[Servercert-wg] Proposal to Incorporate Mozilla's CRL Revocation Reason Code Requirements into the BRs

Dimitris Zacharopoulos (HARICA) dzacharo at harica.gr
Thu Jan 5 17:05:54 UTC 2023


Hi Ben,

I saw your comments with proposed language, and here are my thoughts, 
in-line:

On 4/1/2023 8:50 μ.μ., Ben Wilson wrote:
> Hi Dimitris,
>
> I have submitted two comments that I think need to be resolved.
>
> I think the first "1" should be written as:
>
> The Subscriber requests in writing, /*without giving a reason required 
> to be specified by this section 4.9.1.1,*/ that the CA revoke the ..."
>

I prefer your earlier comment 
<https://github.com/cabforum/servercert/pull/405/files#r1061778056> 
which says

"1. The Subscriber requests in writing, /*without giving a reason,*/ 
that the CA revoke the ..."

I believe this language is simpler as long as this option is available 
to Subscribers that just want to revoke a certificate and don't want to 
suggest a specific reason. I assume this is still allowed.


> Number 10 in the second list should be written as:
>
> "10. Revocation is required by the CA's Certificate Policy and/or 
> Certification Practice Statement /*for a reason that is not otherwise 
> required to be specified by this section 4.9.1.1*/ ..."

+1

If you are ok with the first option, I will update the PR.

Thanks!
Dimitris.

>
> Ben
>
> On Tue, Nov 22, 2022 at 1:12 AM Dimitris Zacharopoulos (HARICA) 
> <dzacharo at harica.gr> wrote:
>
>     I created https://github.com/cabforum/servercert/pull/405/files
>     which includes some elements from your proposal and MRSP language.
>
>     I also did a comparison of BRs section 4.9.1.1 revocation use
>     cases that are already mentioned in MRSP section 6.1.1 (attached).
>     There are only a few revocation use cases mentioned in MRSP that
>     are not explicitly described in 4.9.1.1 so we could try adding
>     those to 4.9.1.1 for full consistency.
>
>     This proposal:
>
>       * explains the expectations for each reasonCode
>       * preserves the existing 5 revocation use cases for 24h and the
>         11 cases for 5-day that CAs/auditors are already familiar
>         with, and adds an explicit reasonCode per MRSP.
>
>     This presentation format is already familiar to CAs, less
>     ambiguous, and IMO minimizes the risk of implementing incorrectly.
>
>
>     Thanks,
>     Dimitris.
>
>
>     On 17/11/2022 5:46 μ.μ., Ben Wilson wrote:
>>     Sounds good. Thanks, Dimitris.
>>     Ben
>>
>>     On Wed, Nov 16, 2022 at 11:23 PM Dimitris Zacharopoulos (HARICA)
>>     <dzacharo at harica.gr> wrote:
>>
>>
>>
>>         On 15/11/2022 6:11 μ.μ., Ben Wilson wrote:
>>>         That could simplify it, but Mozilla's CRL Reason Code rules
>>>         would still supersede that section.
>>
>>         I don't see it as "superseding" but differently "presented".
>>         Mozilla chose that particular presentation format without
>>         taking into consideration the time limits for revocation.
>>         MRSP
>>         <https://github.com/mozilla/pkipolicy/blob/master/rootstore/policy.md#611-end-entity-tls-certificate-crlrevocation-reasons>only
>>         mentions the reasons and expectations for using such reasons.
>>         The BRs are more explicit in the use cases and it's more
>>         important for the CA to know which cases must be revoked
>>         within 24 hours and which ones must be revoked within 5 days.
>>         It's a better "starting point" for CAs, and that's that they
>>         are used to follow.
>>
>>         I believe we can successfully update 4.9.1.1 to aligned with
>>         MRSP section 6.1 without changing the current presentation
>>         format of revocation use cases in the BRs. If you are open to
>>         the idea, I can work with you on a more concrete proposal and
>>         see how it looks.
>>
>>
>>         Thanks,
>>         Dimitris.
>>
>>>
>>>         On Tue, Nov 15, 2022 at 2:22 AM Dimitris Zacharopoulos
>>>         (HARICA) via Servercert-wg <servercert-wg at cabforum.org> wrote:
>>>
>>>             On 15/11/2022 1:02 π.μ., Ben Wilson via Servercert-wg wrote:
>>>>             Thanks.
