[Servercert-wg] Discussion Period Begins: Ballot SC-061v3: New CRL Entries must have a Revocation Reason Code

Ben Wilson bwilson at mozilla.com
Wed Feb 1 18:01:23 UTC 2023


Thanks, Wendy.
Do others want to chime in on these points?
Ben

On Wed, Feb 1, 2023, 10:45 AM Wendy Brown - QT3LB-C <wendy.brown at gsa.gov>
wrote:

> Superseded for these 2 reasons doesn't seem appropriate unless you also
> add that a new certificate was issued or at least requested, as a
> replacement.
>
> 6. The Certificate no longer complies with the requirements of [Section
> 6.1.5](#615-key-sizes) and [Section
> 6.1.6](#616-public-key-parameters-generation-and-quality-checking)
> (CRLReason #4, superseded);
> and
> 12. The CA is made aware that the Certificate was not issued in accordance
> with these Requirements or the CA's Certificate Policy or Certification
> Practice Statement (CRLReason #4, superseded);
>
>
> The definition isn't clear that a new cert has been issued (or even
> requested) based on the highlighted text - was it supposed to say that the
> CA issued a replacement certificate because it has reasonable evidence
> ....? Or should it just have ended with a . before the ", or the CA has ..."
>
>   * **superseded (RFC 5280 CRLReason #4):** Indicates that the Certificate
> Subscriber has requested a new Certificate to replace an existing
> Certificate, or the CA has reasonable evidence that the validation of
> domain authorization or control for any fully‐qualified domain name or IP
> address in the Certificate should not be relied upon or the CA has revoked
> the Certificate for compliance reasons such as the Certificate does not
> comply with these Baseline Requirements or the CA's CP or CPS;
>
> Thanks,
>
> Wendy
>
>
> Wendy Brown
>
> Supporting GSA
>
> FPKIMA Technical Liaison
>
> Protiviti Government Services
> 703-965-2990 (cell)
>
>
> On Wed, Feb 1, 2023 at 12:22 PM Aaron Gable via Servercert-wg <
> servercert-wg at cabforum.org> wrote:
>
>> Wonderful, thank you! I have no further comments.
>>
>> Aaron
>>
>> On Tue, Jan 31, 2023 at 4:08 PM Ben Wilson <bwilson at mozilla.com> wrote:
>>
>>> Thanks, Aaron - the numbering change was unintentional, so I fixed that,
>>> and I made other changes as requested.  See
>>>
>>> https://github.com/BenWilson-Mozilla/servercert/commit/f1ed2357c6c9fe9bcedaec040582f872e0f519de
>>> <https://github.com/BenWilson-Mozilla/servercert/commit/f1ed2357c6c9fe9bcedaec040582f872e0f519de>
>>> Before I re-announce the discussion period, does anyone else have other
>>> changes that they would like to see?
>>> Thanks,
>>> Ben
>>>
>>> On Mon, Jan 30, 2023 at 9:58 AM Aaron Gable <aaron at letsencrypt.org>
>>> wrote:
>>>
>>>> The current redline appears to undo the recent renumbering of section
>>>> 4.9.1.1, causing it to have two different instances of paragraphs 1 through
>>>> 5. These were renumbered in Ballot SC-56 Cleanup[1]. Can we please preserve
>>>> the new numbering?
>>>>
>>>> Additional notes:
>>>> - In 4.1.1.1 (1), perhaps "without specifying a CRLReason", rather than
>>>> "without giving a reason"? A Subscriber might state "Please revoke this
>>>> because I accidentally deleted the keys", in which case they are giving a
>>>> reason, but the best revocation reason is still 0 (Unspecified). One might
>>>> believe that Superseded is applicable in this case, but that revocation
>>>> request does not necessarily indicate that the Subscriber has also replaced
>>>> the certificate.
>>>> - A very minor comment, but there's inconsistent phrasing between the
>>>> five revocation reasons in Section 7.2.2: the first begins "Indicates
>>>> that..." while the others begin "It is intended to be used...". Can we give
>>>> all five of these entries the same structure/phrasing?
>>>>
>>>> Aaron
>>>>
>>>> [1]
>>>> https://github.com/cabforum/servercert/pull/401/files#diff-e0ac1bd190515a4f2ec09139d395ef6a8c7e9e5b612957c1f5a2dea80c6a6cfeR1214-R1224
>>>>
>>>> On Thu, Jan 19, 2023 at 1:55 PM Ben Wilson via Servercert-wg <
>>>> servercert-wg at cabforum.org> wrote:
>>>>
>>>>> All,
>>>>>
>>>>> This is version 3 of Ballot SC-061. I've moved some of the language
>>>>> down into section 7.2.2, and I've added back in two paragraphs that have
>>>>> been in the original Mozilla Root Store Policy regarding changing the
>>>>> reason code and revocation date for key compromise.  I also changed the
>>>>> compliance date to July 15, 2023. (The compliance date for CAs in Mozilla's
>>>>> program was Oct. 1, 2022.)
>>>>>
>>>>> *Purpose of Ballot SC-061 v.3*
>>>>>
>>>>> The purpose of this ballot is to modify sections 4.9.1.1 and 7.2.2 of
>>>>> the Baseline Requirements to incorporate the CRL reason codes that Mozilla
>>>>> has adopted in section 6.1.1 of the Mozilla Root Store Policy.
>>>>>
>>>>> *Motion*
>>>>>
>>>>>
>>>>> The following motion has been proposed by Ben Wilson of Mozilla and
>>>>> endorsed by David Kluge of Google Trust Services and Kiran Tummala of
>>>>> Microsoft.
>>>>>
>>>>> *—–Motion Begins—–*
>>>>>
>>>>> This ballot modifies sections 4.9.1.1 and 7.2.2 of the “Baseline
>>>>> Requirements for the Issuance and Management of Publicly-Trusted
>>>>> Certificates” as defined in the following redline, based on Version 1.8.6:
>>>>>
>>>>>
>>>>> https://github.com/cabforum/servercert/compare/2c63814fa7f9f7c477c74a6bfbeb57e0fcc5dd5b..b1a3d9b491c9744a50a0e194678d76c639d6076b
>>>>>
>>>>>
>>>>>  *—–Motion Ends—–*
>>>>>
>>>>> This ballot proposes a Final Maintenance Guideline. The procedure for
>>>>> approval of this ballot is as follows:
>>>>>
>>>>> Discussion (7+ days)
>>>>>
>>>>> Start Time:  January 19, 2023 22:00 UTC
>>>>>
>>>>> End Time: January 26, 2023 22:00 UTC
>>>>>
>>>>>
>>>>>
>>>>> Vote for approval (7 days)
>>>>>
>>>>> Start Time:  January 26, 2023 TBD
>>>>>
>>>>> End Time: February 2, 2023 TBD
>>>>> _______________________________________________
>>>>> Servercert-wg mailing list
>>>>> Servercert-wg at cabforum.org
>>>>> https://lists.cabforum.org/mailman/listinfo/servercert-wg
>>>>>
>>>> _______________________________________________
>> Servercert-wg mailing list
>> Servercert-wg at cabforum.org
>> https://lists.cabforum.org/mailman/listinfo/servercert-wg
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/servercert-wg/attachments/20230201/fe4113b3/attachment.html>


More information about the Servercert-wg mailing list