[cabf_validation] [EXTERNAL]Concerns regarding Ballot 218

Tim Hollebeek tim.hollebeek at digicert.com
Thu Jan 18 07:29:11 MST 2018


If people need more time to get off of #1, and that's what it takes to get it passed, I'm personally very open to that.  I've privately heard that feedback from several other people.

Some of our timelines have, historically, been too short, and caused more harm than good.

-Tim

> -----Original Message-----
> From: Validation [mailto:validation-bounces at cabforum.org] On Behalf Of
> Bruce Morton via Validation
> Sent: Thursday, January 18, 2018 6:49 AM
> To: CA/Browser Forum Validation WG List <validation at cabforum.org>
> Cc: Jürgen Brauckmann <brauckmann at dfn-cert.de>
> Subject: Re: [cabf_validation] [EXTERNAL]Concerns regarding Ballot 218
> 
> Forwarded on behalf of Jürgen.
> 
> Bruce.
> 
> -----Original Message-----
> From: Jürgen Brauckmann [mailto:brauckmann at dfn-cert.de]
> Sent: January 18, 2018 4:43 AM
> To: Curt Spann <cspann at apple.com>; Bruce Morton
> <Bruce.Morton at entrustdatacard.com>
> Cc: Dimitris Zacharopoulos <jimmy at it.auth.gr>; Gervase Markham
> <gerv at mozilla.org>; md at ssc.lt; geoffk at apple.com;
> Mike.Reilly at microsoft.com; Kim.Nguyen at bdr.de; Arno.Fiedler at bdr.de; Kirk
> Hall <Kirk.Hall at entrustdatacard.com>; Ralf Groeper <groeper at dfn.de>;
> Reimer Karlsen-Masur, DFN-CERT <karlsen-masur at dfn-cert.de>
> Subject: Re: [EXTERNAL]Concerns regarding Ballot 218
> 
> Yes, you can forward this mail to the validation working group.
> 
> Regarding the time period: Obviously no one from the original proposers took
> into account that there may be CAs which use only 3.2.2.4.1 and 3.2.2.4.5.
> 
> So, the time period must cover the necessary effort to implement new
> processes and supporting systems for other validation methods.
> 
> This includes all the lengthy stuff that a responsible, BR-compliant organization
> is supposed to do like external pen testing if it turns out that the changes are
> significant.
> 
> Additionally, the proposed ballot forces a complete revalidation workload not
> only on the affected CAs, but also on the customers. So, the timeframe must
> take into account that there (again) will be a peak of revalidation activity,
> which will not be magically done overnight.
> 
> I don't know how fast other organizations can do such changes, but for us 6
> months sounds like a reasonable period.
> 
> Thanks,
>     Jürgen
> 
> On 17.01.2018 at 19:19, Curt Spann wrote:
> > I think this should be discussed with the broader group either in the
> > validation working group or CAB Forum public list.
> >
> > Since you feel March 01, 2018 is too short of a time period, what time period
> > do you feel is reasonable and would not constitute an emergency on your part?
> >
> > Cheers,
> > Curt
> >
> >> On Jan 17, 2018, at 7:35 AM, Bruce Morton
> >> <Bruce.Morton at entrustdatacard.com> wrote:
> >>
> >> Hi Jürgen,
> >>
> >> I agree with your position. The timeframe is too short and the proposed
> >> ballot does feel anti-competitive.
> >>
> >> Do you mind if I forward your email to the Validation Working Group?
> >>
> >> Thanks, Bruce.
> >>
> >> -----Original Message-----
> >> From: Jürgen Brauckmann [mailto:brauckmann at dfn-cert.de]
> >> Sent: January 17, 2018 10:23 AM
> >> To: Dimitris Zacharopoulos <jimmy at it.auth.gr>; Bruce Morton
> >> <Bruce.Morton at entrustdatacard.com>; Gervase Markham
> >> <gerv at mozilla.org>; md at ssc.lt; geoffk at apple.com;
> >> Mike.Reilly at microsoft.com; Kim.Nguyen at bdr.de; Arno.Fiedler at bdr.de;
> >> cspann at apple.com
> >> Cc: Ralf Groeper <groeper at dfn.de>; Reimer Karlsen-Masur, DFN-CERT
> >> <karlsen-masur at dfn-cert.de>
> >> Subject: [EXTERNAL]Concerns regarding Ballot 218
> >>
> >> Hello,
> >>
> >> we are operating the PKI services for the German Research Network; our
> >> non-commercial PKI chains up to Deutsche Telekom Root CA 2 and T-Telesec
> >> GlobalRoot Class 2, and is in heavy use by all academic and research
> >> institutions in Germany.
> >>
> >> We have been following the discussion on ballot 218 in the CA/Browser
> >> Forum over the last few days and are worried about the intended time frame.
> >>
> >> While we do understand and support the fundamental arguments
> >> concerning the validation methods in question, we are from our point of view
> >> not in a situation where "emergency fixes" are necessary. We thus think that
> >> the intended effective date for this ballot (March 01 2018) has to be moved to
> >> a later date, e.g. by six months.
> >>
> >> The proposed short-term invalidation of broadly used validation methods
> >> not only forces CAs to implement new methods on very short notice but also
> >> invalidates all existing validations that were already conducted and are still
> >> (within 825 days) valid. Implementing new validation methods in a hurry also
> >> increases the risk that the new processes are not tested well enough before
> >> being used.
> >>
> >> We strongly feel that with this short timeframe, CAs that already now rely
> >> on the then remaining validation methods would have an unfair competitive
> >> advantage. Other CAs that cannot change all their validation methods in time
> >> and/or re-validate all validations using new methods will be in serious trouble,
> >> as will be their customers/users that have to change their own internal PKI
> >> processes on short notice.
> >>
> >> Additionally, this would pose a precedent for the future with all changes in
> >> BR being implemented with unnecessarily short lead times for the advantage of
> >> some and the disadvantage of others.
> >>
> >> We think that your CAs/Users are also at least partially affected by this and
> >> we hope that ballot 218 will not pass in this form or, alternatively, a more
> >> reasonable ballot will be presented in CA/B-Forum.
> >>
> >> Best regards,
> >>     Jürgen
> >>
> >> --
> >> Dipl. Inform. Jürgen Brauckmann (PKI Team), Phone +49 40 808077-627
> >> https://blog.pki.dfn.de
> >>
> >> DFN-CERT Services GmbH, https://www.dfn-cert.de, Phone +49 40 808077-580
> >> Sitz / Register: Hamburg, AG Hamburg, HRB 88805, Ust-IdNr.: DE 232129737
> >> Sachsenstraße 5, 20097 Hamburg/Germany, CEO: Dr. Klaus-Peter Kossakowski
> >
> 
> --
> Dipl. Inform. Jürgen Brauckmann (PKI Team), Phone +49 40 808077-627
> https://blog.pki.dfn.de
> 
> DFN-CERT Services GmbH, https://www.dfn-cert.de, Phone +49 40 808077-580
> Sitz / Register: Hamburg, AG Hamburg, HRB 88805, Ust-IdNr.: DE 232129737
> Sachsenstraße 5, 20097 Hamburg/Germany, CEO: Dr. Klaus-Peter Kossakowski
> _______________________________________________
> Validation mailing list
> Validation at cabforum.org
> https://cabforum.org/mailman/listinfo/validation