On Thu, Aug 30, 2018 at 6:24 PM Ryan Sleevi <[email protected]> wrote:
> > > On Thu, Aug 30, 2018 at 6:41 PM Wayne Thayer via Servercert-wg < > [email protected]> wrote: > >> On Thu, Aug 30, 2018 at 10:42 AM Ryan Sleevi <[email protected]> wrote: >> >>> Thanks Wayne. >>> >>> I know you're intentionally avoiding the controversial cleanups with >>> this specific Ballot, so it will be good to have a follow-on discussion for >>> those matters, as CAs will no doubt having to make only one update to their >>> CP/CPS versus two. Or, differently stated, I'd hope that the argument for >>> making two updates doesn't preclude discussion of those additional cleanups >>> and ambiguities. >>> >>> In reviewing this language in full, a much needed cleanup, one area that >>> stuck out to me, and which may not need to be resolved, but worth >>> considering, are the requirements for revocation if the CA is "made aware >>> of a material change in the information contained in the certificate" (#6 >>> in the 5 day range) and if the CA "determines that any of the information >>> appearing in the Certificate is inaccurate" >>> >>> One thing that stuck out was "made aware" versus "determines" - and >>> whether that distinction is significant (all of the other relevant language >>> in this section uses "made aware"). This is, admittedly, a carry over, but >>> I'm curious if there is any significance/impact to changing this to "made >>> aware" >>> >>> The next thing that stuck out is determining whether "material change in >>> the information" and "is inaccurate" are, in fact, different. Are there >>> cases where the information is inaccurate due to an (immaterial) change? >>> Are there material changes that don't result in inaccuracy? This couples >>> with the above to leave it a bit messy and gray as to how the CA may >>> classify things. >>> >>> In looking at Section 9.6.1, regarding the CA's warranties, it seems our >>> goal is to provide relying parties both assertions on the correctness of >>> the information at the time it was issued, as well as that the information >>> is correct on an ongoing basis (c.f. 9.6.1 (8)). In terms of predictability >>> and clear expectations for CAs, the determination of material/immaterial, >>> and the flexibility for determination in general, seems to set up potential >>> conflict with the needs of Relying Parties and Subscribers, and leave CAs >>> in a bit of the messy place that some of this ballot tries to get them >>> sorted out from. >>> >>> >>> I hope this will prove to be uncontroversial, but the concrete >>> suggestions I would have are: >>> 1) Strike "material" from 4.9.1.1, p2, Item 6, to read "The CA is made >>> aware of a change in the information contained in the certificate" >>> >> > >> I suspect that this is controversial and am not sure that I agree with >> the proposed change. For example, when GoDaddy removed the space from their >> former name "Go Daddy", that would, in my opinion, have been an immaterial >> change to the content of any certificate containing "Go Daddy" in the O >> field. Other examples might include capitalization and punctuation. While I >> dislike ambiguities and the abuse they invite, this is a case where I think >> it is acceptable, if not necessary. >> > > But aren't these distinct organizations? > > In what sense? Certainly in the physical world they are the same. > > If I were to look up, say, in a business registry, I wouldn't find both > entries as current, would I? One might be a tradename, or a historic note, > but there could be an entity "Go Daddy" and an entity "GoDaddy" once the > organization itself renamed itself, if I'm not mistaken. > > This is perhaps not a good example given the complex corporate structure, and I don't know the full history, but I think it makes my point which is that this is a controversial change. > > > >> > >> >>> 2) Change "determines" to "is made aware" in 4.9.1.1, p2, Item 8, to >>> read "The CA is made aware that any of the information appearing in the >>> Certificate is inaccurate." >>> >> > >> I don't have strong feelings about this, but I do make some distinction >> between "determining" (on its own) and "being made aware of" (by someone >> else). I prefer the current language because it makes some admittedly minor >> distinction between these two reasons. >> > > Although there's currently no trigger for the duration between the CA > being made aware of such information and making a determination. For > example, if a problem report arrives with inaccurate information, the CA > may take two weeks to make such a determination, and upon making a > determination, decide to revoke. They might, as part of both their > preliminary and final report, note that they have not yet determined that > the information is inaccurate. > > I see your point, but it assumes that a CA can 'be made aware that any of the information appearing in the Certificate is inaccurate' without triggering reason #6 ('made aware of a material change in the information contained in the Certificate'), which seems unlikely. My concern with your proposal is that a CA could interpret "is made aware of" as only applying when a 3rd party reports a problem. Would a change to 'determines or is made aware of' resolve both concerns?
_______________________________________________ Public mailing list [email protected] https://cabforum.org/mailman/listinfo/public
