
Ballot SC-081 Input Requested


Clint Wilson

Nov 13, 2024, 8:20:48 PM
to valid...@groups.cabforum.org
Hello all,

I’ve updated the PR (https://github.com/cabforum/servercert/pull/553/files) associated with SC-081 and have identified a few areas where I’d like some additional feedback on the approach:

Validity period steps
In Section 6.3.2, I’ve currently set the “steps” in reducing the maximum validity period at 200, 100, and 47. The change from 45 to 47 was to better allow for CAs (and software integrations) to issue certificates with a validity period of 45 days while not skirting the maximum validity period, which allows for the semi-common practice of renewing certificates at two-thirds of the cert’s lifetime to occur at 30 days. 47 days also better matches my intent in mirroring the past (evolving) pattern of maximum validity periods:
39 months = 3 years + 3 months
825 days = 2 years + 94/95 days
398 days = 1 leap year (366) + 1 31-day month + 1 day SHOULD vs MUST
200 days = Maximal 6 month period (184 days) + 1/2 30 day month (15 days) + 1 day SHOULD vs MUST
100 days = Maximal 3 month (92 days) + ~1/4 30 day month (7 days) + 1 day SHOULD vs MUST
47 days = Maximal 1 month (31 days) + 1/2 30 day month (15 days) + 1 day SHOULD vs MUST

Question: Do these validity periods make sense as the correct steps? For example, for the 100 day step, I rounded 7.5 down to 7 instead of up to 8 and wanted to understand if folks would prefer 101 there instead or if the “neater” numbers are preferable.

SHOULD dates
In both Section 4.2.1 and Section 6.3.2, I’ve only set dates for MUST requirements. Would folks like to also have a set of dates for SHOULD requirements, e.g. 6 months prior to the MUST dates, adding the same requirement but with a SHOULD?
I’m personally inclined towards adding these, but I wasn’t sure if that was a commonly held view.

Table headings
I intended the table headings to be descriptive, but not normative. I’m not sure I’ve hit the mark there and would like suggestions on how to label the tables so it’s clear that the contents are normative requirements, but the scope of applicability for that content is found in the preceding paragraph(s) rather than the table heading. 
Similarly, if the paragraphs themselves are not clear as to the tables’ scopes, that would be helpful to have feedback on.

The table headings are currently:
Table: Reference for maximum allowed Subject Validation Data Reuse Period
Table: Reference for maximum allowed Domain Name and IP Address Validation Data Reuse Period
Table: Reference for maximum Validity Periods of Subscriber Certificates

Validation Data Reuse Period
I capitalized “Validation Data Reuse Period” initially because I thought it might be helpful to define this term, similar to “Validity Period”, but I find myself questioning the relevance and value of doing so. Would folks prefer this to be a defined term (or some portion of it, such as “Validation Data” only)?

Thanks all,
-Clint

Clint Wilson

Dec 11, 2024, 11:44:39 PM
to server...@groups.cabforum.org, valid...@groups.cabforum.org
Hello,

I’ve updated SC-081 in response to discussion and feedback received so far: https://github.com/cabforum/servercert/pull/553/files

In relation to the questions posed below, I remain open to feedback and the current state of the ballot is as follows:

Validity period steps
I believe these steps make sense as an incremental reduction following the pattern described below and don’t currently plan to modify these further.

SHOULD dates
Section 6.3.2 includes “SHOULD dates” in the text, but not the table. This seems sufficient to me and I don’t currently plan to add “SHOULD dates” into the tables.

Table headings
I’ve updated the first table in Section 4.2.1 to use “Subject Identity Information” which I believe provides the needed clarity. Below are the current table headings and I don’t have plans to modify these further at this time:

Table: Subject Identity Information validation data reuse periods
Table: Domain Name and IP Address validation data reuse periods
Table: Reference for maximum Validity Periods of Subscriber Certificates

Validation Data Reuse Period
With the shift to using the defined term “Subject Identity Information”, I don’t believe defining “Validation Data” or “Validation Data Reuse Period” provides sufficient additional clarity to be worthwhile.

With these changes, I believe this ballot is ready to enter a Discussion Period. Sectigo and Google Chrome have endorsed so far, but if any other Member would like to add their endorsement, it would be most welcome.

I’ll give this a few days, but then plan to initiate an extended Discussion Period into the new year, after which (hopefully) we can move forward to a Voting Period. Please let me know if you have any additional feedback!

Thank you,
-Clint

--
You received this message because you are subscribed to the Google Groups "Validation Subcommittee (CA/B Forum)" group.
To view this discussion visit https://groups.google.com/a/groups.cabforum.org/d/msgid/validation/A886C0FC-C5B8-44CD-8412-D62C066A2023%40apple.com.
