On Thu, Aug 30, 2018 at 6:41 PM Wayne Thayer via Servercert-wg < [email protected]> wrote:
> On Thu, Aug 30, 2018 at 10:42 AM Ryan Sleevi <[email protected]> wrote:
>
>> Thanks Wayne.
>>
>> I know you're intentionally avoiding the controversial cleanups with this specific Ballot, so it will be good to have a follow-on discussion for those matters, as CAs will no doubt prefer having to make only one update to their CP/CPS versus two. Or, differently stated, I'd hope that the argument for making two updates doesn't preclude discussion of those additional cleanups and ambiguities.
>>
>> In reviewing this language in full, a much needed cleanup, one area that stuck out to me, and which may not need to be resolved, but worth considering, are the requirements for revocation if the CA is "made aware of a material change in the information contained in the certificate" (#6 in the 5 day range) and if the CA "determines that any of the information appearing in the Certificate is inaccurate".
>>
>> One thing that stuck out was "made aware" versus "determines" - and whether that distinction is significant (all of the other relevant language in this section uses "made aware"). This is, admittedly, a carry over, but I'm curious if there is any significance/impact to changing this to "made aware".
>>
>> The next thing that stuck out is determining whether "material change in the information" and "is inaccurate" are, in fact, different. Are there cases where the information is inaccurate due to an (immaterial) change? Are there material changes that don't result in inaccuracy? This couples with the above to leave it a bit messy and gray as to how the CA may classify things.
>>
>> In looking at Section 9.6.1, regarding the CA's warranties, it seems our goal is to provide relying parties both assertions on the correctness of the information at the time it was issued, as well as that the information is correct on an ongoing basis (cf. 9.6.1 (8)). In terms of predictability and clear expectations for CAs, the determination of material/immaterial, and the flexibility for determination in general, seems to set up potential conflict with the needs of Relying Parties and Subscribers, and leave CAs in a bit of the messy place that some of this ballot tries to get them sorted out from.
>>
>> I hope this will prove to be uncontroversial, but the concrete suggestions I would have are:
>> 1) Strike "material" from 4.9.1.1, p2, Item 6, to read "The CA is made aware of a change in the information contained in the certificate"
>
> I suspect that this is controversial and am not sure that I agree with the proposed change. For example, when GoDaddy removed the space from their former name "Go Daddy", that would, in my opinion, have been an immaterial change to the content of any certificate containing "Go Daddy" in the O field. Other examples might include capitalization and punctuation. While I dislike ambiguities and the abuse they invite, this is a case where I think it is acceptable, if not necessary.

But aren't these distinct organizations? If I were to look up, say, in a business registry, I wouldn't find both entries as current, would I? One might be a tradename, or a historic note, but there could be an entity "Go Daddy" and an entity "GoDaddy" once the organization itself renamed itself, if I'm not mistaken.

>> 2) Change "determines" to "is made aware" in 4.9.1.1, p2, Item 8, to read "The CA is made aware that any of the information appearing in the Certificate is inaccurate."
>
> I don't have strong feelings about this, but I do make some distinction between "determining" (on its own) and "being made aware of" (by someone else). I prefer the current language because it makes some admittedly minor distinction between these two reasons.

Although there's currently no trigger for the duration between the CA being made aware of such information and making a determination. For example, if a problem report arrives with inaccurate information, the CA may take two weeks to make such a determination, and upon making a determination, decide to revoke. They might, as part of both their preliminary and final report, note that they have not yet determined that the information is inaccurate.
_______________________________________________
Public mailing list
[email protected]
https://cabforum.org/mailman/listinfo/public
