<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p.msonormal0, li.msonormal0, div.msonormal0
{mso-style-name:msonormal;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
span.EmailStyle18
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri",sans-serif;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link=blue vlink=purple><div class=WordSection1><p class=MsoNormal>Yeah – pretty much, except the part about the CAB Forum. If emailing the CAB Forum is required, I think the CA MUST provide a link to the entity submitting the Certificate Problem Report with the discussion.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Any additional comments before I finalize and ask for endoresers? <o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><a name="_MailEndCompose"><o:p> </o:p></a></p><span style='mso-bookmark:_MailEndCompose'></span><p class=MsoNormal><b>From:</b> Ryan Sleevi [mailto:sleevi@google.com] <br><b>Sent:</b> Tuesday, August 29, 2017 3:18 PM<br><b>To:</b> Jeremy Rowley <jeremy.rowley@digicert.com><br><b>Cc:</b> CA/Browser Forum Public Discussion List <public@cabforum.org>; Gervase Markham <gerv@mozilla.org><br><b>Subject:</b> Re: [cabfpub] Revocation ballot v2<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><div><p class=MsoNormal>I'm not sure if you were trying to say the same thing or propose a different thing :)<o:p></o:p></p><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>That is, I was suggesting the normal flow be:<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>The CA MUST make a final determination and respond to a Problem Report within 24 hours, unless all of the following conditions are satisfied:<o:p></o:p></p></div><div><p class=MsoNormal> - The Report does not indicate that the private key was compromised or publicly disclosed<o:p></o:p></p></div><div><p class=MsoNormal> - The Report was not provided by the Subscriber<o:p></o:p></p></div><div><p class=MsoNormal> - The CA makes a final determination and response available within 7 days of receipt of the Problem Report<o:p></o:p></p></div><div><p class=MsoNormal> - The CA notifies the CA/Browser Forum via the <a href="mailto:questions@cabforum.org">questions@cabforum.org</a> (as it's the only list that doesn't implicitly impose a membership requirement; although we can certainly explore other ways) of the Problem Report and why more than 24 hours was needed to investigate within 7 days of receipt of the Problem Report<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>The CA MUST revoke the certificate within 24 hours if:<o:p></o:p></p></div><div><p class=MsoNormal> - The subscriber requests ...<o:p></o:p></p></div><div><p class=MsoNormal> - The subscriber notifies ...<o:p></o:p></p></div><div><p class=MsoNormal> - The CA obtains evidence that the Private Key ...<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>The CA SHOULD revoke the certificate within 24 hours and MUST revoke the certificate within 7 days if:<o:p></o:p></p></div><div><p class=MsoNormal> - ...<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>Is that aligned with what you were saying? (I probably structured it poorly, but there's the handwavy approach)<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div></div><div><p class=MsoNormal><o:p> </o:p></p><div><p class=MsoNormal>On Mon, Aug 28, 2017 at 3:38 PM, Jeremy Rowley <<a href="mailto:jeremy.rowley@digicert.com" target="_blank">jeremy.rowley@digicert.com</a>> wrote:<o:p></o:p></p><blockquote style='border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in'><div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>Not hearing from any other CAs, should we state that the CA must make an initial determination and report within 24 hours and a final report in accordance with the other timeline? <o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><a name="m_2423779046301716591__MailEndCompose"> </a><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><b>From:</b> Ryan Sleevi [mailto:<a href="mailto:sleevi@google.com" target="_blank">sleevi@google.com</a>] <br><b>Sent:</b> Thursday, August 24, 2017 9:18 AM<br><b>To:</b> Jeremy Rowley <<a href="mailto:jeremy.rowley@digicert.com" target="_blank">jeremy.rowley@digicert.com</a>>; CA/Browser Forum Public Discussion List <<a href="mailto:public@cabforum.org" target="_blank">public@cabforum.org</a>><br><b>Cc:</b> Gervase Markham <<a href="mailto:gerv@mozilla.org" target="_blank">gerv@mozilla.org</a>><br><b>Subject:</b> Re: [cabfpub] Revocation ballot v2<o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>On Wed, Aug 23, 2017 at 11:32 PM, Jeremy Rowley via Public <<a href="mailto:public@cabforum.org" target="_blank">public@cabforum.org</a>> wrote:<o:p></o:p></p><div><div><blockquote style='border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0in;margin-bottom:5.0pt'><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>Okay - attached.<br><br>a) I added the requirement to maintain an email address for addressing certificate problem reports to 4.9.3<br>b) I added a 24 hour rule for when the original certificate request was not authorized.<o:p></o:p></p></blockquote><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>Jeremy,<o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>I'm wondering if you could speak more to what sort of challenges CAs face in making a determination within 24 hours, versus seven days. <o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>For example, consider a report of a CP/CPS non-compliance - which is something entirely under the CA's control - particularly for something like a profile violation (e.g. extensions when they said they wouldn't have them, missing subject naming fields, wrong policies, etc). Why wouldn't a CA be able to make a determination about compliance within 24 hours? One downside is I could see the added time for investigation adding an incentive to delay investigating (in order to delay revocation), rather than purely granting the flexibility necessary for complex situations.<o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>I think if you (or others) could share a bit more about the challenges of investigating reports, since I think, ideally, we'd want all reports to be taken with the same gravity and attentiveness as a potential security issue. I ask this, because I'm wondering whether it makes sense to set the standard of the _final_ report at 24 hours, but then allow CAs to take up to 7 days (except for the types of reports you noted) as an exception, and with an added requirement to disclose why they made use of the additional time.<o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>That is, let's say someone gets report of a CP/CPS violation, and the CA determines that the current BR language is unclear, and they need additional time to consult with their auditors and/or the broader community. That seems a perfectly reasonable reason to take up to the 7 days - to make sure the violation is certain - but it also means we may not know of the potential confusion in the language, or the auditors' conclusions, as a community. If we have those types of situations disclosed (through, say, a public mail posting explaining why the >24 hour investigation took place, and what the challenges were), we can, as a community, better address those situations and work on improvements.<o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>I'm wondering if that might address your concern about "two weeks", while also help the community better understand the challenges so we can work to improve them (in the case they're ambiguities) or collaboratively share best practices (in the case of other factors)<o:p></o:p></p></div></div></div></div></div></div></div></div></blockquote></div><p class=MsoNormal><o:p> </o:p></p></div></div></body></html>