[cabfpub] Revocation revamp
jeremy.rowley at digicert.com
Thu Mar 19 14:20:07 UTC 2015
I think the Baseline Requirements need improvements on how CAs are required to handle certificate revocations, especially if the certificate issue is reported by security researchers. There needs to be a distinction between private keys exposed through an attack and private keys made vulnerable through an exploit (such as Heartbleed).
For incidents where the vulnerability has not been made public or where there is an exploit affecting the general user base, there should be a longer time period for revocation than 24 hours. For private keys being maliciously misused, we should still have the 24-hour window.
The length of time we permit for revocation should be strict enough to prevent abuse but flexible enough to permit investigation and patching in a timely manner. Plus, a less strict revocation deadline would encourage CA participation in the remediation efforts and reduce the panic created by a high-profile vulnerability. Right now, the 24-hour requirement is actually an incentive to exclude CAs from the remediation process, as not giving CAs notice provides more time to remediate.
One idea to make the revocation period flexible is something like requiring the CA to provide notice that the certificate will be revoked because of the reasons specified in Section 13.1.5, and then requiring revocation within one week after the announcement of an industry vulnerability and within 72 hours after public disclosure of the vulnerability is made. This gives CAs time to participate in the discussions and ensures we still have a short revocation window for publicly disclosed threats. Another idea is to simply expand the time by up to two weeks if the revocation is part of an ongoing investigation into an issue or a planned patch process.