[cabfpub] Require commonName in Root and Intermediate Certificates ballot draft (2)

Ryan Sleevi sleevi at google.com
Thu Apr 20 15:42:34 UTC 2017


On Thu, Apr 20, 2017 at 11:34 AM, Gervase Markham via Public <public at cabforum.org> wrote:

> On 17/04/17 18:17, Jeremy Rowley wrote:
> > Why the sigh? I think we should have a bright-line rule about when the
> > scope/date should be in the proposed ballot vs. when the scope/date must
> > be in the document itself. Otherwise, the objection to including a date in
> > the ballot v. BR text seems arbitrary. If I understand correctly, the
> > accepted rule proposed is:
> >
> > 1) The only point in time action that matters is certificate issuance;
>
> I'm not sure that's quite it. The relevant point in time action is
> whatever the BR requirement is about. So requirements about data
> gathering relate to when data is gathered; requirements about data reuse
> relate to when data is reused, and so on.
>

Interesting, because I think there may be a small but significant
disagreement here.

That is, if BRs 1.x say:
1. You must gather data using method Foo
2. You may reuse data for up to 12 months
3. You must have data before doing X

and a later BRs 2.x say:
1. You must gather data using method Bar
2. You may reuse data for up to 12 months
3. You must have data before doing X

It sounds like your interpretation is that "#2" reads "Using this, or any
previous, method". Our view is that #2 is contingent on and linked to #1 -
that is, if Foo is not acceptable, then Foo is not acceptable, full stop.
All certificates issued - whether they're for an existing or new validation
- should follow the same standards.

I think your interpretation would make it more detrimental for the
ecosystem, because a customer who used method Foo to obtain a certificate,
but then wishes to change CAs, must now use method Bar, whereas if they
keep the same CA, they can keep using Foo. Similarly, it means for any
certificate issued on-or-after BRs 2.x, you cannot be sure whether method
Foo or method Bar was used. New certificates MUST use method Bar, but
existing data may have used method Foo, and thus be of weaker assurance and
security.

So requirements about data gathering apply both when it is gathered and
reused. Requirements about data reuse apply when it is reused. And so on.
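Added example, not part of the thread: a toy model of the two readings of the reuse clause argued over above, so the disagreement can be checked against concrete dates. The BR version table, the method names Foo and Bar, the 12-month reuse window and the dates are constructed placeholders, not real BR text.

```python
from datetime import date, timedelta

# Constructed toy versions of the BRs from the message: each version lists the
# data-gathering methods it accepts; both allow reuse of gathered data for up
# to 12 months (placeholder values, not real BR text).
BR_VERSIONS = {
    "1.x": {"accepted_methods": {"Foo"}},
    "2.x": {"accepted_methods": {"Bar"}},
}
MAX_REUSE = timedelta(days=365)


def reuse_allowed(method, gathered_on, issue_on, br_in_force, interpretation):
    """Decide whether validation data gathered with `method` on `gathered_on`
    may be reused for a certificate issued on `issue_on` while BR version
    `br_in_force` applies.

    "method-at-gather": the reuse clause (#2) reads "using this, or any
        previous, method", so only the age of the data is checked.
    "method-at-reuse": the gathering requirement (#1) also applies at reuse
        time, so the method must still be acceptable under the BRs in force.
    """
    if issue_on - gathered_on > MAX_REUSE:
        return False  # stale data is rejected under either reading
    if interpretation == "method-at-gather":
        return True
    if interpretation == "method-at-reuse":
        return method in BR_VERSIONS[br_in_force]["accepted_methods"]
    raise ValueError(f"unknown interpretation: {interpretation}")


def compare_interpretations(method, gathered_on, issue_on, br_in_force):
    """Return both verdicts side by side for one validation record."""
    return {
        name: reuse_allowed(method, gathered_on, issue_on, br_in_force, name)
        for name in ("method-at-gather", "method-at-reuse")
    }


if __name__ == "__main__":
    # Constructed scenario: Foo data gathered under BRs 1.x, reused for a
    # certificate issued after BRs 2.x (which only accepts Bar) took effect.
    print(compare_interpretations("Foo", date(2017, 1, 1), date(2017, 6, 1), "2.x"))
```

Under "method-at-gather" the Foo record is still usable after 2.x, which is the outcome the message objects to; under "method-at-reuse" it is rejected as soon as Foo stops being acceptable.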

