[cabf_validation] [EXTERNAL]Concerns regarding Ballot 218

Bruce Morton Bruce.Morton at entrustdatacard.com
Thu Jan 18 06:49:10 MST 2018


Forwarded on behalf of Jürgen.

Bruce.

-----Original Message-----
From: Jürgen Brauckmann [mailto:brauckmann at dfn-cert.de] 
Sent: January 18, 2018 4:43 AM
To: Curt Spann <cspann at apple.com>; Bruce Morton <Bruce.Morton at entrustdatacard.com>
Cc: Dimitris Zacharopoulos <jimmy at it.auth.gr>; Gervase Markham <gerv at mozilla.org>; md at ssc.lt; geoffk at apple.com; Mike.Reilly at microsoft.com; Kim.Nguyen at bdr.de; Arno.Fiedler at bdr.de; Kirk Hall <Kirk.Hall at entrustdatacard.com>; Ralf Groeper <groeper at dfn.de>; Reimer Karlsen-Masur, DFN-CERT <karlsen-masur at dfn-cert.de>
Subject: Re: [EXTERNAL]Concerns regarding Ballot 218

Yes, you can forward this mail to the validation working group.

Regarding the time period: Obviously no one from the original proposers took into account that there may be CAs which use only 3.2.2.4.1 and 3.2.2.4.5.

So, the time period must cover the necessary effort to implement new processes and supporting systems for other validation methods.

This includes all the lengthy stuff that a responsible, BR-compliant organization is supposed to do, like external pen testing if it turns out that the changes are significant.

Additionally, the proposed ballot forces a complete revalidation workload not only on the affected CAs, but also on the customers. So, the timeframe must take into account that there (again) will be a peak of revalidation activity, which will not be magically done overnight.

I don't know how fast other organizations can do such changes, but for us 6 months sounds like a reasonable period.

Thanks,
    Jürgen

Am 17.01.2018 um 19:19 schrieb Curt Spann:
> I think this should be discussed with the broader group either in the validation working group or CAB Forum public list.
> 
> Since you feel March 01, 2018 is too short of a time period, what time period do you feel is reasonable and would not constitute an emergency on your part?
> 
> Cheers,
> Curt
> 
>> On Jan 17, 2018, at 7:35 AM, Bruce Morton <Bruce.Morton at entrustdatacard.com> wrote:
>>
>> Hi Jürgen,
>>
>> I agree with your position. The timeframe is too short and the proposed ballot does feel anti-competitive.
>>
>> Do you mind if I forward your email to the Validation Working Group?
>>
>> Thanks, Bruce.
>>
>> -----Original Message-----
>> From: Jürgen Brauckmann [mailto:brauckmann at dfn-cert.de]
>> Sent: January 17, 2018 10:23 AM
>> To: Dimitris Zacharopoulos <jimmy at it.auth.gr>; Bruce Morton 
>> <Bruce.Morton at entrustdatacard.com>; Gervase Markham 
>> <gerv at mozilla.org>; md at ssc.lt; geoffk at apple.com; 
>> Mike.Reilly at microsoft.com; Kim.Nguyen at bdr.de; Arno.Fiedler at bdr.de; 
>> cspann at apple.com
>> Cc: Ralf Groeper <groeper at dfn.de>; Reimer Karlsen-Masur, DFN-CERT 
>> <karlsen-masur at dfn-cert.de>
>> Subject: [EXTERNAL]Concerns regarding Ballot 218
>>
>> Hello,
>>
>> we are operating the PKI services for the German Research Network; our non-commercial PKI chains up to Deutsche Telekom Root CA 2 and T-Telesec GlobalRoot Class 2, and is in heavy use by all academic and research institutions in Germany.
>>
>> We have been following the discussion on ballot 218 in the CA/Browser Forum the last days and are worried about the intended time frame.
>>
>> While we do understand and support the fundamental arguments concerning the validation methods in question, we are from our point of view not in a situation where "emergency fixes" are necessary. We thus think that the intended effective date for this ballot (March 01 2018) has to be moved to a later date, e.g. by six months.
>>
>> The proposed short-term invalidation of broadly used validation methods not only forces CAs to implement new methods on very short notice but also invalidates all existing validations that were already conducted and are still (within 825 days) valid. Implementing new validation methods in a hurry also increases the risk that the new processes are not tested well enough before being used.
>>
>> We strongly feel that with this short timeframe, CAs that already now rely on the then remaining validation methods would have an unfair competitive advantage. Other CAs that cannot change all their validation methods in time and/or re-validate all validations using new methods will be in serious trouble, as will be their customers/users that have to change their own internal PKI processes on short notice.
>>
>> Additionally, this would pose a precedent for the future with all changes in BR being implemented with unnecessarily short lead times for the advantage of some and the disadvantage of others.
>>
>> We think that your CAs/Users are also at least affected partially by this and we hope that ballot 218 will not pass in this form or, alternatively, a more reasonable ballot will be presented in CA/B-Forum.
>>
>> Best regards,
>>     Jürgen
>>
>> --
>> Dipl. Inform. Jürgen Brauckmann (PKI Team), Phone +49 40 808077-627
>>
>> https://blog.pki.dfn.de
>>
>> DFN-CERT Services GmbH, https://www.dfn-cert.de, Phone +49 40 
>> 808077-580 Sitz / Register: Hamburg, AG Hamburg, HRB 88805, 
>> Ust-IdNr.: DE 232129737 Sachsenstraße 5, 20097 Hamburg/Germany, CEO: 
>> Dr. Klaus-Peter Kossakowski
> 

--
Dipl. Inform. Jürgen Brauckmann (PKI Team), Phone +49 40 808077-627

https://blog.pki.dfn.de

DFN-CERT Services GmbH, https://www.dfn-cert.de, Phone +49 40 808077-580 Sitz / Register: Hamburg, AG Hamburg, HRB 88805, Ust-IdNr.: DE 232129737 Sachsenstraße 5, 20097 Hamburg/Germany, CEO: Dr. Klaus-Peter Kossakowski

