SSL.com votes Yes

Leo


On 8/30/2017 4:41 PM, public-requ...@cabforum.org wrote:

Today's Topics:

    1. Re: Ballot 212: Canonicalise formal name of the Baseline
       Requirements (Curt Spann)
    2. Re: **Voting has started on Ballot 212: Canonicalise formal
       name of the Baseline Requirements** (Gervase Markham)
    3. Re: Revocation ballot v2 (Jeremy Rowley)


----------------------------------------------------------------------

Message: 1
Date: Wed, 30 Aug 2017 14:08:41 -0700
From: Curt Spann <csp...@apple.com>
To: CA/Browser Forum Public Discussion List <public@cabforum.org>
Subject: Re: [cabfpub] Ballot 212: Canonicalise formal name of the
        Baseline Requirements
Message-ID: <96703ae1-a45b-477f-9a06-615cbe4ff...@apple.com>
Content-Type: text/plain; charset="us-ascii"

Apple votes Yes.

Curt

On Aug 18, 2017, at 8:06 AM, Gervase Markham via Public <public@cabforum.org> 
wrote:

Ballot 212: Canonicalise formal name of the Baseline Requirements
Purpose of Ballot: to make the formal name of the Baseline Requirements 
document clear, as use is not currently consistent.
The following motion has been proposed by Gervase Markham of Mozilla and 
endorsed by Jeremy Rowley of DigiCert and Ryan Sleevi of Google:

-- MOTION BEGINS --

The official name of the Baseline Requirements document shall be 'The Baseline Requirements for the 
Issuance and Management of Publicly-Trusted Certificates'. Approved abbreviations for official use 
are "the Baseline Requirements", and "the BRs".

Editors and maintainers of CAB Forum documents and websites are empowered to 
update text under their control at any time to make this so.
-- MOTION ENDS --

The procedure for approval of this ballot is as follows:



                             Start time (22:00 UTC)   End time (22:00 UTC)
Discussion (7 to 14 days)    18 Aug                   25 Aug
Vote for approval (7 days)   25 Aug                   1 Sep



Votes must be cast by posting an on-list reply to this thread on the Public list. A 
vote in favor of the motion must indicate a clear 'yes' in the response. A vote 
against must indicate a clear 'no' in the response. A vote to abstain must 
indicate a clear 'abstain' in the response. Unclear responses will not be counted. 
The latest vote received from any representative of a voting member before the close 
of the voting period will be counted. Voting members are listed here: 
https://cabforum.org/members/

In order for the motion to be adopted, two thirds or more of the votes cast by 
members in the CA category and greater than 50% of the votes cast by members in the 
browser category must be in favor. Quorum is shown on CA/Browser Forum wiki. Under 
Bylaw 2.2(g), at least the required quorum number must participate in the ballot for 
the ballot to be valid, either by voting in favor, voting against, or abstaining.
_______________________________________________
Public mailing list
Public@cabforum.org
https://cabforum.org/mailman/listinfo/public

------------------------------

Message: 2
Date: Wed, 30 Aug 2017 22:10:49 +0100
From: Gervase Markham <g...@mozilla.org>
To: Kirk Hall <kirk.h...@entrustdatacard.com>, CA/Browser Forum Public
        Discussion List <public@cabforum.org>
Subject: Re: [cabfpub] **Voting has started on Ballot 212:
        Canonicalise formal name of the Baseline Requirements**
Message-ID: <8d1180a3-beaf-5982-6136-99e36468b...@mozilla.org>
Content-Type: text/plain; charset=utf-8

On 30/08/17 15:52, Kirk Hall via Public wrote:
Sorry - voting began August 25 on this ballot, and will end on *Friday,
Sept. 1* at 22:00 UTC. If you intend to vote, do it now!

Mozilla votes YES.

Gerv


------------------------------

Message: 3
Date: Wed, 30 Aug 2017 21:41:35 +0000
From: Jeremy Rowley <jeremy.row...@digicert.com>
To: Ryan Sleevi <sle...@google.com>
Cc: CA/Browser Forum Public Discussion List <public@cabforum.org>
Subject: Re: [cabfpub] Revocation ballot v2
Message-ID: <47dace183fa443fabd19b6c286201...@ex2.corp.digicert.com>
Content-Type: text/plain; charset="utf-8"

Yeah - pretty much, except the part about the CAB Forum. If emailing the CAB 
Forum is required, I think the CA MUST provide a link to the entity submitting 
the Certificate Problem Report with the discussion.

