<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p.msonormal0, li.msonormal0, div.msonormal0
{mso-style-name:msonormal;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
span.hoenzb
{mso-style-name:hoenzb;}
span.EmailStyle19
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri",sans-serif;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link=blue vlink=purple><div class=WordSection1><p class=MsoNormal>Hmm - that does seem long. What if we keep the investigation to 24 hours and change revocation to 24 hours/2 weeks? There’s no reason for the CA to delay investigating any issue.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>For transparency, what do you suggest? I left it the same as today. Perhaps state that the CA MUST reply to the certificate problem reporter about its decision within 3 days? <o:p></o:p></p><p class=MsoNormal><a name="_MailEndCompose"><o:p> </o:p></a></p><span style='mso-bookmark:_MailEndCompose'></span><p class=MsoNormal><b>From:</b> Ryan Sleevi [mailto:sleevi@google.com] <br><b>Sent:</b> Wednesday, August 23, 2017 1:10 PM<br><b>To:</b> Jeremy Rowley <jeremy.rowley@digicert.com>; CA/Browser Forum Public Discussion List <public@cabforum.org><br><b>Subject:</b> Re: [cabfpub] Revocation ballot v2<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><div><p class=MsoNormal>To make sure I'm summarizing the meaningful change:<o:p></o:p></p><div><p class=MsoNormal>- 7 days upon when a CA itself decides a violation (e.g. CA failing to follow its CP/CPS or the Baseline Requirements)<o:p></o:p></p></div><div><p class=MsoNormal>- 14 days (up to 7 days for investigation/confirmation) for an external report of a CA violating its CP/CPS<o:p></o:p></p></div><div><p class=MsoNormal> - 7 days for investigation & FINAL report<o:p></o:p></p></div><div><p class=MsoNormal> - While still requiring that CAs MUST NOT exceed 7 days from that determination to revoke<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>And not requiring any transparency for reports the CA determines are 'not valid', right? Meaning any problem reporter who feels the CA's response is inadequate must, as they do today, escalate to Application Software Suppliers.<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>Did I properly summarize? I want to make sure I parse it right (the "MUST not" was subtle, for example, in part due to non-2119 capitalization), particularly that the CA must still revoke within a total of 14 days for externally-reported-and-confirmed issues.<o:p></o:p></p></div></div><div><p class=MsoNormal><o:p> </o:p></p><div><p class=MsoNormal>On Wed, Aug 23, 2017 at 2:56 PM, Jeremy Rowley via Public <<a href="mailto:public@cabforum.org" target="_blank">public@cabforum.org</a>> wrote:<o:p></o:p></p><blockquote style='border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in'><div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>Attached is a revised version of the revocation ballot. This leaves the revocation deadline at 24 hours for key compromise, but gives CAs a week to respond to other issues. Pretty sure I don’t need to preface where this proposal is coming from.<o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>Thoughts?<o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='color:#888888'>Jeremy<o:p></o:p></span></p></div></div><p class=MsoNormal style='margin-bottom:12.0pt'><br>_______________________________________________<br>Public mailing list<br><a href="mailto:Public@cabforum.org">Public@cabforum.org</a><br><a href="https://cabforum.org/mailman/listinfo/public" target="_blank">https://cabforum.org/mailman/listinfo/public</a><o:p></o:p></p></blockquote></div><p class=MsoNormal><o:p> </o:p></p></div></div></body></html>