[Smcwg-public] [EXTERNAL]-Re: Use of the certificateHold CRLreason for leaf certificates
Pedro FUENTES
pfuentes at WISEKEY.COM
Fri Sep 2 15:12:34 UTC 2022
Yes, this was for example our focus when we defined the CP for SSL certificates, making it a “derivative” of the BR but leaving certain practical aspects about “how” the policy is implemented to be stipulated in the CPS.
In any case, the key word here is “consistency”. This is always mandatory, and therefore I don’t see a problem with the “and/or” wording either.
On 2 Sep 2022, at 17:04, Ben Wilson <bwilson at mozilla.com> wrote:
All,
A way to resolve this, potentially, is to treat the S/MIME Baseline Requirements as a Certificate Policy. I think we already do that somewhat with some of the language in the S/MIME BRs.
Ben
On Fri, Sep 2, 2022 at 8:50 AM Tim Hollebeek via Smcwg-public <smcwg-public at cabforum.org> wrote:
I get what Russ is saying now.
What Russ has a problem with, and you and I don’t, is if a CA has both a CP and a CPS, but discusses suspension only in the CPS and not in the CP. And I can see why he might have a problem with that, as the CPS is supposed to describe the practices that meet the policy in the CP, and if the suspension practices described in the CPS don’t map to any policy requirements in the CP, then what are they there for? And he kinda sorta has a point.
The reason I don’t have a problem with it after thinking about it a bit is that the CP might discuss the policy by reference, and not explicitly, for example by stating something like “certificates issued under this CP comply with the requirements of the S/MIME BRs version 1.0”. And it would make perfect sense if the CPS then described the CA’s suspension practices, to demonstrate how they comply with the requirements of those BRs. Whether one would say that the CP describes suspension in this case is subject to interpretation, but I’m guessing Russ would argue that it does (by reference).
The other reason I don’t have a problem with it is that in the event that you are doing something wrong here, you’re already violating various requirements about what should appear in CPs and CPSs, and trying to fix that in this particular requirement is a bit difficult.
I suppose we could write something like “in the CPS (and CP, if necessary)”. That, I think, matches the intent of the requirement, which was to make sure that everyone’s suspension practices are described in their CPS. And it also addresses Russ’s concern that being silent on this in your CP is also probably not something you want to do, if you have one.
-Tim
From: Smcwg-public <smcwg-public-bounces at cabforum.org> On Behalf Of Pedro FUENTES via Smcwg-public
Sent: Friday, September 2, 2022 10:13 AM
To: Russ Housley <housley at vigilsec.com>
Cc: SMIME Certificate Working Group <smcwg-public at cabforum.org>
Subject: Re: [Smcwg-public] [EXTERNAL]-Re: Use of the certificateHold CRLreason for leaf certificates
Russ:
Unless I missed some message, Tim said that and/or means “that it can be in the CP and the CPS, or just the CP, or just the CPS”. This is the same thing I said.
Something to consider is that, eventually, the CP could state that the CA will stipulate the provisions around suspension in the CPS.
So it all depends on how the documents are written, but the key point here is that, for any kind of stipulation, CP and CPS must be consistent.
Best,
Pedro
On 2 Sep 2022, at 15:58, Russ Housley <housley at vigilsec.com> wrote:
Pedro:
Please see the analysis by Tim. As I said, I am not content with it only appearing in a CPS. If it appears in a document that serves as both a CP and a CPS, that is acceptable to me.
Russ
On Sep 2, 2022, at 1:40 AM, Pedro FUENTES <pfuentes at WISEKEY.COM> wrote:
Hi Russ,
The traditional interpretation of and/or is actually “or”, from a logical perspective.
Anyway, if I’m wrong I’m happy to be corrected.
BR/P
On 1 Sep 2022, at 22:10, Russ Housley <housley at vigilsec.com> wrote:
Pedro:
Which means that it could be only in the CPS and not in the CP. I could live with "and". I think "and/or" is what causes the problem.
Russ
On Sep 1, 2022, at 3:50 PM, Pedro FUENTES <pfuentes at WISEKEY.COM> wrote:
Well... I could be wrong as I’m using my mobile, but I thought I saw in GitHub “CP and/or CPS”.
On 1 Sep 2022, at 21:24, Russ Housley <housley at vigilsec.com> wrote:
Pedro:
In my view, the current wording would allow a CA to only discuss suspension in the CPS, even if that CA has both a CP and a CPS. That seems wrong to me.
Russ
On Sep 1, 2022, at 3:13 PM, Pedro FUENTES <pfuentes at WISEKEY.COM> wrote:
Although we do, not all CAs have separate CP and CPS. The wording must be flexible.
On 1 Sep 2022, at 21:07, Russ Housley via Smcwg-public <smcwg-public at cabforum.org> wrote:
Stephen:
I would strongly prefer that any use of suspension be described in the CP (not the CPS).
Russ
On Sep 1, 2022, at 11:54 AM, Stephen Davidson via Smcwg-public <smcwg-public at cabforum.org> wrote:
Hello:
Following active discussion relating to suspension for leaf certificates by the WG, it was agreed to document the use of suspension for the Legacy and Multipurpose certificate generations.
There were arguments regarding the appropriateness of certificateHold in the context of S/MIME, and its effectiveness in the face of limited client support.
However, suspension is permitted by some other standards and regulations, and is used by CAs for S/MIME-capable certificates in some regions.
It is likely that future ballots may further amend these Requirements relating to suspension.
A draft of the changes may be found at https://github.com/cabforum/smime/commit/347eb1b93e1ac5b2ceb13692ce958b6ebd5af5ff
Regards, Stephen
_______________________________________________
Smcwg-public mailing list
Smcwg-public at cabforum.org
https://lists.cabforum.org/mailman/listinfo/smcwg-public
WISeKey SA
Pedro Fuentes
CSO - Trust Services Manager
Office: + 41 (0) 22 594 30 00
Mobile: + 41 (0) 791 274 790
Address: Avenue Louis-Casaï 58 | 1216 Cointrin | Switzerland
Stay connected with WISeKey: http://www.wisekey.com/
THIS IS A TRUSTED MAIL: This message is digitally signed with a WISeKey identity. If you get a mail from WISeKey please check the signature to avoid security risks
CONFIDENTIALITY: This email and any files transmitted with it can be confidential and it’s intended solely for the use of the individual or entity to which they are addressed. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. If you have received this email in error please notify the sender
DISCLAIMER: WISeKey does not warrant the accuracy or completeness of this message and does not accept any liability for any errors or omissions herein as this message has been transmitted over a public network. Internet communications cannot be guaranteed to be secure or error-free as information may be intercepted, corrupted, or contain viruses. Attachments to this e-mail are checked for viruses; however, we do not accept any liability for any damage sustained by viruses and therefore you are kindly requested to check for viruses upon receipt.
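The point Stephen raises about certificateHold and limited client support comes down to how a relying party reads the reasonCode CRL entry extension. The following is an added example, not code from this thread or from the CA/Browser Forum: it encodes a few constructed revokedCertificates entries in DER (RFC 5280 section 5.3.1, reasonCode OID 2.5.29.21), decodes them again, and applies the status rule of RFC 5280 section 6.3.3 steps (j) and (k), where a listed serial takes the entry's reason code (unspecified if the extension is absent) and removeFromCRL, which is only meaningful in a delta CRL, yields UNREVOKED. The serials, dates and helper names are assumptions made for the example.

```python
"""Encode and interpret CRL entries carrying the reasonCode extension, to show
how a certificateHold entry looks to a relying party.  Added example; every
entry below is constructed here, not taken from a real CRL."""
from datetime import datetime, timezone
from typing import List, Optional, Tuple

# CRLReason values from RFC 5280 section 5.3.1 (value 7 is unused).
CRL_REASONS = {
    0: "unspecified", 1: "keyCompromise", 2: "cACompromise",
    3: "affiliationChanged", 4: "superseded", 5: "cessationOfOperation",
    6: "certificateHold", 8: "removeFromCRL", 9: "privilegeWithdrawn",
    10: "aACompromise",
}
CERTIFICATE_HOLD, REMOVE_FROM_CRL = 6, 8
REASON_CODE_OID = bytes.fromhex("551d15")   # id-ce-cRLReasons, 2.5.29.21


def _der(tag: int, body: bytes) -> bytes:
    """Wrap body in a DER TLV with definite (short or long form) length."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    ln = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(ln)]) + ln + body


def _der_int(v: int) -> bytes:
    # Extra leading zero byte when the high bit is set keeps the INTEGER positive.
    return _der(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))


def encode_crl_entry(serial: int, revoked_at: datetime, reason: Optional[int]) -> bytes:
    """One element of revokedCertificates: serial, UTCTime, optional reasonCode."""
    body = _der_int(serial) + _der(0x17, revoked_at.strftime("%y%m%d%H%M%SZ").encode())
    if reason is not None:
        enum = _der(0x0A, bytes([reason]))                         # CRLReason ENUMERATED
        ext = _der(0x30, _der(0x06, REASON_CODE_OID) + _der(0x04, enum))
        body += _der(0x30, ext)                                     # crlEntryExtensions
    return _der(0x30, body)


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, value, position after the TLV) for the TLV starting at pos."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, pos = first, pos + 2
    else:
        k = first & 0x7F
        length, pos = int.from_bytes(buf[pos + 2:pos + 2 + k], "big"), pos + 2 + k
    return tag, buf[pos:pos + length], pos + length


def decode_crl_entry(entry: bytes) -> Tuple[int, Optional[int]]:
    """Return (serial, reason) with reason None when the extension is absent."""
    tag, body, _ = _read_tlv(entry, 0)
    assert tag == 0x30, "revokedCertificates entry must be a SEQUENCE"
    _, serial_bytes, pos = _read_tlv(body, 0)
    _, _, pos = _read_tlv(body, pos)                                # revocationDate, unused here
    reason = None
    if pos < len(body):                                             # crlEntryExtensions present
        _, exts, _ = _read_tlv(body, pos)
        p = 0
        while p < len(exts):
            _, ext, p = _read_tlv(exts, p)
            _, oid, q = _read_tlv(ext, 0)
            t, val, q = _read_tlv(ext, q)
            if t == 0x01:                                           # optional critical BOOLEAN
                t, val, q = _read_tlv(ext, q)
            if oid == REASON_CODE_OID:
                _, enum, _ = _read_tlv(val, 0)                      # ENUMERATED inside the OCTET STRING
                reason = enum[0]
    return int.from_bytes(serial_bytes, "big"), reason


def cert_status(entries: List[bytes], serial: int) -> str:
    """RFC 5280 section 6.3.3 (j)/(k): a listed serial gets the entry's reason
    (unspecified if absent); removeFromCRL means UNREVOKED; unlisted is UNREVOKED."""
    for e in entries:
        s, reason = decode_crl_entry(e)
        if s != serial:
            continue
        if reason == REMOVE_FROM_CRL:
            return "UNREVOKED"
        return CRL_REASONS.get(0 if reason is None else reason, "unknown")
    return "UNREVOKED"


def is_trusted(entries: List[bytes], serial: int) -> bool:
    """A path validator rejects every status other than UNREVOKED, so a held
    certificate is rejected exactly like a permanently revoked one."""
    return cert_status(entries, serial) == "UNREVOKED"


def is_suspended(entries: List[bytes], serial: int) -> bool:
    """Only a client that inspects the reason code can tell a hold, which the
    CA may later lift, from a permanent revocation."""
    return cert_status(entries, serial) == "certificateHold"


# Constructed sample CRL entries (serials and date are arbitrary).
T = datetime(2022, 9, 1, 12, 0, 0, tzinfo=timezone.utc)
SAMPLE_CRL = [
    encode_crl_entry(0x1001, T, 1),                  # keyCompromise
    encode_crl_entry(0x1002, T, CERTIFICATE_HOLD),   # suspended
    encode_crl_entry(0x1003, T, None),               # no reasonCode -> unspecified
]

if __name__ == "__main__":
    for serial in (0x1001, 0x1002, 0x1003, 0x9999):
        print(hex(serial), cert_status(SAMPLE_CRL, serial),
              "trusted" if is_trusted(SAMPLE_CRL, serial) else "rejected")
```

Run as a script it prints the status of each sample serial. The caveat it illustrates is the one behind the "limited client support" remark: a validator following section 6.3.3 rejects a held certificate for as long as it is listed, exactly as it rejects a permanently revoked one, and a client that only checks whether the serial appears on the CRL can neither report the suspension to the user nor honour removeFromCRL when the hold is lifted.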