[cabfpub] Revocation ballot v2

Jeremy Rowley jeremy.rowley at digicert.com
Thu Aug 24 09:06:17 MST 2017


I added the requirement to 4.9.3. That way all of the certificate problem reporting requirements are contained in a single section.

 

From: Tim Hollebeek [mailto:THollebeek at trustwave.com] 
Sent: Thursday, August 24, 2017 7:45 AM
To: Adriano Santoni <adriano.santoni at staff.aruba.it>; CA/Browser Forum Public Discussion List <public at cabforum.org>; Jeremy Rowley <jeremy.rowley at digicert.com>
Subject: RE: [cabfpub] Revocation ballot v2

 

I think it’s probably cleaner to put a requirement for an email address for problem reports in 1.5.2 where it can have a SHALL.  For some CAs it’s going to be the same address as the one that’s already required there.

 

Implied requirements through carefully written definitions are easy to miss.

 

-Tim

 

From: Public [mailto:public-bounces at cabforum.org] On Behalf Of Adriano Santoni via Public
Sent: Thursday, August 24, 2017 2:13 AM
To: Jeremy Rowley <jeremy.rowley at digicert.com>; CA/Browser Forum Public Discussion List <public at cabforum.org>
Subject: Re: [cabfpub] Revocation ballot v2

 

OK. Then I agree.

 

On 24/08/2017 07:44, Jeremy Rowley wrote:

Under this change, email is not the only way to manage Certificate Problem Reports. The change requires CAs to support at least email, but the CA may support any other methods they want to manage.  Regardless of potential spam, requiring CAs to manage one mailing list doesn’t seem unreasonable considering how difficult/annoying other methods are.    

 

From: Public [mailto:public-bounces at cabforum.org] On Behalf Of Adriano Santoni via Public
Sent: Wednesday, August 23, 2017 11:40 PM
To: public at cabforum.org
Subject: Re: [cabfpub] Revocation ballot v2

 

The problem I see with mandating an email address as the only way to report a problem to the CA is that mailboxes are subject to spamming. Our certificate problem reporting mailbox is being targeted by spam more and more lately, and it is not always easy and quick to tell apart real problem reports and spam.

On 24/08/2017 02:45, Gervase Markham via Public wrote:

On 23/08/17 17:39, Jeremy Rowley via Public wrote:

“Certificate Problem Report: A complaint of suspected Key Compromise,
Certificate misuse, or other types of fraud, compromise, misuse, or
inappropriate conduct related to Certificates that is sent to an email
address publicly specified in the CA’s repository.”

 
I think that if we want to mandate that the CA's Problem Reporting
Mechanisms include at minimum an email address, we should say that in
the relevant section, rather than slip it in here.
 
I would be in support of such a change. :-) We are considering it for
Mozilla policy. People currently find it too difficult to send reports
to multiple CAs, having to cope with lots of different mechanisms.
 
Gerv
_______________________________________________
Public mailing list
Public at cabforum.org
https://cabforum.org/mailman/listinfo/public

 

 