>>>>
>>>>             Any additional thoughts, recommendations, etc.?
>>>
>>>             Hi Ben,
>>>
>>>             I assume that the use cases described within the
>>>             parenthesis under 4.9.1.1 are "examples" which means
>>>             that the "i.e." should be replaced with "e.g.".
>>>
>>>             I am not very much in favor of the breakown of
>>>             subsections for each revocation reasonCode which repeats
>>>             the language "SHOULD revoke within 24 hours and SHALL
>>>             revoke within 5 days" in various cases, and gets
>>>             especially confusing when the Subscriber requests in
>>>             writing, which can apply to several reasonCodes.
>>>
>>>             The previous attempt keeping the existing structure that
>>>             CAs/Auditors are already familiar with, seems like a
>>>             better approach. That's because CAs already have
>>>             controls in place to handle "specific revocation use
>>>             cases" as they are listed in the current sections
>>>             4.9.1.1 and 4.9.1.2. All we need to do now is map those
>>>             known cases to a specific RFC5280 reasonCode.
>>>
>>>             If additional revocation use cases have been documented
>>>             in MRSP, we can add those in 4.9.1.1/2
>>>             <http://4.9.1.1/2> as needed.
>>>
>>>             What do others think? Should we try to minimize the
>>>             changes to 4.9.1.1 and 4.9.1.2 or do a complete
>>>             restructuring?
>>>
>>>
>>>             Thanks,
>>>             Dimitris.
>>>
>>>
>>>>
>>>>             Ben
>>>>
>>>>             On Thu, Nov 10, 2022 at 11:33 PM Roman Fischer via
>>>>             Servercert-wg <servercert-wg at cabforum.org> wrote:
>>>>
>>>>                 Dear Ben,
>>>>
>>>>                 Thanks for your effort to make it better
>>>>                 understandable. Even for me as a non-native speaker
>>>>                 it’s now much clearer when to use which reasonCode
>>>>                 (but it’s still very complex!).
>>>>
>>>>                 Could the section
>>>>
>>>>                 ** The privilegeWithdrawn reasonCode does not need
>>>>                 to be made available to the Subscriber as a
>>>>                 revocation reason option, because the use of this
>>>>                 reasonCode is determined by the CA and not the
>>>>                 Subscriber.
>>>>
>>>>                 be reformulated to use one of the RFC 2119 terms?
>>>>                 Maybe your intention was “SHALL NOT be made available”?
>>>>
>>>>                 Kind regards
>>>>                 Roman Fischer, SwissSign
>>>>
>>>>                 *From:*Servercert-wg
>>>>                 <servercert-wg-bounces at cabforum.org> *On Behalf Of
>>>>                 *Ben Wilson via Servercert-wg
>>>>                 *Sent:* Freitag, 11. November 2022 00:53
>>>>                 *To:* CA/B Forum Server Certificate WG Public
>>>>                 Discussion List <servercert-wg at cabforum.org>
>>>>                 *Subject:* Re: [Servercert-wg] Proposal to
>>>>                 Incorporate Mozilla's CRL Revocation Reason Code
>>>>                 Requirements into the BRs
>>>>
>>>>                 All,
>>>>
>>>>                 Here is another iteration of a proposal to
>>>>                 incorporate Mozilla's CRL reason code requirements
>>>>                 into the Baseline Requirements.
>>>>
>>>>                 I am open to your suggestions and recommendations
>>>>                 on how to make this better.
>>>>
>>>>                 I'll put another draft in GitHub again after I
>>>>                 receive feedback.
>>>>
>>>>                 Thanks,
>>>>
>>>>                 Ben
>>>>
>>>>                 On Tue, Sep 20, 2022 at 10:16 PM Ben Wilson via
>>>>                 Servercert-wg <servercert-wg at cabforum.org> wrote:
>>>>
>>>>                     Hi Corey,
>>>>
>>>>                     See responses below.
>>>>
>>>>                     On Wed, Sep 14, 2022 at 11:38 AM Corey Bonnell
>>>>                     <Corey.Bonnell at digicert.com> wrote:
>>>>
>>>>                         Hi Ben,
>>>>
>>>>                         It appears the ballot text has potential
>>>>                         divergences from the published MRSP:
>>>>
>>>>                         1. This ballot prohibits other CRLReasons
>>>>                         from appearing in CRLs. This is
>>>>                         meaningfully different from MRSP, where the
>>>>                         new requirements are applicable solely to
>>>>                         revocations that occur on or after the
>>>>                         effective date.
