[Servercert-wg] [EXTERNAL] Discussion Period Begins: Ballot SC-061: New CRL Entries must have a Revocation Reason Code

Ben Wilson bwilson at mozilla.com
Wed Jan 18 22:46:16 UTC 2023


Hi Bruce,
I'll move a lot of the text into section 7.2.2 as you suggest and keep the
references in section 4.9.1.1 to the reason codes to use (e.g. .  Then I'll
point people from section 4.9.1.1 to section 7.2.2. For instance, #2. under
section 4.9.1.1 would still read "The Subscriber notifies the CA that the
original certificate request was not authorized and does not retroactively
grant authorization (CRLReason #9, privilegeWithdrawn)," but the extra text
would be moved to section 7.2.2.  Does that make sense?
Thanks,
Ben

On Wed, Jan 18, 2023 at 2:41 PM Bruce Morton <Bruce.Morton at entrust.com>
wrote:

> Hi Ben,
>
>
>
> The reference should work as it will tie the CRL extension section to the
> revocation reason section; however, it would still seem odd that one
> section prohibits 2 reason codes and another section approves reason codes.
> It would seem to be better form to state all the CRL extension requirements
> in the CRL extension section.
>
>
>
> Bruce.
>
>
>
> *From:* Ben Wilson <bwilson at mozilla.com>
> *Sent:* Tuesday, January 17, 2023 3:48 PM
> *To:* Bruce Morton <Bruce.Morton at entrust.com>
> *Cc:* CA/B Forum Server Certificate WG Public Discussion List <
> servercert-wg at cabforum.org>
> *Subject:* Re: [EXTERNAL] [Servercert-wg] Discussion Period Begins:
> Ballot SC-061: New CRL Entries must have a Revocation Reason Code
>
>
>
> Hi Bruce,
>
>
>
> What if this line from section 7.2.2 were modified "If a `reasonCode`
> CRL entry extension is present, the `CRLReason` MUST indicate the most
> appropriate reason for revocation of the certificate, as defined by the CA
> within its CP/CPS."?
>
>
>
> It could say, "*For Subscriber Certificates, *if a `reasonCode` CRL entry
> extension is present, the `CRLReason` MUST indicate the most appropriate
> reason for revocation of the certificate, as *set forth in section
> 4.9.1.1* defined by the CA within its CP/CPS."?
>
>
>
> Ben
>
>
>
> On Mon, Jan 16, 2023 at 9:16 AM Bruce Morton <Bruce.Morton at entrust.com>
> wrote:
>
> Hi Ben,
>
>
>
> I think it would be best if the text regarding “Only the following
> CRLReasons MAY be present in the CRL `reasonCode` extension” be in section
> “7.2.2 CRL and CRL entry extensions”. This is the section which I would
> check and already discusses reasonCodes and prohibits reasons 0 and 6.
>
>
>
>
>
> Thanks, Bruce.
>
>
>
> *From:* Servercert-wg <servercert-wg-bounces at cabforum.org> *On Behalf Of *Ben
> Wilson via Servercert-wg
> *Sent:* Friday, January 13, 2023 12:02 PM
> *To:* CA/B Forum Server Certificate WG Public Discussion List <
> servercert-wg at cabforum.org>
> *Subject:* [EXTERNAL] [Servercert-wg] Discussion Period Begins: Ballot
> SC-061: New CRL Entries must have a Revocation Reason Code
>
>
>
>
> Resending:
>
>
>
> *Purpose of Ballot SC-061*
>
> The purpose of this ballot is to modify section 4.9.1.1 of the Baseline
> Requirements to incorporate the CRL reason codes that Mozilla has adopted
> in section 6.1.1. of its root store policy.
>
>
>
> *Motion*
>
> The following motion has been proposed by Ben Wilson of Mozilla and
> endorsed by David Kluge of Google Trust Services and Kiran Tummala of
> Microsoft.
>
> *—–Motion Begins—–*
>
> This ballot modifies section 4.9.1.1 of the “Baseline Requirements for the
> Issuance and Management of Publicly-Trusted Certificates” as defined in the
> following redline, based on Version 1.8.6:
>
>
> https://github.com/cabforum/servercert/compare/2c63814fa7f9f7c477c74a6bfbeb57e0fcc5dd5b..3b034ede43a5bfd34baac80cfeb87ebe6db20be1
>
>
>
>  *—–Motion Ends—–*
>
>
>
> This ballot proposes a Final Maintenance Guideline. The procedure for
> approval of this ballot is as follows:
>
> Discussion (7+ days)
>
> Start Time:  January 13, 2023 17:00 UTC
>
> End Time: January 20, 2023 17:00 UTC
>
>
>
> Vote for approval (7 days)
>
> Start Time:  January 20, 2023 17:00 UTC
>
> End Time: January 27, 2023 17:00 UTC
>
>
>
>
>
>
>