[cabf_validation] [External Sender] Re: Multi-Perspective Issuance Corroboration Updates

Adriano Santoni adriano.santoni at staff.aruba.it
Tue Oct 24 07:24:24 UTC 2023


Thank you Ryan,

yes, your edits are fine with me.

Adriano


On 23/10/2023 18:44, Ryan Dickson wrote:
> Hi Adriano,
>
>
> Thank you for your review of the latest 
> <https://github.com/ryancdickson/staging/pull/8> proposal to 
> incorporate "Multi-Perspective Issuance Corroboration" ("MPIC") 
> requirements into the TLS Baseline Requirements.
>
>
> Responses to your comments are inline below.
>
>
>     1) I cannot seem to find an explicit requirement that a CA uses at
>     least two (2) Remote Network Perspectives. That can be inferred
>     from the Quorum Requirements table in 3.2.2.9, sure, but it would
>     probably be better (IMO) if it was explicit.
>
>
> The "Quorum Requirements" table describes the maximum number of 
> allowed "non-corroborations" given the number of distinct remote 
> network perspectives used for an MPIC attempt. The end of 3.2.2.9 
> presents the "Phased Implementation Timeline," which describes 
> implementation milestones that strengthen over time. Over the proposed 
> implementation timeline, quorum requirements increase from undefined 
> (during the period where CAs SHOULD be implementing MPIC but are not 
> otherwise required) to 5+ (beginning in December 2026).
>
>
> I've noticed some of my formatted emails aren't preserved well on the 
> Mail archive (example 
> <https://archive.cabforum.org/pipermail/servercert-wg/2023-July/003825.html>), 
> so I've also described this implementation in a GitHub comment 
> <https://github.com/ryancdickson/staging/pull/8/files#r1368708684>. I 
> also made some edits 
> <https://github.com/ryancdickson/staging/commit/d40f1614978f74fd84a198175640bd2f4008106b> 
> to the proposed language in hopes of making this more clear.
>
> Does this address your concern? If not, suggested edits directly on 
> GitHub are welcome.
>
>
>
>     2) The current proposed language has it that Remote Network
>     Perspectives must be "distinct from the Primary Network
>     Perspective" (meaning they must be at least 500km away from it),
>     but it doesn't say that they must also be "distinct" from each
>     other! Although this is intuitable, IMO it would be better to clarify.
>
>
> Added in this update 
> <https://github.com/ryancdickson/staging/commit/fa0bb58b405a3745874e757f072789f369087c60>. 
> Does this address your concern? If not, suggested edits directly on 
> GitHub are welcome.
>
>
>
> If I can make anything more clear, please let me know.
>
>
> Thanks again for your review and comments,
>
> Ryan
>
>
>
> On Mon, Oct 23, 2023 at 4:58 AM Adriano Santoni via Validation 
> <validation at cabforum.org> wrote:
>
>     All,
>
>     I have a couple doubts after reading [1]:
>
>     1) I cannot seem to find an explicit requirement that a CA uses at
>     least two (2) Remote Network Perspectives. That can be inferred
>     from the Quorum Requirements table in 3.2.2.9, sure, but it would
>     probably be better (IMO) if it was explicit.
>
>     2) The current proposed language has it that Remote Network
>     Perspectives must be "distinct from the Primary Network
>     Perspective" (meaning they must be at least 500km away from it),
>     but it doesn't say that they must also be "distinct" from each
>     other! Although this is intuitable, IMO it would be better to clarify.
>
>     [1]
>     https://github.com/ryancdickson/staging/blob/require-mpdv-v2/docs/BR.md#3229-multi-perspective-issuance-corroboration
>
>     Adriano
>
>