On Wed, Mar 1, 2017 at 4:50 PM, Ryan Sleevi <[email protected]> wrote:
> It's unclear whether you disagree with the substance of my analysis, and > are thus stating it was intentional to weaken the Baseline Requirements, or > if you're simply providing clarification for the intent, for which the > weakening of the Baseline Requirements was unintentional? > > If this was unintentional, we can work to resolve this in a way that > achieves the intended resolve. However, if this was intentional, we will > continue to disagree, and thus will find it necessary to vote against this > ballot. I can only hope that, like Ballot 188, this was merely an > unintentional side-effect, and hopefully one we can resolve through > collaboration. > It was pointed out that my description of the issues may not have been clear for some members, so I'll try to restate the various ways in which this proposal, whether intentional or not, weakens the current security guarantees provided by the Baseline Requirements. In the effort of providing greater clarity, I have created several new threads to help inform this discussion. Proposed for Section 4.2.1 "A CA may rely on a previously verified certificate request to issue a replacement certificate, so long as the certificate being referenced was not revoked due to fraud or other illegal conduct, if: (1) The expiration date of the replacement certificate is the same as the expiration date of the Certificate that is being replaced, and (2) The Subject Information of the Certificate is the same as the Subject in the Certificate that is being replaced." Problem Summary: This introduces an additional implied requirement for revocation not present within the Baseline Requirements, and for which several Browser members have highlighted clear disagreement with CAs. Explanation: The problem introduced here is with respect to "was not revoked due to fraud or other illegal content". The introduction of "Fraud" creates an ambiguity regarding what is required in the Baseline Requirements. The extent of obligations imposed by Section 4.9.1.1 does not include fraud as a general category, but instead limits it to a "fraudulently misleading subordinate Fully-Qualified Domain Name" in Item 7. Similarly, "illegal conduct" creates an ambiguity as to what is required, pursuant to Item 6, which through illustrative example makes a distinction between "illegal conduct" and "no longer legally permitted". Conclusion: This represents an agenda item for which CAs and several browsers have long disagreed. As a consequence, this detracts from the substantive, though incomplete, improvements being proposed regarding certificate lifetime. Suggestion: Remove "due to fraud or other illegal conduct"
_______________________________________________ Public mailing list [email protected] https://cabforum.org/mailman/listinfo/public