>>>>
>>>>                      I think this can be fixed with some language
>>>>                     changes.
>>>>
>>>>                         2. There is no requirement to document
>>>>                         reason codes in the Subscriber Agreement,
>>>>                         whereas there is in MRSP. Is this change
>>>>                         intentional?
>>>>
>>>>                     Not exactly an intentional elimination of the
>>>>                     requirement, but I can make the ballot
>>>>                     consistent with the MRSP with some language
>>>>                     changes as well. My idea was to suggest that
>>>>                     CAs could incorporate the necessary information
>>>>                     "by reference" so that the CRL reason code
>>>>                     explanations wouldn't have to appear fully in
>>>>                     Subscriber Agreements or Terms of Use.
>>>>
>>>>                         3. Regarding 24-hour revocation reason #5:
>>>>                         it appears that privilegeWithdrawn is now
>>>>                         allowed. According to MRSP, only superseded
>>>>                         is appropriate for this case.
>>>>
>>>>                     For consistency, I'll change this to superseded
>>>>                     only.
>>>>
>>>>                         4. Regarding 5-day revocation reason #9:
>>>>                         this is not a scenario listed in MRSP. In
>>>>                         other words, this revocation scenario must
>>>>                         be denoted as “unspecified” as the
>>>>                         CRLReason under MRSP. Therefore, it is not
>>>>                         possible to satisfy both the proposed BR
>>>>                         text and MRSP.
>>>>
>>>>                     That's probably the approach to take - thanks. 
>>>>                     Another possibility is to move this revocation
>>>>                     reason down to 4.9.1.2 - CAs should revoke the
>>>>                     intermediate CA certificate(s) rather than all
>>>>                     end entity certificates.
>>>>
>>>>                         5. Regarding 5-day revocation reason #10:
>>>>                         this appears to be like scenario #7, but it
>>>>                         is different in that revocation may be
>>>>                         required even if there’s no violation of
>>>>                         the CP/CPS. I don’t think this scenario is
>>>>                         enumerated in MRSP, so it is not possible
>>>>                         to specify a reason code that satisfies
>>>>                         both MRSP and this ballot for this scenario.
>>>>
>>>>                     Kathleen and I think that this reason is in the
>>>>                     MRSP under the section for the superseded
>>>>                     CRLReason -  "the CA operator has revoked the
>>>>                     certificate for compliance reasons such as the
>>>>                     certificate does not comply with this policy,
>>>>                     the CA/Browser Forum's Baseline Requirements,
>>>>                     or the CA operator’s CP or CPS".
>>>>
>>>>                         More generally, the Defined Term
>>>>                         “Certificate” should be used throughout the
>>>>                         ballot for consistency.
>>>>
>>>>                     Agreed. Thanks.
>>>>
>>>>                         Thanks,
>>>>
>>>>                         Corey
>>>>
>>>>                     Thanks,
>>>>
>>>>                     Ben
>>>>
>>>>                         *From:*Servercert-wg
>>>>                         <servercert-wg-bounces at cabforum.org> *On
>>>>                         Behalf Of *Ben Wilson via Servercert-wg
>>>>                         *Sent:* Tuesday, September 13, 2022 11:37 PM
>>>>                         *To:* Ben Wilson <bwilson at mozilla.com>;
>>>>                         CA/B Forum Server Certificate WG Public
>>>>                         Discussion List <servercert-wg at cabforum.org>
>>>>                         *Subject:* Re: [Servercert-wg] Proposal to
>>>>                         Incorporate Mozilla's CRL Revocation Reason
>>>>                         Code Requirements into the BRs
>>>>
>>>>                         Here is the most current comparison:
>>>>
>>>>                         https://github.com/cabforum/servercert/compare/bbca71465ed8a8a76383086039f52c750009286a..1699612e5157423f607d67cc8ab9dc3a1d52b318
>>>>                         <https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fcabforum%2Fservercert%2Fcompare%2Fbbca71465ed8a8a76383086039f52c750009286a..1699612e5157423f607d67cc8ab9dc3a1d52b318&data=05%7C01%7Croman.fischer%40swisssign.com%7Ce95c13967f6d4cffa0db08dac376a9d2%7C21322582607f404c82d950ddb1eca5c9%7C1%7C0%7C638037211688809839%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=6U2qShXXY%2FWlUn2vWCqq0YB8yQAQxEiQXejzc6pCawE%3D&reserved=0>
>>>>
>>>>                         Ben
>>>>
>>>>                         On Mon, Sep 12, 2022 at 11:00 AM Ben Wilson
>>>>                         <bwilson at mozilla.com> wrote:
>>>>
>>>>                             Here is another edit that tries to make
>>>>                             minimal changes to BR section 4.9.1.1.
