[Servercert-wg] Proposal to Incorporate Mozilla's CRL Revocation Reason Code Requirements into the BRs
Ben Wilson
bwilson at mozilla.com
Thu Nov 10 23:52:19 UTC 2022
All,
Here is another iteration of a proposal to incorporate Mozilla's CRL reason
code requirements into the Baseline Requirements.
I am open to your suggestions and recommendations on how to make this
better.
I'll put another draft in GitHub again after I receive feedback.
Thanks,
Ben
On Tue, Sep 20, 2022 at 10:16 PM Ben Wilson via Servercert-wg <
servercert-wg at cabforum.org> wrote:
> Hi Corey,
>
> See responses below.
>
> On Wed, Sep 14, 2022 at 11:38 AM Corey Bonnell <Corey.Bonnell at digicert.com>
> wrote:
>
>> Hi Ben,
>>
>> It appears the ballot text has potential divergences from the published
>> MRSP:
>>
>>
>>
> 1. This ballot prohibits other CRLReasons from appearing in CRLs. This is
>> meaningfully different from MRSP, where the new requirements are applicable
>> solely to revocations that occur on or after the effective date.
>>
>
> I think this can be fixed with some language changes.
>
> 2. There is no requirement to document reason codes in the Subscriber
>> Agreement, whereas there is in MRSP. Is this change intentional?
>>
>
> Not exactly an intentional elimination of the requirement, but I can make
> the ballot consistent with the MRSP with some language changes as well. My
> idea was to suggest that CAs could incorporate the necessary information
> "by reference" so that the CRL reason code explanations wouldn't have to
> appear fully in Subscriber Agreements or Terms of Use.
>
>
>> 3. Regarding 24-hour revocation reason #5: it appears that
>> privilegeWithdrawn is now allowed. According to MRSP, only superseded is
>> appropriate for this case.
>>
>
> For consistency, I'll change this to superseded only.
>
>
>> 4. Regarding 5-day revocation reason #9: this is not a scenario listed in
>> MRSP. In other words, this revocation scenario must be denoted as
>> “unspecified” as the CRLReason under MRSP. Therefore, it is not possible to
>> satisfy both the proposed BR text and MRSP.
>>
>
> That's probably the approach to take - thanks. Another possibility is to
> move this revocation reason down to 4.9.1.2 - CAs should revoke the
> intermediate CA certificate(s) rather than all end entity certificates.
>
> 5. Regarding 5-day revocation reason #10: this appears to be like
>> scenario #7, but it is different in that revocation may be required even if
>> there’s no violation of the CP/CPS. I don’t think this scenario is
>> enumerated in MRSP, so it is not possible to specify a reason code that
>> satisfies both MRSP and this ballot for this scenario.
>>
>
> Kathleen and I think that this reason is in the MRSP under the section for
> the superseded CRLReason - "the CA operator has revoked the certificate
> for compliance reasons such as the certificate does not comply with this
> policy, the CA/Browser Forum's Baseline Requirements, or the CA operator’s
> CP or CPS".
>
>
>>
>> More generally, the Defined Term “Certificate” should be used throughout
>> the ballot for consistency.
>>
>
> Agreed. Thanks.
>
>
>>
>>
>> Thanks,
>>
>> Corey
>>
>
> Thanks,
> Ben
>
>>
>>
>> *From:* Servercert-wg <servercert-wg-bounces at cabforum.org> *On Behalf Of
>> *Ben Wilson via Servercert-wg
>> *Sent:* Tuesday, September 13, 2022 11:37 PM
>> *To:* Ben Wilson <bwilson at mozilla.com>; CA/B Forum Server Certificate WG
>> Public Discussion List <servercert-wg at cabforum.org>
>> *Subject:* Re: [Servercert-wg] Proposal to Incorporate Mozilla's CRL
>> Revocation Reason Code Requirements into the BRs
>>
>>
>>
>> Here is the most current comparison:
>>
>>
>>
>>
>> https://github.com/cabforum/servercert/compare/bbca71465ed8a8a76383086039f52c750009286a..1699612e5157423f607d67cc8ab9dc3a1d52b318
>>
>>
>>
>> Ben
>>
>>
>>
>> On Mon, Sep 12, 2022 at 11:00 AM Ben Wilson <bwilson at mozilla.com> wrote:
>>
>> Here is another edit that tries to make minimal changes to BR section
>> 4.9.1.1.
