Generalization of CPS to avoid misissuance

Michel Le Bihan

Jun 10, 2021, 5:03:11 AM
to dev-secur...@mozilla.org

>> Note that CPS v3.3 was released on June 8, 2021, and changed Section 7.1 to match Section 6.3.2 in stating that end-entity certificates will have a lifetime of less than 100 days

> As was previously stated in https://bugzilla.mozilla.org/show_bug.cgi?id=1708965#c3 by Jesper Kristensen

>> The reason I want to read it is that while the BRs are very precise about what 398 days means, should we assume the same level of precision in all CPSes? I think doing so would encourage all CAs to be as vague as possible in their CPS, if a small typo in there will be treated as misissuance.

> I think that the desired outcome and solution to such issues should not be generalizing the CPS and making it as vague as possible to prevent compliance issues.


> I think that if it's not practical to guarantee a precision of 1s, then it should be OK for CAs to state that certificates will be valid for x +- y. Now CAs can just change their CPS to state that certificates will be valid for no longer than the value in the BR just to be safe, but I think that it's not the desired outcome.


Both KIR and LE changed their CPS to be less precise. I think that it might start a trend of generalizing CPS and that wouldn't be a desired outcome or practice.

If a CA wasn't able to guarantee what they stated in their CPS, should they just remove that from it?

Ryan Sleevi

Jun 10, 2021, 10:40:18 AM
to Michel Le Bihan, dev-secur...@mozilla.org
On Thu, Jun 10, 2021 at 5:03 AM Michel Le Bihan <michel.le...@gmail.com> wrote:

> Both KIR and LE changed their CPS to be less precise. I think that it might start a trend of generalizing CPS and that wouldn't be a desired outcome or practice.


Do you have any suggested solutions to this, that are both objective (i.e. explicitly not relying on “we” the community deciding it’s not important in case X but is in case Y) and ensure that a CA actually privately does what they publicly state they do?

That’s not to say I disagree with the concern, but the goal and purpose of a CPS has always been to have the CA publicly state what they do, and the relying parties that accept that CPS deciding that the CPS (including its level of detail) is acceptable.

> If a CA wasn't able to guarantee what they stated in their CPS, should they just remove that from it?

I’m unclear. Are you asking whether omissions should be a more desirable outcome than generalizations?

The answer is “No”, but I suspect I’ve either misunderstood your question, or it was a rhetorical device and I missed the concept you were trying to convey.