>>>>
>>>>
>>>>                             <http://goog_144053405>
>>>>
>>>>                             https://github.com/BenWilson-Mozilla/servercert/commit/94a07d08855cf489a2bdddff7d8a9490969d5d06
>>>>                             <https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2FBenWilson-Mozilla%2Fservercert%2Fcommit%2F94a07d08855cf489a2bdddff7d8a9490969d5d06&data=05%7C01%7Croman.fischer%40swisssign.com%7Ce95c13967f6d4cffa0db08dac376a9d2%7C21322582607f404c82d950ddb1eca5c9%7C1%7C0%7C638037211688809839%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=h0d4CsixQeyG7GMzM2nqO3ScDRRM1EomVg%2BuwI3lBIc%3D&reserved=0>
>>>>
>>>>                             Ben
>>>>
>>>>                             On Mon, Sep 12, 2022 at 9:51 AM Ben
>>>>                             Wilson via Servercert-wg
>>>>                             <servercert-wg at cabforum.org> wrote:
>>>>
>>>>                                 Thanks, Dimitris. I'll work on that
>>>>                                 approach and get something back to
>>>>                                 you soon.
>>>>
>>>>                                 Ben
>>>>
>>>>                                 On Mon, Sep 12, 2022 at 2:56 AM
>>>>                                 Dimitris Zacharopoulos (HARICA)
>>>>                                 <dzacharo at harica.gr> wrote:
>>>>
>>>>                                     Hi Ben,
>>>>
>>>>                                     After a quick reading, I
>>>>                                     noticed that the subsections
>>>>                                     are not symmetrical and a bit
>>>>                                     inconsistent. For example, some
>>>>                                     of them contain the statement
>>>>                                     "the CA SHOULD revoke a
>>>>                                     certificate within 24 hours and
>>>>                                     MUST revoke a Certificate
>>>>                                     within 5 days", some do not.
>>>>
>>>>                                     Other examples:
>>>>
>>>>                                       * 4.9.1.1.1, is labeled
>>>>                                         "Subscriber-Requested
>>>>                                         Revocation", however there
>>>>                                         are other subsections that
>>>>                                         are also
>>>>                                         "Subscriber-Requested".
>>>>                                         This separation seems
>>>>                                         confusing.
>>>>                                       * 4.9.1.1.4 is about
>>>>                                         unreliable validation but
>>>>                                         most of the remaining
>>>>                                         subsections are titled
>>>>                                         after the RFC 5280
>>>>                                         revocation reasons.
>>>>
>>>>                                     Finally, it's not very clear
>>>>                                     when the "unspecified (0)"
>>>>                                     reason must be used because of
>>>>                                     section 4.9.1.1.8 (Other
>>>>                                     Circumstances) which doesn't
>>>>                                     point to a revocation reason.
>>>>
>>>>                                     >From my perspective, I'm not
>>>>                                     sure if breaking down each
>>>>                                     subsection is more helpful for
>>>>                                     reading the revocation
>>>>                                     requirements than the current
>>>>                                     listing. I understand there is
>>>>                                     a desire to copy the MRSP
>>>>                                     language as much as possible
>>>>                                     but perhaps we need to consider
>>>>                                     a less "intrusive" set of
>>>>                                     changes to a section that CAs
>>>>                                     already have a difficult time
>>>>                                     reading and implementing.
>>>>
>>>>                                     IMO we either need to describe
>>>>                                     the revocation scenario and
>>>>                                     point to the RFC 5280
>>>>                                     revocation reason (closer to
>>>>                                     what the BRs have today), or
>>>>                                     start with the RFC 5280
>>>>                                     revocation reasons and
>>>>                                     enumerate the revocation
>>>>                                     scenarios (closer to what MRSP
>>>>                                     has today). I find it confusing
>>>>                                     to mix the two approaches.
>>>>
>>>>
>>>>                                     Thanks,
>>>>                                     Dimitris.