>>
>>
>> <http://goog_144053405>
>>
>>
>> https://github.com/BenWilson-Mozilla/servercert/commit/94a07d08855cf489a2bdddff7d8a9490969d5d06
>>
>>
>>
>> Ben
>>
>>
>>
>> On Mon, Sep 12, 2022 at 9:51 AM Ben Wilson via Servercert-wg <
>> servercert-wg at cabforum.org> wrote:
>>
>> Thanks, Dimitris. I'll work on that approach and get something back to
>> you soon.
>>
>> Ben
>>
>>
>>
>> On Mon, Sep 12, 2022 at 2:56 AM Dimitris Zacharopoulos (HARICA) <
>> dzacharo at harica.gr> wrote:
>>
>> Hi Ben,
>>
>> After a quick reading, I noticed that the subsections are not symmetrical
>> and a bit inconsistent. For example, some of them contain the statement
>> "the CA SHOULD revoke a certificate within 24 hours and MUST revoke a
>> Certificate within 5 days", some do not.
>>
>> Other examples:
>>
>> - 4.9.1.1.1, is labeled "Subscriber-Requested Revocation", however
>> there are other subsections that are also "Subscriber-Requested". This
>> separation seems confusing.
>> - 4.9.1.1.4 is about unreliable validation but most of the remaining
>> subsections are titled after the RFC 5280 revocation reasons.
>>
>> Finally, it's not very clear when the "unspecified (0)" reason must be
>> used because of section 4.9.1.1.8 (Other Circumstances) which doesn't point
>> to a revocation reason.
>>
>> From my perspective, I'm not sure if breaking down each subsection is
>> more helpful for reading the revocation requirements than the current
>> listing. I understand there is a desire to copy the MRSP language as much
>> as possible but perhaps we need to consider a less "intrusive" set of
>> changes to a section that CAs already have a difficult time reading and
>> implementing.
>>
>> IMO we either need to describe the revocation scenario and point to the
>> RFC 5280 revocation reason (closer to what the BRs have today), or start
>> with the RFC 5280 revocation reasons and enumerate the revocation scenarios
>> (closer to what MRSP has today). I find it confusing to mix the two
>> approaches.
>>
>>
>> Thanks,
>> Dimitris.
>>
>> On 12/9/2022 6:32 π.μ., Ben Wilson wrote:
>>
>> For review - here is another proposal that takes BR section 4.9.1.1 and
>> puts the 24-hour and 5-day revocation times into subsections that match the
>> CRL reason codes.
>>
>>
>>
>>
>> https://github.com/BenWilson-Mozilla/servercert/commit/b185a28fcc20d5853747e4506103823e3dc7c282
>>
>>
>>
>> Ben
>>
>>
>>
>> On Thu, Sep 8, 2022 at 12:05 PM Dimitris Zacharopoulos (HARICA) <
>> dzacharo at harica.gr> wrote:
>>
>> Good point.
>>
>> s/
>>
>>
>> *expected/shall use/*
>>
>> On 8/9/2022 8:26 μ.μ., Tim Hollebeek wrote:
>>
>> I would prefer standard 2119 language instead of an “expectation”. There
>> are no documented rules for what it means for a CRLReason to be expected to
>> be a certain value.
>>
>>
>>
>> -Tim
>>
>>
>>
>> *From:* Servercert-wg <servercert-wg-bounces at cabforum.org>
>> <servercert-wg-bounces at cabforum.org> *On Behalf Of *Dimitris
>> Zacharopoulos (HARICA) via Servercert-wg
>> *Sent:* Thursday, September 8, 2022 3:21 AM
>> *To:* Ben Wilson <bwilson at mozilla.com> <bwilson at mozilla.com>; CA/B Forum
>> Server Certificate WG Public Discussion List <servercert-wg at cabforum.org>
>> <servercert-wg at cabforum.org>
>> *Subject:* Re: [Servercert-wg] Proposal to Incorporate Mozilla's CRL
>> Revocation Reason Code Requirements into the BRs
>>
>>
>>
>>
>>
>> On 7/9/2022 8:22 μ.μ., Ben Wilson wrote:
>>
>> Good suggestion. I can re-work a proposal that re-writes BR sec. 4.9.1.1
>> to re-group the revocation reasons into the reason codes that should be
>> used. Is that what you were thinking?
>>
>>
>> Yes. We should also try to keep the current BRs prioritization. The
>> section begins with the cases where the Certificate(s) need to be revoked
>> within 24h and then moves to the 5-day revocation cases.
