[cabfpub] Revocation revamp

Ben Laurie benl at google.com
Wed Mar 25 13:11:36 UTC 2015


On the subject of revocation, I was wondering how one would go about
revoking a mis-issued cert detected through CT. I picked a couple of random
CAs and tried to find out how I might report that they'd mis-issued a cert
for my site. I completely failed.

Do the BRs say anything about this?

On 19 March 2015 at 14:20, Jeremy Rowley <jeremy.rowley at digicert.com> wrote:

> Hi everyone,
>
> I think the Baseline Requirements need improvements on how CAs are
> required to handle certificate revocations, especially if the certificate
> issue is reported by security researchers. There needs to be a distinction
> between private keys exposed through an attack and where private keys are
> made vulnerable through an exploit (such as Heartbleed).
>
> For incidents where the vulnerability has not been made public or where
> there is an exploit affecting the general user base, there should be a
> longer time period for revocation than 24 hours. For private keys being
> maliciously misused, we should still have the 24 hour window.
>
> The length of time we permit for revocation should be strict enough to
> prevent abuse but flexible enough to permit investigation and patching in a
> timely manner. Plus, a less strict revocation deadline would encourage CA
> participation in the remediation efforts and reduce the panic created by a
> high-profile vulnerability. Right now, the 24 hour requirement is actually
> an incentive to exclude CAs from the remediation process, as not giving CAs
> notice provides more time to remediate.
>
> One idea to make the revocation period flexible is something like requiring
> the CA to provide notice that the certificate will be revoked because of
> the reasons specified in Section 13.1.5 and then requiring revocation
> within one week after the announcement of an industry vulnerability and
> within 72 hours after public disclosure of the vulnerability is made. This
> gives CAs time to participate in the discussions and ensures we still have
> a short revocation window for publicly disclosed threats. Another idea is
> to simply expand the time by up to two weeks if the revocation is part of
> an ongoing investigation into an issue or a planned patch process.
>
> Thoughts?
>
> Jeremy