>>>>
>>>>                                     On 12/9/2022 6:32 π.μ., Ben
>>>>                                     Wilson wrote:
>>>>
>>>>                                         For review - here is
>>>>                                         another proposal that takes
>>>>                                         BR section 4.9.1.1 and puts
>>>>                                         the 24-hour and 5-day
>>>>                                         revocation times into
>>>>                                         subsections that match the
>>>>                                         CRL reason codes.
>>>>
>>>>                                         https://github.com/BenWilson-Mozilla/servercert/commit/b185a28fcc20d5853747e4506103823e3dc7c282
>>>>                                         <https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2FBenWilson-Mozilla%2Fservercert%2Fcommit%2Fb185a28fcc20d5853747e4506103823e3dc7c282&data=05%7C01%7Croman.fischer%40swisssign.com%7Ce95c13967f6d4cffa0db08dac376a9d2%7C21322582607f404c82d950ddb1eca5c9%7C1%7C0%7C638037211688809839%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=opmFVkFFcOqc3DWpy%2BwP%2B79ihMxBOPnZE34AGDSKjWY%3D&reserved=0>
>>>>
>>>>                                         Ben
>>>>
>>>>                                         On Thu, Sep 8, 2022 at
>>>>                                         12:05 PM Dimitris
>>>>                                         Zacharopoulos (HARICA)
>>>>                                         <dzacharo at harica.gr> wrote:
>>>>
>>>>                                             Good point.
>>>>
>>>>                                             s//expected/shall use/
>>>>
>>>>                                             /
>>>>
>>>>                                             On 8/9/2022 8:26 μ.μ.,
>>>>                                             Tim Hollebeek wrote:
>>>>
>>>>                                                 I would prefer
>>>>                                                 standard 2119
>>>>                                                 language instead of
>>>>                                                 an “expectation”. 
>>>>                                                 There are no
>>>>                                                 documented rules
>>>>                                                 for what it means
>>>>                                                 for a CRLReason to
>>>>                                                 be expected to be a
>>>>                                                 certain value.
>>>>
>>>>                                                 -Tim
>>>>
>>>>                                                 *From:*Servercert-wg
>>>>                                                 <servercert-wg-bounces at cabforum.org>
>>>>                                                 <mailto:servercert-wg-bounces at cabforum.org>
>>>>                                                 *On Behalf Of
>>>>                                                 *Dimitris
>>>>                                                 Zacharopoulos
>>>>                                                 (HARICA) via
>>>>                                                 Servercert-wg
>>>>                                                 *Sent:* Thursday,
>>>>                                                 September 8, 2022
>>>>                                                 3:21 AM
>>>>                                                 *To:* Ben Wilson
>>>>                                                 <bwilson at mozilla.com>
>>>>                                                 <mailto:bwilson at mozilla.com>;
>>>>                                                 CA/B Forum Server
>>>>                                                 Certificate WG
>>>>                                                 Public Discussion
>>>>                                                 List
>>>>                                                 <servercert-wg at cabforum.org>
>>>>                                                 <mailto:servercert-wg at cabforum.org>
>>>>                                                 *Subject:* Re:
>>>>                                                 [Servercert-wg]
>>>>                                                 Proposal to
>>>>                                                 Incorporate
>>>>                                                 Mozilla's CRL
>>>>                                                 Revocation Reason
>>>>                                                 Code Requirements
>>>>                                                 into the BRs
>>>>
>>>>                                                 On 7/9/2022 8:22
>>>>                                                 μ.μ., Ben Wilson wrote:
>>>>
>>>>                                                     Good
>>>>                                                     suggestion. I
>>>>                                                     can re-work a
>>>>                                                     proposal that
>>>>                                                     re-writes BR
>>>>                                                     sec. 4.9.1.1 to
>>>>                                                     re-group the
>>>>                                                     revocation
>>>>                                                     reasons into
>>>>                                                     the reason
>>>>                                                     codes that
>>>>                                                     should be used.
>>>>                                                     Is that what
>>>>                                                     you were thinking?
>>>>
>>>>
>>>>                                                 Yes. We should also
>>>>                                                 try to keep the
>>>>                                                 current BRs
>>>>                                                 prioritization. The
>>>>                                                 section begins with
>>>>                                                 the cases where the
>>>>                                                 Certificate(s) need
>>>>                                                 to be revoked
>>>>                                                 within 24h and then
>>>>                                                 moves to the 5-day
>>>>                                                 revocation cases.
