[cabf_validation] CRL Validity Interval Ballot

Dimitris Zacharopoulos (HARICA) dzacharo at harica.gr
Wed Oct 13 07:07:58 UTC 2021 

Thank you for the attempt to clarify the nextUpdate values for CRLs to 
match the language from section 4.9.10 regarding the OCSP response validity.

After some review, and since it appears there is consensus to move to 
the "1 sec" accuracy in various fields, HARICA believe we should also 
define that 1 month is equal to 30 days. We already have language to 
specify that 1 day is equal to 86400 seconds but some interpret 12 
months to be 365 days, others consider 360 days as being more accurate, etc.

It would be even better to specify the /nextUpdate /for subCAs in /days/ 
instead of /months/. There are only 4 areas where a requirement is 
specified in months:

  * Section 4.9.7 (as already mentioned)
  * Section 4.9.10 (as already mentioned)
  * Section 8.1 Frequency or circumstances of assessment: /"//The
    point-in-time readiness assessment SHALL be completed no earlier
    than twelve (12) months prior to issuing Publicly-Trusted
    Certificates and..."/
  * Section 8.6 Communication of results: "/The CA MUST make its Audit
    Report publicly available no later than three months after the end
    of the audit period. In the event of a delay greater than three
    months, the CA SHALL provide an explanatory letter signed by the
    Qualified Auditor."/

Thus, if we converted these to days, we would not need to define that a 
month is equal to 30 days.

We also noted that there are already *two places* where we "define" the 
duration of a day:

  * Section 4.9.10: /"//For purposes of computing differences, a
    difference of 3,600 seconds shall be equal to one hour, and a
    difference of 86,400 seconds shall be equal to one day, ignoring
    leap-seconds."/
  * Section 6.3.2: /"For the purpose of calculations, a day is measured
    as 86,400 seconds. Any amount of time greater than this, including
    fractional seconds and/or leap seconds, shall represent an
    additional day. For this reason, Subscriber Certificates SHOULD NOT
    be issued for the maximum permissible time by default, in order to
    account for such adjustments."/
    //

Instead of creating another instance of the same definition in 4.9.7, it 
might be better to use the already defined term "Validity Period" and 
add the following sentence /"For purposes of computing differences, a 
difference of 3,600 seconds shall be equal to one hour, and a difference 
of 86,400 seconds shall be equal to one day, ignoring leap-seconds."/

It would be even clearer if in 4.9.7 and 4.9.10 we added a statement 
about the value of the nextUpdate field as being "i.e. /nextUpdate ≤ 
thisUpdate + 365 * 86400s/" for the subCAs and "i.e. /nextUpdate ≤ 
thisUpdate + 10 * 86400s/" for Subscriber Certificates.

Thoughts?


Dimitris.

On 7/10/2021 8:34 μ.μ., Wayne Thayer via Validation wrote:
> Here is a draft of the ballot that we discussed on today's call to 
> clarify the maximum permitted validity interval of a CRL in the BRs. 
> I've gone ahead and reserved a ballot number and inserted Tim as the 
> proposer and Trev and Kati as endorsers.
> *
> *
> *BALLOT SC52: Specify Validity Interval of CRLs*
>
>
>     PURPOSE OF BALLOT
>
> Ballot SC31 included a clarification of the maximum allowed validity 
> interval for OCSP responses in section 4.9.10 of the Baseline 
> Requirements. A similar ambiguity has been identified in section 4.9.7 
> for the validity interval of CRLs. This ballot better specifies the 
> maximum validity interval for CRLs issues after 1-Feb-2022 by applying 
> the language from section 4.9.10 to CRLs.
>
> The following motion has been proposed by Tim Hollebeek of DigiCert 
> and endorsed by Trevoli Ponds-White of Amazon and Kati Davids of GoDaddy.
>
>
>     MOTION BEGINS
>
> This ballot modifies the “Baseline Requirements for the Issuance and 
> Management of Publicly-Trusted Certificates” (“Baseline 
> Requirements”), based on Version 1.8.0:
> MODIFY the Baseline Requirements as specified in the following Redline:
> https://github.com/cabforum/servercert/compare/main...wthayer:ballot-SC52 
> <https://github.com/cabforum/servercert/compare/main...wthayer:ballot-SC52> 
> (NOTE: THIS LINK NEEDS TO BE UPDATED TO REFERENCE SPECIFIC COMMITS IN 
> THE FINAL BALLOT)
>
>
>     MOTION ENDS
>
> This ballot proposes a Final Maintenance Guideline. The procedure for 
> approval of this ballot is as follows:
>
>
>       Discussion (7+ days)
>
> Start Time: TBD
> End Time: TBD
>
>
>       Vote for approval (7 days)
>
> Start Time: TBD
> End Time: TBD
>
>
> _______________________________________________
> Validation mailing list
> Validation at cabforum.org
> https://lists.cabforum.org/mailman/listinfo/validation

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/validation/attachments/20211013/b00fcdf9/attachment.html>

More information about the Validation mailing list