[Servercert-wg] Discussion Begins: Ballot SC24: Fall Cleanup

Wayne Thayer wthayer at mozilla.com
Thu Oct 24 12:36:24 MST 2019

On Thu, Oct 24, 2019 at 12:12 PM Ryan Sleevi <sleevi at google.com> wrote:

> In writing this up, I realized the potential confusion that can result
> from Tim's wording here. I attempted a slight adjustment in
> https://github.com/sleevi/cabforum-docs/compare/2019-07-Cleanups...sleevi:2019-07-TimsConcerns -
> again, not happy with it, but trying to make progress and appease the
> concerns. If that looks right to folks, I'll merge it.
I'm not sure I understand the loophole, but this looks good to me except
that the last sentence drops "SHA-2...". Was that intentional? If not, I'd
revert it.

Here's the "unreasonable" loophole that I think fits within the scope of a
> cleanup ballot, which the above tries to close, and I hope to all that is
> holy no CA would try to argue is a normative change:
> - A CA may read this as "IF I have a Cross Certificate issued, THEN I MAY
> issue SHA-1 Subscriber certificates".
> The 'intent', however unfortunate, of the existing 7.1.3 was that the
> "This section" means that Root CAs may issue Subordinate CA Certificates
> that are Cross Certificates using SHA-1. That is "This prohibition on
> issuing Subordinate CA Certificates does not apply if the Subordinate CA
> Certificate is a Cross Certificate". That's what the above language is
> trying to preserve, while avoiding ambiguity that it might be seen as a
> blanket allowance for SHA-1 issuance (which multiple root programs
> categorically forbid), by reading it as "There are no restrictions on SHA-1
> issuance, if your issuing CA is a cross certificate"
> Hopefully this still works for everyone. If there's still concerns, my
> suggestion is we simply restore the original, blanket prohibition, which
> aligns with Root Program requirements, and let voting sort it out. The fact
> that it is forbidden by multiple root programs means there's clearly no
> need for a phase out of that language, which is the only reason someone
> should object.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cabforum.org/pipermail/servercert-wg/attachments/20191024/db48a604/attachment.html>

More information about the Servercert-wg mailing list