>>
>> We could walk this list down making sure that all Mozilla cases are
>> listed (add the ones that are not) and add the expected revocationReason
>> for each case. For example:
>>
>> *The CA SHALL revoke a Certificate within 24 hours if one or more of the
>> following occurs:*
>>
>> 1. *The Subscriber requests in writing that the CA revoke the
>> Certificate (expected CRLReason:unspecified);*
>> 2. *The Subscriber notifies the CA that the original certificate
>> request was not authorized and does not retroactively grant authorization
>> (expected CRLReason:privilegeWithdrawn);*
>> 3. *The CA obtains evidence that the Subscriber's Private Key
>> corresponding to the Public Key in the Certificate suffered a Key
>> Compromise (expected CRLReason:keyCompromise);*
>> 4. *The CA is made aware of a demonstrated or proven method that can
>> easily compute the Subscriber's Private Key based on the Public Key in the
>> Certificate (such as a Debian weak key, see *
>> *https://wiki.debian.org/SSLkeys* <https://wiki.debian.org/SSLkeys>*)
>> (expected CRLReason:keyCompromise);*
>> 5. *The CA obtains evidence that the validation of domain
>> authorization or control for any Fully-Qualified Domain Name or IP address
>> in the Certificate should not be relied upon (expected CRLReason:
>> superseded).*
>>
>> and so on.
>>
>> Does that work?
>>
>> Dimitris.
>>
>> Thanks,
>>
>> Ben
>>
>>
>>
>> On Wed, Sep 7, 2022 at 6:01 AM Dimitris Zacharopoulos (HARICA) via
>> Servercert-wg <servercert-wg at cabforum.org> wrote:
>>
>> Hi Ben,
>>
>> I believe the proposal, as written, causes confusion in regards to
>> 4.9.1.1. Some of the reasons described in your proposal are already
>> mentioned in 4.9.1.1. Perhaps we should work some more to "unify" the two
>> sections.
>>
>> My proposal would be to update 4.9.1.1 and include the expected CRLReason
>> after each case.
>>
>>
>> Thoughts?
>> Dimitris.
>>
>> On 6/9/2022 8:13 μ.μ., Ben Wilson via Servercert-wg wrote:
>>
>> All,
>>
>> I'm looking for one more endorser.
>>
>> Thanks,
>>
>> Ben
>>
>>
>>
>> On Fri, Jul 29, 2022 at 12:40 PM Ben Wilson via Servercert-wg <
>> servercert-wg at cabforum.org> wrote:
>>
>> All,
>>
>>
>>
>> I have created a proposal in Github to incorporate Mozilla's CRL
>> Revocation Reason Code requirements into the Baseline Requirements.
>>
>>
>>
>> See https://github.com/cabforum/servercert/issues/377
>>
>>
>>
>>
>> https://github.com/BenWilson-Mozilla/servercert/commit/52a480803beff1f96d61c4b6d76570ac7adff4d5
>>
>>
>>
>> I'm looking for comments, suggestions, and two endorsers.
>>
>>
>>
>> Thanks,
>>
>>
>>
>> Ben
>>
>> _______________________________________________
>> Servercert-wg mailing list
>> Servercert-wg at cabforum.org
>> https://lists.cabforum.org/mailman/listinfo/servercert-wg
>>
>>
>>
>> _______________________________________________
>>
>> Servercert-wg mailing list
>>
>> Servercert-wg at cabforum.org
>>
>> https://lists.cabforum.org/mailman/listinfo/servercert-wg
>>
>>
>>
>> _______________________________________________
>> Servercert-wg mailing list
>> Servercert-wg at cabforum.org
>> https://lists.cabforum.org/mailman/listinfo/servercert-wg
>>
>>
>>
>>
>>
>>
>>
>> _______________________________________________
>> Servercert-wg mailing list
>> Servercert-wg at cabforum.org
>> https://lists.cabforum.org/mailman/listinfo/servercert-wg
>>
>> _______________________________________________
> Servercert-wg mailing list
> Servercert-wg at cabforum.org
> https://lists.cabforum.org/mailman/listinfo/servercert-wg
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/servercert-wg/attachments/20221110/edb66862/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: CRL-Reason-Codes.docx
Type: application/vnd.openxmlformats-officedocument.wordprocessingml.document
Size: 24906 bytes
Desc: not available
URL: <http://lists.cabforum.org/pipermail/servercert-wg/attachments/20221110/edb66862/attachment-0001.docx>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: CRL-Reason-Codes.pdf
Type: application/pdf
Size: 76649 bytes
Desc: not available
URL: <http://lists.cabforum.org/pipermail/servercert-wg/attachments/20221110/edb66862/attachment-0001.pdf>
More information about the Servercert-wg
mailing list