[Servercert-wg] Ballot SC-52 version 2: Specify CRL Validity Intervals in Seconds

Ryan Sleevi sleevi at google.com
Fri Jan 7 17:33:20 UTC 2022

On Fri, Jan 7, 2022 at 12:14 PM Dimitris Zacharopoulos (HARICA) <
dzacharo at harica.gr> wrote:

> The 10% was just a suggestion. Later down the thread, I asked for members
> to provide more reasonable slack. Judging from the earlier discussions, it
> would make sense to update 3 months to 92 days, 6 months to...  (2x92)=184
> days??? and so on. However, if the intent of the ballot proposers is only
> to touch upon "hours" and "days", then we can clarify and move on leaving
> the week, month, year for another ballot.

Gotcha! I think for things where we expect/accept calendrical triggers,
then (max value + 1 measure) is OK. But that doesn't necessarily mean they
all need to be bumped there - e.g. something like 30 days or 90 days may be
fine as-is. However, the intent with the original suggestion was to save
any conversions of the NCSSRs for a separate discussion, and just focus on
the question of hours and days. If the current proposal is just the
addition of "of hours and/or days", that seems reasonable.

> I believe it will help, because we continue to see CAs choosing to
> implement the absolute minimum despite having discussed the risks in
> mailing threads, teleconferences and F2F meetings. They usually learn it
> the hard way through security incidents and feel "surprised" that missing 1
> second can be taken so seriously. Had they known how serious this is from
> the very beginning of reading these standards, some things would probably
> be designed differently. This also applies to software engineers that
> implement CA software.

I think the 1 second precision is a misunderstanding of why it's taken
seriously. Part of the seriousness is that the CA designed their systems to
do "the minimum possible" (or, put differently, "maximum allowed"). It
doesn't seem unreasonable to have that as the base expectation for CAs. I
originally understood your motivation to be making it easier for new CAs,
but even a new CA doesn't need to follow mailing threads, teleconferences,
or F2F meetings to understand that they're "Baseline" requirements. I
totally appreciate the view with specific elements/instances, but I guess
my point was more so that you shouldn't have to have any of the specific
context to understand the general principle. That said, it sounds like
we're in agreement that reiterating the general principle (for all the
requirements) could help make sure to highlight that.