[cabfpub] Revocation revamp

Doug Beattie doug.beattie at globalsign.com
Wed Mar 25 21:18:15 UTC 2015


Ben,

Did you check their CPSs?  I know that we specify a contact email in our CPS, sections 1.5 and 9.11.

Doug

From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Ben Laurie
Sent: Wednesday, March 25, 2015 9:12 AM
To: Jeremy Rowley
Cc: public at cabforum.org
Subject: Re: [cabfpub] Revocation revamp

On the subject of revocation, I was wondering how one would go about revoking a mis-issued cert detected through CT. I picked a couple of random CAs and tried to find out how I might report that they'd mis-issued a cert for my site. I completely failed.

Do the BRs say anything about this?

On 19 March 2015 at 14:20, Jeremy Rowley <jeremy.rowley at digicert.com> wrote:
Hi everyone,

I think the Baseline Requirements need improvements on how CAs are required to handle certificate revocations, especially if the certificate issue is reported by security researchers. There needs to be a distinction between private keys exposed through an attack and where private keys are made vulnerable through an exploit (such as Heartbleed).

For incidents where the vulnerability has not been made public or where there is an exploit affecting the general user base, there should be a longer time period for revocation than 24 hours. For private keys being maliciously misused, we should still have the 24 hour window.

The length of time we permit for revocation should be strict enough to prevent abuse but flexible enough to permit investigation and patching in a timely manner. Plus, a less strict revocation deadline would encourage CA participation in the remediation efforts and reduce the panic created by a high-profile vulnerability. Right now, the 24 hour requirement is actually an incentive to exclude CAs from the remediation process as not giving CAs notice provides more time to remediate.

One idea to make the revocation period flexible is something like requiring the CA to provide notice that the certificate will be revoked because of the reasons specified in Section 13.1.5 and then requiring revocation within one week after the announcement of an industry vulnerability and within 72 hours after public disclosure of the vulnerability is made. This gives CAs time to participate in the discussions and ensures we still have a short revocation window for publicly disclosed threats. Another idea is to simply expand the time by up to two weeks if the revocation is part of an ongoing investigation into an issue or a planned patch process.

Thoughts?

Jeremy


_______________________________________________
Public mailing list
Public at cabforum.org
https://cabforum.org/mailman/listinfo/public

