[Servercert-wg] Discussion Begins: Ballot SC24: Fall Cleanup

Ryan Sleevi sleevi at google.com
Tue Oct 22 13:54:37 MST 2019

On Tue, Oct 22, 2019 at 4:27 PM Tim Hollebeek <tim.hollebeek at digicert.com> wrote:

> The fact that existing Definitions make a mistake is not justification for
> making that mistake worse, especially not in a cleanup ballot which isn’t
> supposed to change anything at all.
> If Test Certificates really is Abandonware, then yes, the appropriate
> remedy is to remove the definition, not modify it.

Let me put forward a different:
- If Test Certificates are Abandonware, do you support adding a statement
(in a cleanup ballot) iterating that they're abandonware to avoid confusion?

Setting aside whether that statement is in the definition, or elsewhere, I
think that's the objective here. Since was removed, they're
abandonware. Removing the definition makes sense, but the concern is
wanting to make sure it's clear that they are, in fact, abandonware.

> With respect to 7.1.3, this is a difficult topic, which is why I didn’t
> have language, though I’m happy to try to help craft it.  The existing
> language has fairly limited (and unfortunately complicated) scope, and for
> the purposes of a cleanup ballot, I think we should keep those scope
> restrictions, even if a ballot to simplify the issue by just outright
> banning the practice might make a lot of sense.

> This is all complicated by the fact that SHA-1 certificates are fairly
> unique in the sense that “the certificate contents that were signed may not
> be the actual certificate contents that are trusted.”  I probably could be
> convinced to go along with an expansion of what would normally be allowed
> in a cleanup ballot, especially if we can come up with clear, concise
> language that is easy to understand and interpret.  But I think the
> existing text is overbroad.

I'm not fully sure I follow here. What are the scope restrictions that you
see are valid with the intersection of the existing requirements?
