[Cscwg-public] Proposal to make changes to revocation based on malware

Martijn Katerbarg martijn.katerbarg at sectigo.com
Wed Jun 29 07:37:08 UTC 2022


Hi Tomas,

 

> There is no language to not revoke the certificate if it was found to be a false positive? 

 

Correct. The existing language didn’t contain this either, however the proposed language does add a bit more clarity (emphasis mine): “For all incidents that lead the CA to believe that the certificate private key is compromised or is being used for Suspect Code”

This allows the CA to conclude something is a false positive, and thus would not need to revoke.

 

> What is the reason to not contact the subscriber? 

 

The scenario I can see is if the CA becomes aware of a threat actor and does not want to tip them off regarding the upcoming revocation, or if a CA Certificate Beneficiary reaches out to the CA to request revocation. Granted, that last item would probably fall under section “Revocation Based on an Application Software Supplier’s Request”, but that doesn’t exclude the fact that section  “Revocation Based on Reported or Detected Key Compromise or Use in Suspect Code” may also need to be followed.

 

Regards,

Martijn

 

 

From: Tomas Gustavsson <Tomas.Gustavsson at keyfactor.com> 
Sent: Tuesday, 28 June 2022 21:01
To: Martijn Katerbarg <martijn.katerbarg at sectigo.com>; cscwg-public at cabforum.org
Subject: Re: [Cscwg-public] Proposal to make changes to revocation based on malware

 

CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe.

 

I missed the F2F, so just curious. 

There is no language to not revoke the certificate if it was found to be a false positive? 

What is the reason to not contact the subscriber? 

 

Regards, 

Tomas 

 

 

  _____  

From: Cscwg-public <cscwg-public-bounces at cabforum.org <mailto:cscwg-public-bounces at cabforum.org> > on behalf of Martijn Katerbarg via Cscwg-public <cscwg-public at cabforum.org <mailto:cscwg-public at cabforum.org> >
Sent: Monday, 27 June 2022, 16:04
To: cscwg-public at cabforum.org <mailto:cscwg-public at cabforum.org>  <cscwg-public at cabforum.org <mailto:cscwg-public at cabforum.org> >
Subject: [Cscwg-public] Proposal to make changes to revocation based on malware

 

CAUTION: External Sender - Be cautious when clicking links or opening attachments. Please email InfoSec at keyfactor.com <mailto:InfoSec at keyfactor.com>  with any questions.

 

All,

 

As already hinted during the last meeting during the F2F, Ian and I, have been working on a proposal affecting the guidelines regarding malware based revocation.

 

The intent of this change is to:

*	Limit the number of days before a certificate needs to be revoked, especially when the subscriber is not responding to inquiries
*	Remove the OCSP log analysis requirements
*	Simplify the process that has to be followed

 

I have attached 3 documents: one with the current language, one with the proposed language, as well as a redlined version.

 

The changes have been made based on upcoming version 3.0 of the CSCBRs. In case you wish to compare with version 2.8, the relevant section is 13.1.5.3. Besides to that section, there is also a change to the “Suspect Code” definition, as well as a new definition in the proposal.

Once PR6 <https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fcabforum%2Fcode-signing%2Fpull%2F6&data=05%7C01%7Cmartijn.katerbarg%40sectigo.com%7C8a755fea2eb34242ff1708da59387cd2%7C0e9c48946caa465d96604b6968b49fb7%7C0%7C0%7C637920396957506961%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000%7C%7C%7C&sdata=Gl20CtakpivVtC%2BOrcx58TEJIq%2FRAeuVjMHX8Bzi2PM%3D&reserved=0>  has been merged, I will also prepare the changes in GIT for those that prefer comparing there.

 

Looking forward to comments to this and move towards a potential ballot.

Regards,

Martijn

 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/cscwg-public/attachments/20220629/fcdc99d6/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 6827 bytes
Desc: not available
URL: <http://lists.cabforum.org/pipermail/cscwg-public/attachments/20220629/fcdc99d6/attachment-0001.p7s>


More information about the Cscwg-public mailing list