[Servercert-wg] Ballot SC-52 version 2: Specify CRL Validity Intervals in Seconds (cleanup time interval style)

Dimitris Zacharopoulos (HARICA) dzacharo at harica.gr
Tue Jan 4 11:45:00 UTC 2022 

On another matter (decided to start a new thread to separate the two 
issues), we also observed that there is no consistency on the way time 
intervals are written. For example:

  * "one hour",
  * "sixteen hours",
  * "seven days",
  * "ten days",
  * "twelve months",
  * "366 days",
  * "367 days".

We should pick one format style using numbers like "1 hour, 16 hours, 7 
days, 10 days, 12 months". I'd be happy to go over the document and 
propose these updates on this ballot or we could schedule it for a 
cleanup ballot.

Dimitris.

On 15/12/2021 7:51 π.μ., Dimitris Zacharopoulos (HARICA) via 
Servercert-wg wrote:
>
> HARICA disagrees with adding the following text to the Baseline 
> Requirements:
>
> /"**Effective 2022-06-01:** For purposes of computing differences, a 
> difference of 3,600 seconds shall be equal to one hour, and a 
> difference of 86,400 seconds shall be equal to one day, ignoring leap 
> seconds. Any amount of time greater than this, including fractional 
> seconds, shall represent an additional unit of measure, such as an 
> additional hour or additional day."/
>
> My team has advised me that when using the standard (vixie) cron, an 
> admin cannot state that an action must take place:
>
>   * every x minutes, for x>60
>   * every x hours, for x>24
>   * every x days, for x>1
>   * every x months, for x>12
>
> An admin would need to create custom scripts to overcome these 
> problems, thus creating a possibility of human error. It is also not 
> possible to specify seconds. This is just one of the tools that can be 
> used by admins. Windows has the same limitations in the "tasks" 
> scheduling tool.
>
> This is a very simple indication that such a change in the 
> requirements will require significant analysis and implementation 
> effort by all CAs without good justification.
>
> HARICA still doesn't see a clear benefit from generalizing the 
> expectation that all time intervals in the BRs, EVGs, NetSec should be 
> evaluated at the level of 1 second which is an "expensive" compliance 
> obligation and should be applied/enforced in areas where it is really 
> needed. The necessity may come from interoperability risks as we have 
> seen for the validity of certificates and OCSP/CRL. If other areas 
> seem appropriate for this level of accuracy, we should identify, 
> justify and add to the requirements instead of making a general 
> requirement for such an expensive operation.
>
>
> Dimitris.
>
> On 2/12/2021 5:20 μ.μ., Tim Hollebeek via Servercert-wg wrote:
>>
>> Ballot SC-52 version 2: Specify CRL Validity Intervals in Seconds
>>
>> Purpose of Ballot: Similar to Ballot SC-31 which modified the 
>> specification of
>>
>> OCSP validity periods to be in seconds, this ballot modifies the 
>> specification
>>
>> of CRL validity periods to be in seconds to avoid confusion about 
>> exactly which
>>
>> periods are valid and which are not.  The ballot also specifies that 
>> other time
>>
>> periods should be handled the same way, which has broader impacts 
>> throughout
>>
>> the document.
>>
>> These changes should not be interpreted as implying that missing a 
>> deadline by
>>
>> a few seconds is any more or less important than it previously was.  The
>>
>> changes are merely intended to provide additional clarity and 
>> precision about
>>
>> exactly where the deadlines are.
>>
>> The following motion has been proposed by Tim Hollebeek of DigiCert 
>> and endorsed
>>
>> by Trevoli Ponds-White of Amazon and Kati Davids of GoDaddy.
>>
>> ---MOTION BEGINS---
>>
>> This ballot modifies the “Baseline Requirements for the Issuance and 
>> Management
>>
>> of Publicly-Trusted Certificates” (“Baseline Requirements”), based on 
>> Version 1.8.0:
>>
>> MODIFY the Baseline Requirements as specified in the following Redline:
>>
>> https://github.com/cabforum/servercert/compare/cda0f92ee70121fd5d692685b97ebb6669c74fb7...2b9cf93af71233095f370cdc1d1b587166da4b07
>>
>> ---MOTION ENDS---
>>
>> This ballot proposes a Final Maintenance Guideline.
>>
>> The procedure for approval of this ballot is as follows:
>>
>> Discussion (7+ days)
>>
>> Start Time: December 2, 2021 10:30 am Eastern
>>
>> End Time: No earlier than December 9, 2021 10:30 am Eastern
>>
>> Vote for approval (7 days)
>>
>> Start Time: TBD
>>
>> End Time: TBD
>>
>>
>> _______________________________________________
>> Servercert-wg mailing list
>> Servercert-wg at cabforum.org
>> https://lists.cabforum.org/mailman/listinfo/servercert-wg
>
>
> _______________________________________________
> Servercert-wg mailing list
> Servercert-wg at cabforum.org
> https://lists.cabforum.org/mailman/listinfo/servercert-wg
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/servercert-wg/attachments/20220104/7c702ccb/attachment.html>

More information about the Servercert-wg mailing list