[Servercert-wg] Discussion Period Begins: Ballot SC-061v3: New CRL Entries must have a Revocation Reason Code

Aaron Gable aaron at letsencrypt.org
Wed Feb 1 17:22:22 UTC 2023


Wonderful, thank you! I have no further comments.

Aaron

On Tue, Jan 31, 2023 at 4:08 PM Ben Wilson <bwilson at mozilla.com> wrote:

> Thanks, Aaron - the numbering change was unintentional, so I fixed that,
> and I made other changes as requested.  See
>
> https://github.com/BenWilson-Mozilla/servercert/commit/f1ed2357c6c9fe9bcedaec040582f872e0f519de
> Before I re-announce the discussion period, does anyone else have other
> changes that they would like to see?
> Thanks,
> Ben
>
> On Mon, Jan 30, 2023 at 9:58 AM Aaron Gable <aaron at letsencrypt.org> wrote:
>
>> The current redline appears to undo the recent renumbering of section
>> 4.9.1.1, causing it to have two different instances of paragraphs 1 through
>> 5. These were renumbered in Ballot SC-56 Cleanup[1]. Can we please preserve
>> the new numbering?
>>
>> Additional notes:
>> - In 4.1.1.1 (1), perhaps "without specifying a CRLReason", rather than
>> "without giving a reason"? A Subscriber might state "Please revoke this
>> because I accidentally deleted the keys", in which case they are giving a
>> reason, but the best revocation reason is still 0 (Unspecified). One might
>> believe that Superseded is applicable in this case, but that revocation
>> request does not necessarily indicate that the Subscriber has also replaced
>> the certificate.
>> - A very minor comment, but there's inconsistent phrasing between the
>> five revocation reasons in Section 7.2.2: the first begins "Indicates
>> that..." while the others begin "It is intended to be used...". Can we give
>> all five of these entries the same structure/phrasing?
>>
>> Aaron
>>
>> [1]
>> https://github.com/cabforum/servercert/pull/401/files#diff-e0ac1bd190515a4f2ec09139d395ef6a8c7e9e5b612957c1f5a2dea80c6a6cfeR1214-R1224
>>
>> On Thu, Jan 19, 2023 at 1:55 PM Ben Wilson via Servercert-wg <
>> servercert-wg at cabforum.org> wrote:
>>
>>> All,
>>>
>>> This is version 3 of Ballot SC-061. I've moved some of the language down
>>> into section 7.2.2, and I've added back in two paragraphs that have been in
>>> the original Mozilla Root Store Policy regarding changing the reason code
>>> and revocation date for key compromise.  I also changed the compliance date
>>> to July 15, 2023. (The compliance date for CAs in Mozilla's program was
>>> Oct. 1, 2022.)
>>>
>>> *Purpose of Ballot SC-061 v.3*
>>>
>>> The purpose of this ballot is to modify sections 4.9.1.1 and 7.2.2 of
>>> the Baseline Requirements to incorporate the CRL reason codes that Mozilla
>>> has adopted in section 6.1.1 of the Mozilla Root Store Policy.
>>>
>>> *Motion*
>>>
>>>
>>> The following motion has been proposed by Ben Wilson of Mozilla and
>>> endorsed by David Kluge of Google Trust Services and Kiran Tummala of
>>> Microsoft.
>>>
>>> *—–Motion Begins—–*
>>>
>>> This ballot modifies sections 4.9.1.1 and 7.2.2 of the “Baseline
>>> Requirements for the Issuance and Management of Publicly-Trusted
>>> Certificates” as defined in the following redline, based on Version 1.8.6:
>>>
>>>
>>> https://github.com/cabforum/servercert/compare/2c63814fa7f9f7c477c74a6bfbeb57e0fcc5dd5b..b1a3d9b491c9744a50a0e194678d76c639d6076b
>>>
>>>
>>>  *—–Motion Ends—–*
>>>
>>> This ballot proposes a Final Maintenance Guideline. The procedure for
>>> approval of this ballot is as follows:
>>>
>>> Discussion (7+ days)
>>>
>>> Start Time:  January 19, 2023 22:00 UTC
>>>
>>> End Time: January 26, 2023 22:00 UTC
>>>
>>>
>>>
>>> Vote for approval (7 days)
>>>
>>> Start Time:  January 26, 2023 TBD
>>>
>>> End Time: February 2, 2023 TBD
>>>
>>