[cabf_validation] Draft Minutes of Today's Meeting 2021-10-07

Thu Oct 7 20:00:06 UTC 2021

*Draft Minutes *- Please provide any comments, additions, or corrections.

*Validation Subcommittee of the Server Certificate Working Group*

*7-October-2021*

*Attendees:*  Ben Wilson, Bruce Morton, Amanda Mendieta, Aneta Wojtczak,
Tim Hollebeek, Clint Wilson, Corey Bonnell, Janet Hines, Johnny Reading,
Julie Olson, Kati Davids, Michelle Coon, Niko Carpenter, Paul Van
Brouwershaven, Rebecca Kelley, Ryan Sleevi, Shelley Brewer, Stephen
Davidson, Wayne Thayer, Tobias Josefowitz, Trev Ponds-White, Tyler Myers

*Antitrust Statement* read by Tim

*Agenda topics*:  Validity Intervals for CRLs and Agenda for F2F Meeting

*Validity Intervals for CRLs *

Wayne noted that this topic originates from incident reports filed over the
past few weeks caused by some ambiguity in the requirements for CRL
lifetimes (the allowed time between thisUpdate and nextUpdate). This issue
affects both Root-issued CRLs and end-entity CRLs. Relevant sections of the
Baseline Requirements are sections 4.9.7 and 4.9.10. (Section 4.9.10
defines time periods in seconds.) Section 4.9.7 says, “[For subscriber
certificates] the value of the nextUpdate field MUST NOT be more than ten
days beyond the value of the thisUpdate field” and  “For the status of
Subordinate CA Certificates:  The CA SHALL update and reissue CRLs at least:
i. once every twelve months; …  The value of the nextUpdate field MUST NOT
be more than twelve months beyond the value of the thisUpdate field.” He
proposed that the SCWG amend BR section 4.9.7 to take language from section
4.9.10.

Tim, Corey and Ryan were in agreement that the language needs to be cleaned
up.

Ryan suggested that the language should be in Section 7 for the CRL and
OCSP Profiles.

Bruce asked what CAs should do between now and the effective date of the
to-be-proposed ballot and whether they should file incident reports.

Corey said that CAs should not run right up to the maximum-allowed
timeframes, but BR section 4.9.7 does not currently mention the inclusive
set. The language only addresses the simple difference between the two
fields. So, it is not a clear violation of the BRs to issue a CRL with a
validity period that has an extra second. Ryan said that the issue is
whether we’re talking about the value or the period. Section 4.9.7 is
talking about the value, and the inclusiveness or exclusiveness of the
nextUpdate is not addressed.

Ryan said that there is benefit to raising awareness of the issue among
members of the CA community with the filing of incident reports that are
resolved as “WONTFIX” – not an issue. It is helpful for CAs to disclose
what they’re doing, e.g., not running right up to maximum allowed periods.
Also of value is how clear CAs will state timeframes in their CPs and
CPSes. There is a benefit to transparency. Still, these incidents could be
closed as non-issues.

Wayne noted that when a ballot to clarify this issue is adopted, CAs with
Root CRLs in this state should not be required to re-issue them on an
accelerated timeline. We should have ballot language that says, “For CRLs
signed after such-and-such date.”

Paul noted that CAs should not be required to re-create 1-year CRLs because
of a 1-second difference when there is no associated security issue.

Based on relative consensus, several people volunteered to work on and/or
endorse a ballot.

*Agenda for F2F Meeting*

Tim noted that we have an hour assigned for discussion during the
face-to-face meeting next week. He will review the GitHub comments related
to Pull Request #36 (https://github.com/sleevi/cabforum-docs/pull/36) and
create a high-level summary of the main discussion points and accompanying
slides.

Aneta asked about how “effective dates” would be handled in the ballot.  There
was debate between Ryan and Tim on whether the ballot would have one
all-encompassing effective date along with specific effective dates. Ryan
argued that a default effective date for the whole ballot would lead to
confusion, non-compliance, and added risks. As a counterargument, Tim
argued that a variety of effective dates might be difficult for CAs to
track. Tim offered to work on a proposal with Aneta and others. Ryan said
that it would not be an easy fix. It was eventually suggested that it was
premature to decide the issue and that the issue would not be discussed at
the face-to-face meeting due to the short time allowed. In summary, it was
recommended that people review Pull Request #36 and identify/flag any new
substantive/normative provisions that might require different effective
dates.

Meeting adjourned.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/validation/attachments/20211007/59dfd5ba/attachment.html>