>>>>
>>>>                                                 We could walk this
>>>>                                                 list down making
>>>>                                                 sure that all
>>>>                                                 Mozilla cases are
>>>>                                                 listed (add the
>>>>                                                 ones that are not)
>>>>                                                 and add the
>>>>                                                 expected
>>>>                                                 revocationReason
>>>>                                                 for each case. For
>>>>                                                 example:
>>>>
>>>>                                                 /The CA SHALL
>>>>                                                 revoke a
>>>>                                                 Certificate within
>>>>                                                 24 hours if one or
>>>>                                                 more of the
>>>>                                                 following occurs:/
>>>>
>>>>                                                  1. /The Subscriber
>>>>                                                     requests in
>>>>                                                     writing that
>>>>                                                     the CA revoke
>>>>                                                     the Certificate
>>>>                                                     (expected
>>>>                                                     CRLReason:*unspecified*);/
>>>>                                                  2. /The Subscriber
>>>>                                                     notifies the CA
>>>>                                                     that the
>>>>                                                     original
>>>>                                                     certificate
>>>>                                                     request was not
>>>>                                                     authorized and
>>>>                                                     does not
>>>>                                                     retroactively
>>>>                                                     grant
>>>>                                                     authorization
>>>>                                                     (expected
>>>>                                                     CRLReason:/*/privilegeWithdrawn/*/);/
>>>>                                                  3. /The CA obtains
>>>>                                                     evidence that
>>>>                                                     the
>>>>                                                     Subscriber's
>>>>                                                     Private Key
>>>>                                                     corresponding
>>>>                                                     to the Public
>>>>                                                     Key in the
>>>>                                                     Certificate
>>>>                                                     suffered a Key
>>>>                                                     Compromise
>>>>                                                     (expected
>>>>                                                     CRLReason:*keyCompromise*);/
>>>>                                                  4. /The CA is made
>>>>                                                     aware of a
>>>>                                                     demonstrated or
>>>>                                                     proven method
>>>>                                                     that can easily
>>>>                                                     compute the
>>>>                                                     Subscriber's
>>>>                                                     Private Key
>>>>                                                     based on the
>>>>                                                     Public Key in
>>>>                                                     the Certificate
>>>>                                                     (such as a
>>>>                                                     Debian weak
>>>>                                                     key, see
>>>>                                                     //https://wiki.debian.org/SSLkeys/
>>>>                                                     <https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwiki.debian.org%2FSSLkeys&data=05%7C01%7Croman.fischer%40swisssign.com%7Ce95c13967f6d4cffa0db08dac376a9d2%7C21322582607f404c82d950ddb1eca5c9%7C1%7C0%7C638037211688809839%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=%2FV7HivQUf9v8s2xTxi1rVgVbg7XfH9TtU4RjlKL0T6c%3D&reserved=0>/)
>>>>                                                     (expected
>>>>                                                     CRLReason:*keyCompromise*);/
>>>>                                                  5. /The CA obtains
>>>>                                                     evidence that
>>>>                                                     the validation
>>>>                                                     of domain
>>>>                                                     authorization
>>>>                                                     or control for
>>>>                                                     any
>>>>                                                     Fully-Qualified
>>>>                                                     Domain Name or
>>>>                                                     IP address in
>>>>                                                     the Certificate
>>>>                                                     should not be
>>>>                                                     relied upon
>>>>                                                     (expected
>>>>                                                     CRLReason:
>>>>                                                     /*/superseded/*/)./
>>>>
>>>>                                                 and so on.
>>>>
>>>>                                                 Does that work?
>>>>
>>>>                                                 Dimitris.
>>>>
>>>>                                                     Thanks,
>>>>
>>>>                                                     Ben
>>>>
>>>>                                                     On Wed, Sep 7,
>>>>                                                     2022 at 6:01 AM
>>>>                                                     Dimitris
>>>>                                                     Zacharopoulos
>>>>                                                     (HARICA) via
>>>>                                                     Servercert-wg
>>>>                                                     <servercert-wg at cabforum.org>
>>>>                                                     wrote:
>>>>
>>>>                                                         Hi Ben,
>>>>
>>>>                                                         I believe
>>>>                                                         the
>>>>                                                         proposal,
>>>>                                                         as written,
>>>>                                                         causes
>>>>                                                         confusion
>>>>                                                         in regards
>>>>                                                         to 4.9.1.1.
