[cabfpub] Allowing SHA-1 OCSP and CRL signatures past 2016

Ryan Sleevi sleevi at google.com
Wed Oct 26 18:20:41 UTC 2016 

On Wed, Oct 26, 2016 at 11:00 AM, Jeremy Rowley <jeremy.rowley at digicert.com>
wrote:

> I’m not sure if there is consensus on Virigina’s interpretation. We
> haven’t even had a straw poll to agree/disagree on the issue.
>
>
>
> That’s my interpretation more or less with one point. I don’t see a draft
> guideline that hasn’t completed the IPR as non-binding. The difference
> between a “draft guideline” and “final guideline” is purely an IPR semantic
> where a draft simply hasn’t undergone the exclusion notice period. This
> does nothing to affect the legitimacy of the ballot passed using the
> process described in the bylaws. The definition of a draft ballot is only
> that the IP status is unknown.
>

The consequence of this interpretation is whether you expect auditors to
have their criteria reflect DGs or FGs.

If OCSP Ballot 184 produces another DG, then I don't believe it's something
we'd want to suggest auditors incorporate into their criteria, or use that
to influence their opinions of finding, because effectively any member can
produce a DG at any time. What's meaningful and matters is whether it's
formally approved as an FG/FMG - which, in both interpretations, and as
stated in the IPR policy, can only happen after the review period.

I think using terms like 'binding' and 'legitimacy' are perhaps going to
distract from the issue - since binding is a property of root programs'
expectations (and the associated audit criteria), and 'legitimacy' is a
matter of following the Bylaws and IPR Policy.

As a concrete example of potential problems with this interpretation:
If a member produces a DG that says "Do whatever you want", should auditors
incorporate that into their audit criteria?
  - If we say "yes", well, we're doomed
  - If we say "No, not until it's been affirmed by a Ballot", but do not
wait until the completion of the Review Period, then its possible that
auditors will incorporate IP-encumbered requirements within their audit
criteria, and any CA that fails to license such technology may be at risk
of receiving a qualified audit.

That's why I think, independent of Ballot -> Review or Review -> Ballot,
the ability to incorporate into auditable criteria and guidance can only be
done after the completion of both. If we're in agreement there, then we're
back to the question of whether or not the combination can complete in
sufficient time.

The only way to reduce the Review Period is to take a view that an OCSP
Ballot 184 is an FMG, meaning 30 day review, since if it's a DG/FG, the
review period is 60 days.

So in order to meet Wayne's need, without setting a dangerous precedent as
explained with the example above, we'd have to interpret it as an FMG, but
I believe the discussion to date does not support that interpretation,
because there's no clear FG to be used as the input to OCSP Ballot 184.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20161026/9c1b4f2b/attachment-0003.html>

More information about the Public mailing list