[cabfpub] Revocation ballot v2

Ryan Sleevi sleevi at google.com
Tue Aug 29 14:18:16 MST 2017


I'm not sure if you were trying to say the same thing or propose a
different thing :)

That is, I was suggesting the normal flow be:

The CA MUST make a final determination and respond to a Problem Report
within 24 hours, unless all of the following conditions are satisfied:
  - The Report does not indicate that the private key was compromised or
publicly disclosed
  - The Report was not provided by the Subscriber
  - The CA makes a final determination and response available within 7 days
of receipt of the Problem Report
  - The CA notifies the CA/Browser Forum via the questions at cabforum.org (as
it's the only list that doesn't implicitly impose a membership requirement;
although we can certainly explore other ways) of the Problem Report and why
more than 24 hours was needed to investigate within 7 days of receipt of
the Problem Report

The CA MUST revoke the certificate within 24 hours if:
  - The subscriber requests ...
  - The subscriber notifies ...
  - The CA obtains evidence that the Private Key ...

The CA SHOULD revoke the certificate within 24 hours and MUST revoke the
certificate within 7 days if:
  - ...

Is that aligned with what you were saying? (I probably structured it
poorly, but there's the handwavy approach)


On Mon, Aug 28, 2017 at 3:38 PM, Jeremy Rowley <jeremy.rowley at digicert.com>
wrote:

> Not hearing from any other CAs, should we state that the CA must make an
> initial determination and report within 24 hours and a final report in
> accordance with the other timeline?
>
>
>
> *From:* Ryan Sleevi [mailto:sleevi at google.com]
> *Sent:* Thursday, August 24, 2017 9:18 AM
> *To:* Jeremy Rowley <jeremy.rowley at digicert.com>; CA/Browser Forum Public
> Discussion List <public at cabforum.org>
> *Cc:* Gervase Markham <gerv at mozilla.org>
> *Subject:* Re: [cabfpub] Revocation ballot v2
>
> On Wed, Aug 23, 2017 at 11:32 PM, Jeremy Rowley via Public <
> public at cabforum.org> wrote:
>
> Okay - attached.
>
> a) I added the requirement to maintain an email address for addressing
> certificate problem reports to 4.9.3
> b) I added a 24 hour rule for when the original certificate request was
> not authorized.
>
>
>
> Jeremy,
>
>
>
> I'm wondering if you could speak more to what sort of challenges CAs face
> in making a determination within 24 hours, versus seven days.
>
>
>
> For example, consider a report of a CP/CPS non-compliance - which is
> something entirely under the CA's control - particularly for something like
> a profile violation (e.g. extensions when they said they wouldn't have
> them, missing subject naming fields, wrong policies, etc). Why wouldn't a
> CA be able to make a determination about compliance within 24 hours? One
> downside is I could see the added time for investigation adding an
> incentive to delay investigating (in order to delay revocation), rather
> than purely granting the flexibility necessary for complex situations.
>
>
>
> I think if you (or others) could share a bit more about the challenges of
> investigating reports, since I think, ideally, we'd want all reports to be
> taken with the same gravity and attentiveness as a potential security
> issue. I ask this, because I'm wondering whether it makes sense to set the
> standard of the _final_ report at 24 hours, but then allow CAs to take up
> to 7 days (except for the types of reports you noted) as an exception, and
> with an added requirement to disclose why they made use of the additional
> time.
>
>
>
> That is, let's say someone gets a report of a CP/CPS violation, and the CA
> determines that the current BR language is unclear, and they need
> additional time to consult with their auditors and/or the broader
> community. That seems a perfectly reasonable reason to take up to the 7
> days - to make sure the violation is certain - but it also means we may not
> know of the potential confusion in the language, or the auditors'
> conclusions, as a community. If we have those types of situations disclosed
> (through, say, a public mail posting explaining why the >24 hour
> investigation took place, and what the challenges were), we can, as a
> community, better address those situations and work on improvements.
>
>
>
> I'm wondering if that might address your concern about "two weeks", while
> also helping the community better understand the challenges so we can work to
> improve them (in the case they're ambiguities) or collaboratively share
> best practices (in the case of other factors).
>