>>>>                                                         Some of the
>>>>                                                         reasons
>>>>                                                         described
>>>>                                                         in your
>>>>                                                         proposal
>>>>                                                         are already
>>>>                                                         mentioned
>>>>                                                         in 4.9.1.1.
>>>>                                                         Perhaps we
>>>>                                                         should work
>>>>                                                         some more
>>>>                                                         to "unify"
>>>>                                                         the two
>>>>                                                         sections.
>>>>
>>>>                                                         My proposal
>>>>                                                         would be to
>>>>                                                         update
>>>>                                                         4.9.1.1 and
>>>>                                                         include the
>>>>                                                         expected
>>>>                                                         CRLReason
>>>>                                                         after each
>>>>                                                         case.
>>>>
>>>>
>>>>                                                         Thoughts?
>>>>                                                         Dimitris.
>>>>
>>>>                                                         On 6/9/2022
>>>>                                                         8:13 μ.μ.,
>>>>                                                         Ben Wilson
>>>>                                                         via
>>>>                                                         Servercert-wg
>>>>                                                         wrote:
>>>>
>>>>                                                             All,
>>>>
>>>>                                                             I'm
>>>>                                                             looking
>>>>                                                             for one
>>>>                                                             more
>>>>                                                             endorser.
>>>>
>>>>                                                             Thanks,
>>>>
>>>>                                                             Ben
>>>>
>>>>                                                             On Fri,
>>>>                                                             Jul 29,
>>>>                                                             2022 at
>>>>                                                             12:40
>>>>                                                             PM Ben
>>>>                                                             Wilson
>>>>                                                             via
>>>>                                                             Servercert-wg
>>>>                                                             <servercert-wg at cabforum.org>
>>>>                                                             wrote:
>>>>
>>>>                                                                 All,
>>>>
>>>>                                                                 I
>>>>                                                                 have
>>>>                                                                 created
>>>>                                                                 a
>>>>                                                                 proposal
>>>>                                                                 in
>>>>                                                                 Github
>>>>                                                                 to
>>>>                                                                 incorporate
>>>>                                                                 Mozilla's
>>>>                                                                 CRL
>>>>                                                                 Revocation
>>>>                                                                 Reason
>>>>                                                                 Code
>>>>                                                                 requirements
>>>>                                                                 into
>>>>                                                                 the
>>>>                                                                 Baseline
>>>>                                                                 Requirements.
>>>>
>>>>
>>>>                                                                 See
>>>>                                                                 https://github.com/cabforum/servercert/issues/377
>>>>                                                                 <https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fcabforum%2Fservercert%2Fissues%2F377&data=05%7C01%7Croman.fischer%40swisssign.com%7Ce95c13967f6d4cffa0db08dac376a9d2%7C21322582607f404c82d950ddb1eca5c9%7C1%7C0%7C638037211688809839%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=D4KPoI9FuCxKdr9yp378P8kEzjJq9wX%2FUEj%2F0SDufv4%3D&reserved=0>
>>>>
>>>>                                                                 https://github.com/BenWilson-Mozilla/servercert/commit/52a480803beff1f96d61c4b6d76570ac7adff4d5
>>>>                                                                 <https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2FBenWilson-Mozilla%2Fservercert%2Fcommit%2F52a480803beff1f96d61c4b6d76570ac7adff4d5&data=05%7C01%7Croman.fischer%40swisssign.com%7Ce95c13967f6d4cffa0db08dac376a9d2%7C21322582607f404c82d950ddb1eca5c9%7C1%7C0%7C638037211688809839%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=LOfjUsptzgpQxI1k6K8oUgU0aj2LDncd48ZzuXe86Hs%3D&reserved=0>
>>>>
>>>>                                                                 I'm
>>>>                                                                 looking
>>>>                                                                 for
>>>>                                                                 comments,
>>>>                                                                 suggestions,
>>>>                                                                 and
>>>>                                                                 two
>>>>                                                                 endorsers.
