[Servercert-wg] Ballot SC42: 398-day Reuse Period

Ryan Sleevi sleevi at google.com
Thu Apr 1 20:09:48 UTC 2021

Ballot bookkeeping side: Hopefully once we get SC41 merged, we'll be able
to open this as a pull request against the CA/B Forum repo and comment
inline. I'll try to find out why
is suggesting it's a dirty merge - and try to make sure this doesn't impact
the ballot.

In Section 4.2.1, you have the following language:
"Effective 2021-10-01, the CA SHALL verify Domain Names and IP Addresses no
more than 398 days prior to Certificate issuance."

This might be read ambiguously, since the previous paragraph seems to
suggest that reuse is, in fact, accepted as "verifying". While that's
plainly not the intent, what do you think about:

"Effective 2021-10-01, for validation of Domain Names and IP Addresses
according to Section and, any reused data, document, or
completed validation MUST be obtained no more than 398 days prior to
issuing the Certificate."

Feels a little clunky, but perhaps fits in better. We could try rephrasing
the whole paragraph, but that seems a bit of a heavier task for this
ballot. But framing it in terms of reuse, since that's what this paragraph
talks about, seems to work better.

There's also the unfortunate issue of a CA interpreting "398 days and an
hour" to be "398 days" rather than "399 days". I'm not sure if we want to
try to tackle that here, but just acknowledging this used to be an issue in
the past that caused CA incidents. We could slap an "exactly" before 398
days, but that also feels like it might be superfluous.

Alternatively, a different approach would be to change the sentence to:
"Effective 2021-10-01, the maximum time permitted for reuse of data,
documents, and/or prior validations for demonstrations of domain control
and IP addresses, as specified in [Section](#3224-validation-of-domain-authorization-or-control) and [Section](#3225-authentication-for-an-ip-address), SHALL be 398 days". This
would then naturally flow with the next paragraph's restriction.

The changes to the EVG look fine, but note that they'll practically have no
effect, because of the preceding paragraph ("Except for reissuance"
creating the validation-carveout). I'm not sure if you want to tackle
11.14.1 (6). I think these are important to tackle, which is why I'd
previously tried to fix these up so that the EVGs don't appear to
override/ignore the BRs. However, it is a bit trickier. As it reads now, it
may be seen as having loopholes, so I'm curious if you're open for more
discussion and proposals to try to close those.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/servercert-wg/attachments/20210401/39dfb7db/attachment.html>

More information about the Servercert-wg mailing list