[cabfpub] Revocation ballot v2

Jeremy Rowley jeremy.rowley at digicert.com
Wed Aug 23 12:25:58 MST 2017


Hmm - that does seem long. What if we keep the investigation to 24 hours and change revocation to 24 hours/2 weeks? There’s no reason for the CA to delay investigating any issue.

For transparency, what do you suggest? I left it the same as today. Perhaps state that the CA MUST reply to the certificate problem reporter about its decision within 3 days?

 

From: Ryan Sleevi [mailto:sleevi at google.com] 
Sent: Wednesday, August 23, 2017 1:10 PM
To: Jeremy Rowley <jeremy.rowley at digicert.com>; CA/Browser Forum Public Discussion List <public at cabforum.org>
Subject: Re: [cabfpub] Revocation ballot v2

To make sure I'm summarizing the meaningful change:

- 7 days upon when a CA itself decides a violation (e.g. CA failing to follow its CP/CPS or the Baseline Requirements)

- 14 days (up to 7 days for investigation/confirmation) for an external report of a CA violating its CP/CPS

  - 7 days for investigation & FINAL report

  - While still requiring that CAs MUST NOT exceed 7 days from that determination to revoke

And not requiring any transparency for reports the CA determines are 'not valid', right? Meaning any problem reporter who feels the CA's response is inadequate must, as they do today, escalate to Application Software Suppliers.

Did I properly summarize? I want to make sure I parse it right (the "MUST not" was subtle, for example, in part due to non-2119 capitalization), particularly that the CA must still revoke within a total of 14 days for externally-reported-and-confirmed issues.

On Wed, Aug 23, 2017 at 2:56 PM, Jeremy Rowley via Public <public at cabforum.org> wrote:

Attached is a revised version of the revocation ballot. This leaves the revocation deadline at 24 hours for key compromise, but gives CAs a week to respond to other issues. Pretty sure I don’t need to preface where this proposal is coming from.

Thoughts?

Jeremy