>>>>
>>>>                                                                 Thanks,
>>>>
>>>>                                                                 Ben
>>>>
>>>>                                                                 _______________________________________________
>>>>                                                                 Servercert-wg
>>>>                                                                 mailing
>>>>                                                                 list
>>>>                                                                 Servercert-wg at cabforum.org
>>>>                                                                 https://lists.cabforum.org/mailman/listinfo/servercert-wg
>>>>                                                                 <https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.cabforum.org%2Fmailman%2Flistinfo%2Fservercert-wg&data=05%7C01%7Croman.fischer%40swisssign.com%7Ce95c13967f6d4cffa0db08dac376a9d2%7C21322582607f404c82d950ddb1eca5c9%7C1%7C0%7C638037211688809839%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=iis%2B0QIl3jXlnwoZxV15jIUE%2FGB%2FtJyHdECcBBoSrcQ%3D&reserved=0>
>>>>
>>>>                                                             _______________________________________________
>>>>
>>>>                                                             Servercert-wg
>>>>                                                             mailing
>>>>                                                             list
>>>>
>>>>                                                             Servercert-wg at cabforum.org
>>>>
>>>>                                                             https://lists.cabforum.org/mailman/listinfo/servercert-wg
>>>>                                                             <https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.cabforum.org%2Fmailman%2Flistinfo%2Fservercert-wg&data=05%7C01%7Croman.fischer%40swisssign.com%7Ce95c13967f6d4cffa0db08dac376a9d2%7C21322582607f404c82d950ddb1eca5c9%7C1%7C0%7C638037211688809839%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=iis%2B0QIl3jXlnwoZxV15jIUE%2FGB%2FtJyHdECcBBoSrcQ%3D&reserved=0>
>>>>
>>>>                                                         _______________________________________________
>>>>                                                         Servercert-wg
>>>>                                                         mailing list
>>>>                                                         Servercert-wg at cabforum.org
>>>>                                                         https://lists.cabforum.org/mailman/listinfo/servercert-wg
>>>>                                                         <https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.cabforum.org%2Fmailman%2Flistinfo%2Fservercert-wg&data=05%7C01%7Croman.fischer%40swisssign.com%7Ce95c13967f6d4cffa0db08dac376a9d2%7C21322582607f404c82d950ddb1eca5c9%7C1%7C0%7C638037211688809839%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=iis%2B0QIl3jXlnwoZxV15jIUE%2FGB%2FtJyHdECcBBoSrcQ%3D&reserved=0>
>>>>
>>>>                                 _______________________________________________
>>>>                                 Servercert-wg mailing list
>>>>                                 Servercert-wg at cabforum.org
>>>>                                 https://lists.cabforum.org/mailman/listinfo/servercert-wg
>>>>                                 <https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.cabforum.org%2Fmailman%2Flistinfo%2Fservercert-wg&data=05%7C01%7Croman.fischer%40swisssign.com%7Ce95c13967f6d4cffa0db08dac376a9d2%7C21322582607f404c82d950ddb1eca5c9%7C1%7C0%7C638037211688809839%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=iis%2B0QIl3jXlnwoZxV15jIUE%2FGB%2FtJyHdECcBBoSrcQ%3D&reserved=0>
>>>>
>>>>                     _______________________________________________
>>>>                     Servercert-wg mailing list
>>>>                     Servercert-wg at cabforum.org
>>>>                     https://lists.cabforum.org/mailman/listinfo/servercert-wg
>>>>                     <https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.cabforum.org%2Fmailman%2Flistinfo%2Fservercert-wg&data=05%7C01%7Croman.fischer%40swisssign.com%7Ce95c13967f6d4cffa0db08dac376a9d2%7C21322582607f404c82d950ddb1eca5c9%7C1%7C0%7C638037211688965625%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=rOfjT8%2B0oEL1XaQtLBTQ5EQOkSK3lJR0AbU1lVyZF68%3D&reserved=0>
>>>>
>>>>                 _______________________________________________
>>>>                 Servercert-wg mailing list
>>>>                 Servercert-wg at cabforum.org
>>>>                 https://lists.cabforum.org/mailman/listinfo/servercert-wg
>>>>
>>>>
>>>>             _______________________________________________
>>>>             Servercert-wg mailing list
>>>>             Servercert-wg at cabforum.org
>>>>             https://lists.cabforum.org/mailman/listinfo/servercert-wg
>>>
>>>             _______________________________________________
>>>             Servercert-wg mailing list
>>>             Servercert-wg at cabforum.org
>>>             https://lists.cabforum.org/mailman/listinfo/servercert-wg
>>>
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/servercert-wg/attachments/20230105/654be93d/attachment-0001.html>


More information about the Servercert-wg mailing list