[cabfpub] Allowing SHA-1 OCSP and CRL signatures past 2016

Wayne Thayer wthayer at godaddy.com
Wed Oct 26 20:40:37 UTC 2016

As a CA with an OCSP responder certificate that expires in February, my only option is to cram a ceremony to issue the new cert into December. Of course this is my own problem and is still a problem if we weren't about to change the rules, but that's my motivation for asking the question.

Moreover, without formal approval of this rule change, every CA that wishes to maintain SHA-1 OCSP signing capability is left with a dilemma - do I assume the ballot will eventually pass, or do I cram in a ceremony to create a long-lived SHA-1 responder certificate before the deadline?

I accept that neither of these reasons amount to a crisis worthy of throwing the Forum rulebook out the window. I do think that the discussion has been helpful in highlighting what might be an inconsistency between the bylaws and the IPR policy, and to serve as an example of the problem with having a 50+ day balloting process. The current situation is unique, but I'll be surprised if it's the last time that we're looking for a way to "rush" through a ballot.



> -----Original Message-----
> From: Public [mailto:public-bounces at cabforum.org] On Behalf Of Geoff
> Keating via Public
> Sent: Wednesday, October 26, 2016 12:15 PM
> To: Ryan Sleevi <sleevi at google.com>
> Cc: CABFPub <public at cabforum.org>
> Subject: Re: [cabfpub] Allowing SHA-1 OCSP and CRL signatures past 2016
> I don’t see the urgency here.  If we follow regular process (that is, allow
> ballot 180 to complete, and then propose ballot 184 in mid-January), it can be
> complete by end February.  This means you can’t issue new OCSP signing
> certificates for a 2-month period, but considering that Entrust’s OCSP
> certificates appear to be valid for 3 years, it doesn’t seem like a huge
> imposition to ask you to check for any that expire in, say, the first half of 2017
> and if so generate a new one before the end of the year.
> > On 26 Oct. 2016, at 11:49 am, Ryan Sleevi via Public <public at cabforum.org>
> wrote:
> >
> >
> >
> > On Wed, Oct 26, 2016 at 11:45 AM, Kirk Hall
> <Kirk.Hall at entrustdatacard.com> wrote:
> > I think we may be making too much of all this.  If we have both an old style
> ballot to make the change now following the procedures in our Bylaws and
> our past practices, at the very least we will have added the change to our
> Draft Guidelines with everything else.
> >
> >
> >
> > If we simultaneously add the change to Ballot 180, we will also be following
> the procedures in our IPR Policy and our new practices, and Ballot 180, once
> adopted on Jan. 7 will effectively override the previous old style ballot.  We
> would move faster if we could on Ballot 180 to avoid having to follow this
> process, but it’s not possible.
> >
> >
> > Can you explain what you mean by "simultaneously"? I tried to highlight
> the issue with your proposal before, but perhaps it would be better if you
> restate.
> >
> > We can do several things, but as I see it, your suggestion of "simultaneous"
> is to vote on 184 while also modifying 180. This implies that the results of 184
> are irrelevant for the modification of 180, which seems a dangerous
> precedent to set, and otherwise pointless to vote on 184.
> >
> > If you mean that 180 follows the completion of 184, then it means
> withdrawing 180, as I explained previously. That's fine, it just means delaying
> it.
> >
> > So it’s  win-win, and I see no harm from following a dual track for this single
> time-sensitive issue.  Remember also that the purpose of our IPR Policy is to
> detect whether or not there are potential IP claims relating to a draft
> guideline – in this case, I don’t see how Wayne’s proposed amendment
> could possibly impact anyone’s claimed IP.
> >
> >
> > I appreciate your perspective, but I don't believe your perspective provides
> the legal assurances that members want, and for which our IPR policy is
> designed to assure. That's the point - we shouldn't be speculating about IP
> impact, we should follow a consistent process.
> > _______________________________________________
> > Public mailing list
> > Public at cabforum.org
> > https://cabforum.org/mailman/listinfo/public

More information about the Public mailing list