this looks great. Thanks for putting it together. I do
>             notice there's one important Effective Date that's in the
>             past but you haven't removed: 1 July 2012, the overall
>             effective date of the BRs. Is there any reason not to
>             remove this one as well?
>
>
>         Nope! No strong view.
>
>
>     I'll work on a PR.
>
>
> Thanks. I went and merged 
> https://github.com/sleevi/cabforum-docs/commit/4ed95dc591a228cc5a1ec27842af1a36db77b3ed
>
> In the process, I spotted a few more areas of dates that have now 
> passed from when we started this whole process. If someone could spot 
> check https://github.com/sleevi/cabforum-docs/pull/6/files and make 
> sure the requirements have stayed the same, that would be great.
>
> Of particular interest are the changes to 4.2.1; while not consistent 
> with Ballot 197, it's possible that the provisions might be read that 
> "If the CA obtained the data prior to 1 March 2018" rather than "If 
> the issuance is prior to 1 March 2018, and the CA obtained the 
> data...". The latter interpretation is what is spelled out in 197, but 
> the former interpretation can be read with the way things are worded.
>
> If Wayne, Jacob, or someone interested in this section could give a 
> spot check (as well as the other sections that have since passed, such 
> as underscores or CP/CPS changes), that'd be great.

This is probably something minor but I think there are Subordinate CA 
Certificates that are used as Trust Anchors in various Root Programs.

I am also not sure what the goals for Test Certificates really are. Is 
the intent for Test Certificates to never (past, present and future) 
chain to a CA Certificate that can ever be used as a Trust Anchor? ANY 
Trust Anchor? Trust Anchors used for Publicly-Trusted Certificates (as 
defined in section 1.6.1)?

If the intent is to prohibit "Test Certificates" to ever be considered 
"Publicly-Trusted", then it's probably best to change:


"**Test Certificate**: A Certificate which is issued under a CA where 
there are no certificate paths/chains to a root certificate subject to 
these Requirements."

to:

"**Test Certificate**: A Certificate which is issued under a CA where 
there are no certificate paths/chains to a CA Certificate, subject to 
these Requirements. A Test Certificate must never be considered a 
Publicly-Trusted Certificate."

I also find the first paragraph of 1.1 problematic "The requirements are 
not mandatory for Certification Authorities unless and until they become 
adopted and enforced by relying-party Application Software Suppliers". I 
don't think this meets the current expectations, but that's an issue to 
discuss separately.


Dimitris.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cabforum.org/pipermail/servercert-wg/attachments/20191018/fca4dc67/attachment-0001.html>


More information about the Servercert-wg mailing list