[cabf_validation] CRL Validity Interval Ballot

Dimitris Zacharopoulos (HARICA) dzacharo at harica.gr
Wed Oct 13 14:05:12 UTC 2021

On 13/10/2021 4:44 PM, Ryan Sleevi wrote:
> On Wed, Oct 13, 2021 at 9:36 AM Dimitris Zacharopoulos (HARICA) 
> <dzacharo at harica.gr> wrote:
>     I assume that the majority of Members would be in favor of making
>     a requirement unambiguous in the BRs that can be measured
>     consistently across the board.
> Right, I think we're in agreement here, but your restating it makes me 
> think you may believe we're in disagreement?

I wasn't sure because in your last comment you mentioned that some Root 
Programs describe requirements in months to allow more flexibility, and 
I got a feeling you didn't want to see more specificity in the BRs. It 
appears that you re-confirmed it, so I got a bit more confused but 
hopefully things will be clearer soon :)

>     I recommend we use this opportunity to fix the existing bug in
>     4.9.10 and set a reasonable effective date for CAs to update
>     their validity period configurations for CRLs and OCSP measured in
>     days instead of months. This may result in stricter requirements
>     than the existing Root program requirements (would that be a
>     first???) but this doesn't necessarily mean it is problematic.
> I'm not sure I understand this point. I just tried to explain why it'd 
> be problematic, which is something we discussed quite a bit several 
> years ago, with feedback from WebTrust in particular on this point 
> about the misalignment between days and calendrical events. Root 
> programs took that feedback into consideration, and that's why the 
> approach I mentioned specifically exists to reduce the risk of 
> compliance issues. It's unclear if you believe those concerns to be 
> unfounded or unnecessary, or if I just didn't communicate this well.

4.9.7 and 4.9.10 have a nextUpdate requirement for Root CRLs and OCSP 
responses, and this is set for 12 months. Do we want the same level of 
"accuracy" as the CRL/OCSP responses of Subordinate CAs? If we do not, 
then we can focus on language about just the CRLs/OCSP responses issued 
by "online" CAs, as Wayne has already done in the proposed ballot and 
there is no need to make further changes to the BRs.

If I understand your position, you believe we should be specific (to the 
second) only for specific requirements, such as those linked to RFC 5280 
(validity of a certificate, validity period of a CRL/OCSP response) and 
not the other cases (related to request tokens, audit reports, etc). Is 
that accurate?
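As an added illustration (not part of this thread or of any CA's tooling), the following Python takes a CRL or OCSP thisUpdate/nextUpdate window and checks it against a limit expressed in calendar months and against one expressed in days, to show where the two readings the thread is debating disagree. The sample timestamps and the 365-day figure are constructed assumptions, not values from the BRs.

```python
from calendar import monthrange
from datetime import datetime, timedelta

# Constructed sample thisUpdate/nextUpdate pairs (not taken from the thread),
# written as RFC 5280 GeneralizedTime strings as they appear in a CRL/OCSP response.
SAMPLES = {
    "root_crl_spanning_leap_day": ("20190301000000Z", "20200301000000Z"),
    "root_crl_from_leap_day": ("20200229000000Z", "20210228000000Z"),
}

def parse_generalized_time(value):
    """Parse a Zulu GeneralizedTime such as 20190301000000Z into a naive UTC datetime."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ")

def add_months(moment, months):
    """Add calendar months, clamping the day to the end of the target month
    (so 31 Jan + 1 month is 28/29 Feb). This is one reading of 'N months';
    RFC 5280 time fields carry no notion of months, only absolute instants."""
    index = moment.month - 1 + months
    year, month = moment.year + index // 12, index % 12 + 1
    day = min(moment.day, monthrange(year, month)[1])
    return moment.replace(year=year, month=month, day=day)

def interval_days(this_update, next_update):
    """Exact length of the validity window in days (fractional)."""
    return (next_update - this_update) / timedelta(days=1)

def within_months(this_update, next_update, months):
    """Compliant under a limit expressed in calendar months."""
    return next_update <= add_months(this_update, months)

def within_days(this_update, next_update, days):
    """Compliant under a limit expressed in days."""
    return next_update - this_update <= timedelta(days=days)

def assess(this_update_str, next_update_str, months=12, days=365):
    """Evaluate one window under both readings. The 365-day default is an
    illustrative stand-in for a day-based limit, not a BR requirement."""
    tu, nu = parse_generalized_time(this_update_str), parse_generalized_time(next_update_str)
    return {
        "days": interval_days(tu, nu),
        "ok_by_months": within_months(tu, nu, months),
        "ok_by_days": within_days(tu, nu, days),
    }

if __name__ == "__main__":
    for name, (tu, nu) in SAMPLES.items():
        r = assess(tu, nu)
        print(f"{name}: {r['days']:.0f} days, months-rule={r['ok_by_months']}, days-rule={r['ok_by_days']}")
```

The first sample is exactly 12 calendar months yet 366 days because it spans 29 Feb 2020, so it passes a months-based limit and fails a 365-day one; this is the days-versus-calendar misalignment the thread refers to.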
