[Servercert-wg] Discussion Begins: Ballot SC24: Fall Cleanup

Wayne Thayer wthayer at mozilla.com
Tue Oct 22 15:46:46 MST 2019


On Tue, Oct 22, 2019 at 1:55 PM Ryan Sleevi via Servercert-wg <
servercert-wg at cabforum.org> wrote:

> On Tue, Oct 22, 2019 at 4:27 PM Tim Hollebeek <tim.hollebeek at digicert.com>
> wrote:
>
>> The fact that existing Definitions make a mistake is not justification
>> for making that mistake worse, especially not in a cleanup ballot which
>> isn’t supposed to change anything at all.
>>
>> If Test Certificates really is Abandonware, then yes, the appropriate
>> remedy is to remove the definition, not modify it.
>>
>
> Let me put forward a different:
> - If Test Certificates are Abandonware, do you support adding a statement
> (in a cleanup ballot) iterating that they're abandonware to avoid confusion?
>
> Setting aside whether that statement is in the definition, or elsewhere, I
> think that's the objective here. Since 3.2.2.4.9 was removed, they're
> abandonware. Removing the definition makes sense, but the concern is
> wanting to make sure it's clear that they are, in fact, abandonware.
>
>

The current definition of Test Certificate contains part (i) and part (ii).
This ballot removes part (i), which is the part directly related to section
3.2.2.9, while leaving part (ii), which is a generic definition, in place
with the exact same language. This is consistent with the scope of a
cleanup ballot.

>> With respect to 7.1.3, this is a difficult topic, which is why I didn’t
>> have language, though I’m happy to try to help craft it.  The existing
>> language has fairly limited (and unfortunately complicated) scope, and for
>> the purposes of a cleanup ballot, I think we should keep those scope
>> restrictions, even if a ballot to simplify the issue by just outright
>> banning the practice might make a lot of sense.
>>
>> This is all complicated by the fact that SHA-1 certificates are fairly
>> unique in the sense that “the certificate contents that were signed may not
>> be the actual certificate contents that are trusted.”  I probably could be
>> convinced to go along with an expansion of what would normally be allowed
>> in a cleanup ballot, especially if we can come up with clear, concise
>> language that is easy to understand and interpret.  But I think the
>> existing text is overbroad.
>>
>
> I'm not fully sure I follow here. What are the scope restrictions that you
> see are valid with the intersection of the existing requirements?