<html xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:Wingdings;
panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
{mso-style-priority:34;
margin-top:0in;
margin-right:0in;
margin-bottom:0in;
margin-left:.5in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
p.msonormal0, li.msonormal0, div.msonormal0
{mso-style-name:msonormal;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
span.gmail-
{mso-style-name:gmail-;}
span.EmailStyle19
{mso-style-type:personal;
font-family:"Calibri",sans-serif;
color:windowtext;}
span.EmailStyle21
{mso-style-type:personal-compose;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri",sans-serif;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
/* List Definitions */
@list l0
{mso-list-id:1186140421;
mso-list-type:hybrid;
mso-list-template-ids:298121858 678082684 67698691 67698693 67698689 67698691 67698693 67698689 67698691 67698693;}
@list l0:level1
{mso-level-start-at:24;
mso-level-number-format:bullet;
mso-level-text:-;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Calibri",sans-serif;
mso-fareast-font-family:Calibri;}
@list l0:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Courier New";}
@list l0:level3
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Wingdings;}
@list l0:level4
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Symbol;}
@list l0:level5
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Courier New";}
@list l0:level6
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Wingdings;}
@list l0:level7
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Symbol;}
@list l0:level8
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Courier New";}
@list l0:level9
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Wingdings;}
ol
{margin-bottom:0in;}
ul
{margin-bottom:0in;}
--></style></head><body lang=EN-US link=blue vlink=purple><div class=WordSection1><p class=MsoNormal>A 24 hour report to the CAB Forum doesn’t make sense if the length of the investigation is not tied to the understanding/interpretation of the CAB Forum requirement. For example, if someone alleges a company changed addresses, revocation may be required under “information appearing in the Certificate is inaccurate or misleading”. Information in the QIIS might not be updated, the contact person may be on vacation, etc. This isn’t a CAB Forum issue so there’s no reason to report that it’s taking longer than 24 hours to complete the certificate problem report. <o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>What should be required, imo, is a report to the entity submitting the certificate problem report about why it’s taken longer than the required 24 hours. For investigation, what if we did:<o:p></o:p></p><ul style='margin-top:0in' type=disc><li class=MsoListParagraph style='margin-left:0in;mso-list:l0 level1 lfo1'>24 hours required for the initial report<o:p></o:p></li><li class=MsoListParagraph style='margin-left:0in;mso-list:l0 level1 lfo1'>24 hours for the final report if the problem alleges X, Y, or Z<o:p></o:p></li><li class=MsoListParagraph style='margin-left:0in;mso-list:l0 level1 lfo1'>7 days for the final report for all other reasons.<o:p></o:p></li></ul><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Anything taking longer than 24 hours because of an issue with the CAB Forum requirements, must be reported to the CAB Forum.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Then revocation stays at:<o:p></o:p></p><ul style='margin-top:0in' type=disc><li class=MsoListParagraph style='margin-left:0in;mso-list:l0 level1 lfo1'>24 hours required for X, Y, and Z<o:p></o:p></li><li class=MsoListParagraph style='margin-left:0in;mso-list:l0 level1 lfo1'>24 hours SHOULD for all other reasons<o:p></o:p></li><li class=MsoListParagraph style='margin-left:0in;mso-list:l0 level1 lfo1'>7 days required for all other reasons<o:p></o:p></li></ul><p class=MsoNormal><a name="_MailEndCompose"><o:p> </o:p></a></p><p class=MsoNormal><span style='mso-bookmark:_MailEndCompose'>Will this work? <o:p></o:p></span></p><p class=MsoNormal><span style='mso-bookmark:_MailEndCompose'><o:p> </o:p></span></p><span style='mso-bookmark:_MailEndCompose'></span><p class=MsoNormal><b>From:</b> Public [mailto:public-bounces@cabforum.org] <b>On Behalf Of </b>Ryan Sleevi via Public<br><b>Sent:</b> Monday, September 4, 2017 8:14 AM<br><b>To:</b> Gervase Markham <gerv@mozilla.org><br><b>Cc:</b> CA/Browser Forum Public Discussion List <public@cabforum.org><br><b>Subject:</b> Re: [cabfpub] Ballot 213 - Revocation Timeline Extension<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><div><p class=MsoNormal><o:p> </o:p></p><div><p class=MsoNormal><o:p> </o:p></p><div><p class=MsoNormal>On Mon, Sep 4, 2017 at 5:27 AM, Gervase Markham <<a href="mailto:gerv@mozilla.org" target="_blank">gerv@mozilla.org</a>> wrote:<o:p></o:p></p><blockquote