[cabfpub] Allowing SHA-1 OCSP and CRL signatures past 2016

Jeremy Rowley jeremy.rowley at digicert.com
Wed Oct 26 18:00:28 UTC 2016

I’m not sure if there is consensus on Virigina’s interpretation. We haven’t even had a straw poll to agree/disagree on the issue. 


That’s my interpretation more or less with one point. I don’t see a draft guideline that hasn’t completed the IPR as non-binding. The difference between a “draft guideline” and “final guideline” is purely an IPR semantic where a draft simply hasn’t undergone the exclusion notice period. This does nothing to affect the legitimacy of the ballot passed using the process described in the bylaws. The definition of a draft ballot is only that the IP status is unknown.


From: Ryan Sleevi [mailto:sleevi at google.com] 
Sent: Wednesday, October 26, 2016 11:38 AM
To: Jeremy Rowley <jeremy.rowley at digicert.com>
Cc: Kirk Hall <Kirk.Hall at entrustdatacard.com>; CABFPub <public at cabforum.org>
Subject: Re: [cabfpub] Allowing SHA-1 OCSP and CRL signatures past 2016




On Wed, Oct 26, 2016 at 10:02 AM, Jeremy Rowley <jeremy.rowley at digicert.com <mailto:jeremy.rowley at digicert.com> > wrote:

It’s important because a draft guideline isn’t non-binding on the CAB Forum membership. The bylaws clearly spell out how a ballot takes place:


(c)  A representative of any Member can call for a proposed ballot to be published for review and comment by the membership. Any proposed ballot needs two endorsements by other Members in order to proceed. The review period then shall take place for at least seven calendar-days before votes are cast. 


(d)  The CA/Browser Forum shall provide seven calendar-days for voting, with the deadline clearly communicated via the members’ electronic mailing list. All voting will take place online via the members’ electronic mailing list. 


(g) A ballot result will be considered valid only when more than half of the number of currently active members has participated. The number of currently active members is the average number of member organizations that have participated in the previous three meetings (both teleconferences and face-to-face meetings).


This tells me the ballot is effective when passed. The IPR spells out how to handle IP claims, not when a ballot becomes effective. After the ballot passes, we have a 60 day window to review and submit disclosure statements, which is handling the IP issues, not the effectiveness of the previous ballot. This is the issue I was trying to point out in the face to face. Ballot 169 passed and is required by the membership under the bylaws but has not finished the IP review. Although it’s still technically a “draft guideline” until the IPR finishes, there’s nothing in the bylaws or IPR (that I’m aware of) that says a draft ballot isn’t a binding requirement on the membership if that draft has been voted on using the process set up in the bylaws.




This seems to be a substantially different interpretation of the workflow than previously (or currently) being advanced with respect to Ballot 180/181/182. While it may not be wrong, I think it's worth highlighting this element of disagreement, especially with the workmode that has been described within our IPR policy.


In it, you're advocating Ballot, then Review, then adoption. However, Virginia has, on several calls now, put forward an interpretation that suggests Review, then Ballot - under the view that members can't vote to adopt what they don't know is encumbered.


For what it's worth, I'm exceptionally sympathetic to your view, as I think it engages a more productive work model - the Forum, through the Contributions of it members, produces a Ballot that amends an existing (Draft, Final) Guideline. Should the Ballot pass, it becomes an (unapproved) Final or Final Maintenance Guideline, triggering the IPR review period (of 30 to 60 days). If that review period completes, without issue, it is approved as a Final/FMG. If there is an issue, a PAG is convened. This interpretation is supported by 7.1's PAG formation describing working on a "Final Guideline" or "Final Maintenance Guideline" - which is only possible if a ballot has succeeded, but the FG/FMG is unapproved (due to the IPR issue).


However, the counter-view that's been expressed is that the interpretation of the IPR policy's clause, in 4.1, of "Prior to the approval of", indicates that the Review Notice period happens before the Ballot. This is what has been discussed several times, and the discussions related to Straw Polls in order to reduce the need for legal engagement with counsel for ballots that will not be adopted by the Forum. In this interpretation, because the PAG may require modification to the documents in order to address concerns - up to and including removing the Essential Claim from the FG/FMG - then it's natural to state that the documents cannot be balloted until after the PAG has formed.



I highlight this distinction because I think it's key to understanding what we view the input documents to such a ballot as, which directly affects the Review Notice period.


The current suggestion, as I understand it, is to treat the ballots prior to 180 as, effectively, Draft Guidelines (due to the inconsistencies in the IPR policy), re-adopt this as Final Guidelines with a 60 day review, and then Ballots 181 and 182 represent Final Maintenance Guidelines, using the latter interpretation (IPR Review -> Ballot).


As such, it creates a conflict for what an OCSP Ballot 184 would be on - if we accept the current documents are Draft Guidelines, as 180 suggests, then

1) We don't necessarily need ballots for Draft Guidelines. That's not to say we can't, but simply the DG is a "non-binding" document, because it hasn't undergone the IPR review that would allow for its approval as a Final Guideline. I use quotes here, because we know root stores view the situation as binding (from the POV of root programs), but it's not an Officially Approved CABForum work product - much like the code signing docs.

2) If we accept the goal is to ensure it becomes an FG, then we need a 60 day IPR review policy to transition from DG to FG, and that doesn't address the timing concern.


Again, I'm not trying to suggest that a Ballot to formally judge members' reactions to such a change is, but I don't think the output of such a ballot will be an FG/FMG, which I believe is the interpretation Kirk was implying in his suggestion of doing it in the "old" fashion. Instead, it would be another DG.


If we accept the output is a DG, then either we're producing two DGs (the input to Ballot 180, and the output of Ballot 184 OCSP), or we're ignoring the results of Ballot 184 and simply assuming they'll pass - as I believe Kirks' suggestion to modify the input of Ballot 180 represents.


That's why I was trying to offer a more concrete, unambiguous path:

- Strawpoll to modify the DG that is input to Ballot 180 to accomodate Wayne's change

- If we conduct the Strawpoll using the same voting period as an actual Ballot (7 day review, 7 day vote), then it means withdrawing and resubmitting Ballot 180, since it would already be after the voting period concluded

- Otherwise, we conduct a compressed strawpoll (and you've already heard explicit and implicit support from at least 3 vendors, so it doesn't seem this would be a bad thing)

- Integrating that result into Ballot 180

- Voting on Ballot 180 to transition from a DG to an FG with full IPR review


Have I misunderstood both the justification of Ballot 180 and the differing views expressed so far about the IPR policy and workmode? It may be an oversimplified summary of the different interpretations, but I believed at this point, consensus (explicit and implicit) had settled on the latter workmode of "Review -> Ballot", as advanced by Virginia.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20161026/6359d011/attachment-0003.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4964 bytes
Desc: not available
URL: <http://lists.cabforum.org/pipermail/public/attachments/20161026/6359d011/attachment-0001.p7s>

More information about the Public mailing list