Any additional comments before I finalize and ask for endorsers?

From: Ryan Sleevi [mailto:sle...@google.com]
Sent: Tuesday, August 29, 2017 3:18 PM
To: Jeremy Rowley <jeremy.row...@digicert.com>
Cc: CA/Browser Forum Public Discussion List <public@cabforum.org>; Gervase Markham 
<g...@mozilla.org>
Subject: Re: [cabfpub] Revocation ballot v2

I'm not sure if you were trying to say the same thing or propose a different 
thing :)

That is, I was suggesting the normal flow be:

The CA MUST make a final determination and respond to a Problem Report within 
24 hours, unless all of the following conditions are satisfied:

   - The Report does not indicate that the private key was compromised or 
publicly disclosed

   - The Report was not provided by the Subscriber

   - The CA makes a final determination and response available within 7 days of 
receipt of the Problem Report

   - The CA notifies the CA/Browser Forum via the questi...@cabforum.org (as it's 
the only list that doesn't implicitly impose a membership requirement; although we 
can certainly explore other ways) of the Problem Report and why more than 24 hours 
was needed to investigate within 7 days of receipt of the Problem Report

The CA MUST revoke the certificate within 24 hours if:

   - The subscriber requests ...

   - The subscriber notifies ...

   - The CA obtains evidence that the Private Key ...

The CA SHOULD revoke the certificate within 24 hours and MUST revoke the 
certificate within 7 days if:

   - ...

Is that aligned with what you were saying? (I probably structured it poorly, 
but there's the handwavy approach)

On Mon, Aug 28, 2017 at 3:38 PM, Jeremy Rowley <jeremy.row...@digicert.com> wrote:

Not hearing from any other CAs, should we state that the CA must make an 
initial determination and report within 24 hours and a final report in 
accordance with the other timeline?

From: Ryan Sleevi [mailto:sle...@google.com]
Sent: Thursday, August 24, 2017 9:18 AM
To: Jeremy Rowley <jeremy.row...@digicert.com>; 
CA/Browser Forum Public Discussion List <public@cabforum.org>
Cc: Gervase Markham <g...@mozilla.org>
Subject: Re: [cabfpub] Revocation ballot v2

On Wed, Aug 23, 2017 at 11:32 PM, Jeremy Rowley via Public <public@cabforum.org> wrote:

Okay - attached.

a) I added the requirement to maintain an email address for addressing 
certificate problem reports to 4.9.3
b) I added a 24 hour rule for when the original certificate request was not 
authorized.

Jeremy,

I'm wondering if you could speak more to what sort of challenges CAs face in 
making a determination within 24 hours, versus seven days.

For example, consider a report of a CP/CPS non-compliance - which is something 
entirely under the CA's control - particularly for something like a profile 
violation (e.g. extensions when they said they wouldn't have them, missing 
subject naming fields, wrong policies, etc). Why wouldn't a CA be able to make 
a determination about compliance within 24 hours? One downside is I could see 
the added time for investigation adding an incentive to delay investigating (in 
order to delay revocation), rather than purely granting the flexibility 
necessary for complex situations.

I think if you (or others) could share a bit more about the challenges of 
investigating reports, since I think, ideally, we'd want all reports to be 
taken with the same gravity and attentiveness as a potential security issue. I 
ask this, because I'm wondering whether it makes sense to set the standard of 
the _final_ report at 24 hours, but then allow CAs to take up to 7 days (except 
for the types of reports you noted) as an exception, and with an added 
requirement to disclose why they made use of the additional time.

That is, let's say someone gets a report of a CP/CPS violation, and the CA 
determines that the current BR language is unclear, and they need additional time 
to consult with their auditors and/or the broader community. That seems a 
perfectly reasonable reason to take up to the 7 days - to make sure the violation 
is certain - but it also means we may not know of the potential confusion in the 
language, or the auditors' conclusions, as a community. If we have those types of 
situations disclosed (through, say, a public mail posting explaining why the >24 hour 
investigation took place, and what the challenges were), we can, as a 
community, better address those situations and work on improvements.

I'm wondering if that might address your concern about "two weeks", while also 
helping the community better understand the challenges so we can work to improve them 
(in the case they're ambiguities) or collaboratively share best practices (in the case 
of other factors).


------------------------------


End of Public Digest, Vol 64, Issue 88
**************************************