style='border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in'><p class=MsoNormal><span class=gmail->On 01/09/17 18:58, Ryan Sleevi wrote:</span><br><span class=gmail->> It's primarily about ensuring transparency in a way that's consistent -</span><br><span class=gmail->> and the Forum is relevant because it feeds into our determination about</span><br><span class=gmail->> ways to clarify text, while also providing a useful reference for</span><br><span class=gmail->> auditors and CAs regarding root stores' interpretations (and ensuring</span><br><span class=gmail->> there's no misalignment). I suggested questions@, because it's our only</span><br><span class=gmail->> list that doesn't require any form of agreement or participation in the</span><br><span class=gmail->> Forum at large - thus ensuring it's appropriate for all members. </span><br><br>(This is not the first time we've encountered that issue; do we need a<br>better-named "<a href="mailto:notifications@cabforum.org">notifications@cabforum.org</a>" email list?)<br><br>I see what you are trying to do; perhaps it's the phrasing which is<br>bugging me. Does this wording do the same thing that you are aiming for,<br>or has it changed the meaning?<br><br>"If any interpretation of these Requirements means that a CA believes it<br>may permit, and does permit, more than seven days to elapse between<br>receiving a Certificate Problem Report and providing a final<br>determination, the CA SHALL notify the CA/Browser Forum of their<br>interpretation by emailing <a href="mailto:questions@cabforum.org">questions@cabforum.org</a>."<o:p></o:p></p></blockquote><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>Thanks for highlighting this. I actually think Jeremy and I may have crossed wires. My intent was to set the following limits for determination:<o:p></o:p></p></div><div><p class=MsoNormal>- 24 hours under situations X, Y, Z<o:p></o:p></p></div><div><p class=MsoNormal>- 24 hours SHOULD for everything else<o:p></o:p></p></div><div><p class=MsoNormal>- 7 days MUST for everything else<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>With a "Anything > 24 hours requires a report"<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>That covers assessment<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>And then the actual revocation works as<o:p></o:p></p></div><div><p class=MsoNormal>- 24 hours under situations X, Y, Z<o:p></o:p></p></div><div><p class=MsoNormal>- 7 days MUST for everything else<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>With no report as to the timing of that revocation.<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal> <o:p></o:p></p></div><blockquote style='border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in'><p class=MsoNormal>But again, while I see what you are trying to do, how to we avoid the<br>BRs filling up with text like:<br><br>A) Do X.<br>B) If any CA feels these Requirements can be interpreted to mean that<br>they don't have to do X, they should email <a href="mailto:questions@cabforum.org">questions@cabforum.org</a>.<br>C) Do Y.<br>D) If any CA feels these Requirements can be interpreted to mean that<br>they don't have to do X, they should email <a href="mailto:questions@cabforum.org">questions@cabforum.org</a>.<br>...<br><br>Why is there a unique need in this particular case for notification of<br>interpretive "creativity"?<o:p></o:p></p></blockquote><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>I'm not sure I would go as far as to suggest it's interpretative "creativity" - I think we're discussing cases of ambiguity which may take time to resolve (e.g. the CA consulting with their auditors and/or the Forum), or for which systemic issues might exist. I think we're appreciative of the need to coordinate with subscribers and perhaps take additional steps (although it does mean that the effectiveness of revocation for is now 7d+7d+7d days rather than the current 24h+24h+7d), but I think we'd want to understand why any investigation _isn't_ cut and dry.<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>For example, if an OCSP Responder is reported as responding GOOD to non-issued certificates, that should be something the CA can investigate and report on within 24 hours. If the CA can't, that's concerning.<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>As to notification, I think any place we offer for purely CA discretion, we need transparency. So to the extent we allow for situations like "You should do X, unless you think you don't have to" - then I absolutely think a notification is appropriate. We have that true for Severability (and for good reason), and I think we would also want that for security incident reporting. Are there other places you think CAs should be left to subjectively evaluate rather than work on objective criteria?<o:p></o:p></p></div></div></div></div></div></body></html>