[cabfpub] Revocation ballot v2
Jeremy Rowley
jeremy.rowley at digicert.com
Mon Aug 28 12:38:06 MST 2017
Not hearing from any other CAs, should we state that the CA must make an
initial determination and report within 24 hours and a final report in
accordance with the other timeline?
From: Ryan Sleevi [mailto:sleevi at google.com]
Sent: Thursday, August 24, 2017 9:18 AM
To: Jeremy Rowley <jeremy.rowley at digicert.com>; CA/Browser Forum Public
Discussion List <public at cabforum.org>
Cc: Gervase Markham <gerv at mozilla.org>
Subject: Re: [cabfpub] Revocation ballot v2
On Wed, Aug 23, 2017 at 11:32 PM, Jeremy Rowley via Public
<public at cabforum.org> wrote:
Okay - attached.
a) I added the requirement to maintain an email address for addressing
certificate problem reports to 4.9.3
b) I added a 24 hour rule for when the original certificate request was not
authorized.
Jeremy,
I'm wondering if you could speak more to what sort of challenges CAs face in
making a determination within 24 hours, versus seven days.
For example, consider a report of a CP/CPS non-compliance - which is something
entirely under the CA's control - particularly for something like a profile
violation (e.g. extensions when they said they wouldn't have them, missing
subject naming fields, wrong policies, etc). Why wouldn't a CA be able to make
a determination about compliance within 24 hours? One downside is I could see
the added time for investigation adding an incentive to delay investigating
(in order to delay revocation), rather than purely granting the flexibility
necessary for complex situations.
I think if you (or others) could share a bit more about the challenges of
investigating reports, since I think, ideally, we'd want all reports to be
taken with the same gravity and attentiveness as a potential security issue. I
ask this, because I'm wondering whether it makes sense to set the standard of
the _final_ report at 24 hours, but then allow CAs to take up to 7 days
(except for the types of reports you noted) as an exception, and with an added
requirement to disclose why they made use of the additional time.
That is, let's say someone gets report of a CP/CPS violation, and the CA
determines that the current BR language is unclear, and they need additional
time to consult with their auditors and/or the broader community. That seems a
perfectly reasonable reason to take up to the 7 days - to make sure the
violation is certain - but it also means we may not know of the potential
confusion in the language, or the auditors' conclusions, as a community. If we
have those types of situations disclosed (through, say, a public mail posting
explaining why the >24 hour investigation took place, and what the challenges
were), we can, as a community, better address those situations and work on
improvements.
I'm wondering if that might address your concern about "two weeks", while also
helping the community better understand the challenges so we can work to improve
them (in the case they're ambiguities) or collaboratively share best practices
(in the case of other factors).