On Mon, Apr 3, 2017 at 9:17 PM, Chris Bailey <[email protected]> wrote:

> I checked with my legal team on this issue. The retroactive amendment of
> an earlier action by a later action is very common under the legal doctrine
> "nunc pro tunc" – no, I can't speak Latin either, but it means "now for
> then". Retroactivity will be effective here not because of anything
> specific on retroactivity in our Bylaws, but from the fact that the second
> ballot we approve (Ballot 194) will by its terms completely override the
> conflicting parts of the earlier ballot we approved (Ballot 193) as of the
> effective date of the earlier ballot. Because Ballot 194 says it is
> retroactive to the effective date of Ballot 193, that provision will fully
> apply once adopted by the Forum as a ballot following its Bylaws.

That's great that you checked, Chris, and I don't mean to be overly dismissive, but that's not how the CA/Browser Forum Baseline Requirements are written, nor how it's operated. It's a technical specification, and one every CA is obligated to state compliance to the latest published version (which has undergone both voting and IP review). You will be violating your CP/CPS if you attempt this retroactive correction, and should receive a qualified audit because of it, independent of Ballot 194.

> The good news is, members will know whether or not Ballot 194 has passed
> before Ballot 193 becomes effective, so there will not be any gap period.

This is not true. There is still the IPR review.

> Ballot 193 will become effective on April 22, assuming no Exclusion
> Notices are filed by then. Ballot 194 will already have been passed by the
> members on April 16 (six days earlier), assuming it passes, so members will
> know that its retroactivity provisions were approved and will likely take
> effect as of about May 16, assuming no Exclusion Notices are filed for
> Ballot 194 during its Review Period.

This is misstating the agreed-upon process for ballots. Until it's completed the IP Review, it's not adopted.

> Because both Ballots 193 and 194 cover the same BR section - BR 4.2.1 -
> if there are no Exclusion Notices filed for Ballot 193, there probably
> won't be any Exclusion Notices filed for Ballot 194 either.

That's not something the Forum members can or should be stating.

> As noted before, the proposer and endorsers for Ballot 193 meant for all
> changes to be effective at the same time, March 1, 2018. As to the reuse
> of validation data, clarifying that the effective date is March 1, 2018 and
> not April 22, 2017 makes sense for two main reasons:
>
> (1) CA validation systems have complex rules in their code that track the
> collection date of validation data (sometimes on a document-by-document
> basis), and the code includes internal clocks that tell the CA when a piece
> of validation data must be revalidated. CAs will need to change that code
> so revalidation of data is required after 825 days instead of 39 months –
> this is a significant project that must be done correctly, and developers
> are already pretty busy with other major changes like CT logging for all
> certificates and CAA implementation.

This suggests that CAs are poorly designing their software and/or poorly staffing engineering. I suspect both.

> (2) In addition, telling CA vetting teams that as of April 22 they can no
> longer use properly-collected OV and DV certificate validation data that is
> more than 825 days old (but still within the previous 39 month limit for
> reuse) will force a massive amount of data revalidation all at once –
> potentially a 50% workload increase for OV and DV certs starting all on a
> single day. This is an undesirable outcome that was never intended by the
> ballot authors. Instead, it's better for both the shorter certificate
> validity period and the shorter validation data reuse period to take effect
> at the same time – March 1, 2018 – so that CAs can plan ahead.

I'm sorry, but it has yet to be demonstrated how this can be true.

Nothing requires all of this information be revalidated on a single day. On April 22, when it comes into effect, you only need to revalidate for new certificates. This is no different than if you were to acquire a new customer on April 22. There is nothing in Ballot 193 that requires a full re-validation as you've described.

> Ballots 193/194 represent a meaningful advance for user security by
> reducing certificate validity and data reuse periods from 39 months to 825
> days. Let's chalk up that "win" and move on to the other issues we're
> discussing for further security advances.

As proposed, it's a negative for security. Let's focus on making real improvement.

_______________________________________________
Public mailing list
[email protected]
https://cabforum.org/mailman/listinfo/public
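The reuse-window mechanics the two messages argue over (a 39-month limit on validation data before the change, 825 days after it, checked against the issuance date under either proposed effective date), as an added Python example that is not part of the thread or of any CA's code. The customer records and issuance date are constructed, the function names are hypothetical, and counting "39 months" as calendar months clamped to the month end is an assumption, since the thread does not define how that limit is measured.

```python
from calendar import monthrange
from datetime import date, timedelta

# Figures as they appear in the thread.
OLD_LIMIT_MONTHS = 39                      # reuse limit for validation data before Ballot 193
NEW_LIMIT_DAYS = 825                       # reuse limit introduced by Ballot 193
BALLOT_193_EFFECTIVE = date(2017, 4, 22)   # effective date stated for Ballot 193
BALLOT_194_EFFECTIVE = date(2018, 3, 1)    # date Ballot 194 would move the reuse change to


def add_months(d: date, months: int) -> date:
    """Add calendar months, clamping to the last day of the target month.

    Assumption: the thread never says how '39 months' is counted, so
    calendar months with month-end clamping is used here.
    """
    month_index = d.month - 1 + months
    year = d.year + month_index // 12
    month = month_index % 12 + 1
    day = min(d.day, monthrange(year, month)[1])
    return date(year, month, day)


def reuse_deadline(collected: date, issued: date, effective: date) -> date:
    """Last issuance date on which data collected on `collected` may still be
    reused, given the date on which the 825-day rule takes effect.

    The limit is selected by the issuance date, not the collection date:
    an issuance before `effective` is judged under the old 39-month limit.
    """
    if issued < effective:
        return add_months(collected, OLD_LIMIT_MONTHS)
    return collected + timedelta(days=NEW_LIMIT_DAYS)


def data_reusable(collected: date, issued: date, effective: date) -> bool:
    """True if the data may back a certificate issued on `issued`."""
    return collected <= issued <= reuse_deadline(collected, issued, effective)


def records_needing_revalidation(records, issued: date, effective: date):
    """Of the (customer, collected) records backing issuances on `issued`,
    return those whose data is too old under the limit in force that day.

    The check is evaluated per issuance; records with no issuance on that
    day are never examined, so the store is not swept in bulk.
    """
    return [
        (customer, collected)
        for customer, collected in records
        if not data_reusable(collected, issued, effective)
    ]


# Constructed sample: three customers whose validation data was collected at
# different times, each with a certificate to be issued the day after the
# effective date stated for Ballot 193.
SAMPLE_RECORDS = [
    ("example-a", date(2015, 1, 15)),   # older than 825 days, younger than 39 months
    ("example-b", date(2016, 6, 1)),    # well inside both limits
    ("example-c", date(2014, 1, 10)),   # past even the 39-month limit
]

if __name__ == "__main__":
    issued = date(2017, 4, 23)
    for label, effective in (("Ballot 193 schedule", BALLOT_193_EFFECTIVE),
                             ("Ballot 194 schedule", BALLOT_194_EFFECTIVE)):
        stale = records_needing_revalidation(SAMPLE_RECORDS, issued, effective)
        print(f"{label}: issuance on {issued} needs revalidation for "
              f"{[customer for customer, _ in stale]}")
```

Run as a script, the block shows which of the constructed records would need fresh validation for a single issuance on 2017-04-23 under each schedule: `example-a` is caught only by the 825-day limit, `example-c` by both, and `example-b` by neither. Because the decision is keyed to the issuance date, the same record can be reusable for an issuance on April 21 and require revalidation for one on April 23, which is the per-issuance behaviour the reply describes.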
