[cabfpub] Ballot 213 - Revocation Timeline Extension

Jeremy Rowley jeremy.rowley at digicert.com
Thu Aug 31 21:40:57 MST 2017 

A revised version is attached. Additional comments and/or endorsements are welcome! 

 

Ballot 213 – Revocation Timeline Extension

 

Purpose: This ballot extends the revocation requirements in certain circumstances from 24 hours to seven days. The following motion is proposed by Jeremy Rowley of DigiCert and endorsed by XXX and XXX:

 

--MOTION BEGINS—

 

A.	Amend Section 4.9.1.1 as follows

 

The CA –(SHALL)-- __MUST__ revoke a Certificate within 24 hours if:

 

1.   The Subscriber requests in writing that the CA revoke the Certificate;

2.               The Subscriber notifies the CA that the original certificate request was not authorized and does not retroactively grant authorization;

3.	The CA obtains evidence that the Subscriber’s Private Key corresponding to the Public Key in the Certificate suffered a Key Compromise –(or)--; 

 

__The CA SHOULD revoke the certificate within 24 hours and MUST revoke a Certificate within seven days__ if one or more of the following occurs:

 

__1.  The Certificate__ no longer complies with the requirements of Sections 6.1.5 and 6.1.6;

__2. __  --(4)--The CA obtains evidence that the Certificate was misused;

__3. __ --(5)--The CA is made aware that a Subscriber has violated one or more of its material obligations under the Subscriber Agreement or Terms of Use;

__4. __ --(6)--The CA is made aware of any circumstance indicating that use of a Fully-Qualified Domain Name or IP address in the Certificate is no longer legally permitted (e.g. a court or arbitrator has revoked a Domain Name Registrant’s right to use the Domain Name, a relevant licensing or services agreement between the Domain Name Registrant and the Applicant has terminated, or the Domain Name Registrant has failed to renew the Domain Name);

__5. __ --(7)--The CA is made aware that a Wildcard Certificate has been used to authenticate a fraudulently misleading subordinate Fully-Qualified Domain Name;

__6. __ --(8)--The CA is made aware of a material change in the information contained in the Certificate;

__7. __  --(9)--The CA is made aware that the Certificate was not issued in accordance with these Requirements or the CA’s Certificate Policy or Certification Practice Statement;

__8. __ --(10)--The CA determines that any of the information appearing in the Certificate is inaccurate or misleading;

__9. __ --(11)--The CA ceases operations for any reason and has not made arrangements for another CA to provide revocation support for the Certificate;

__10. __ --(12)--The CA’s right to issue Certificates under these Requirements expires or is revoked or terminated, unless the CA has made arrangements to continue maintaining the CRL/OCSP Repository;

__11. __ --(13)--The CA is made aware of a possible compromise of the Private Key of the Subordinate CA used for issuing the Certificate;

__12. __ --(14)--Revocation is required by the CA’s Certificate Policy and/or Certification Practice Statement; or

__13. __ --(15)--The technical content or format of the Certificate presents an unacceptable risk to Application Software Suppliers or Relying Parties (e.g. the CA/Browser Forum might determine that a deprecated cryptographic/signature algorithm or key size presents an unacceptable risk and that such Certificates should be revoked and replaced by CAs within a given period of time).

 

B.	Amend Section 4.9.3 as follows:


The CA SHALL provide a process for Subscribers to request revocation of their own Certificates. The process MUST be described in the CA’s Certificate Policy or Certification Practice Statement. The CA SHALL maintain a continuous 24x7 ability to accept and respond to revocation requests and –(related inquiries)-- __Certificate Problem Reports__. 


The CA SHALL –(provide)-- __publicly disclose an email address through its online repository that __Subscribers, Relying Parties, Application Software Suppliers, and other third parties __may use to submit Certificate Problem Reports. The CA SHALL monitor this email address 24x7. A Certificate Problem Report is considered received by the CA when sent to the specified email address.__ ---(with clear instructions for reporting suspected Private Key Compromise, Certificate misuse, or other types of fraud, compromise, misuse, inappropriate conduct, or any other matter related to Certificates. The CA SHALL publicly disclose the instructions through a readily accessible online means.)—


C)   Amend Section 4.9.5 as follows:


4.9.5  Time within which CA Must Process the Revocation Request


__Within 24 hours after receiving a Certificate Problem Report, the CA SHALL investigate the facts and circumstances related to a Certificate Problem Report and provide a preliminary report on its findings to both the Subscriber and the entity who filed the Certificate Problem Report.  The CA SHALL provide a final determination on the Certificate Problem Report within the earliest of the following timelines:

 

a.	Within 24 hours after receiving notice that a Private Key was compromised or publicly disclosed,
b.	Within 24 hours after receiving notification that the Certificate requested was not authorized by the Subscriber and the Subscriber does not retroactively grant authorization, or
c.	Within seven business days after receiving a Certificate Problem Report alleging an issue other than key compromise.

 

If any ambiguity in these Requirements will result in a delay of more than seven days in providing a final determination of a Certificate Problem Report, the CA SHALL first notify the CA/Browser Forum of the ambiguity by emailing  <mailto:questions at cabforum.org> questions at cabforum.org. 

 

After reviewing the facts and circumstances, the CA SHALL work with any entity reporting the Certificate Problem Report or other revocation-related notice to establish a date when the CA will revoke the Certificate which MUST not exceed the time frame set forth in Section 4.9.1.1. The date selected by the CA SHOULD consider the following criteria:__

 

--(The CA SHALL begin investigation of a Certificate Problem Report within twenty-four hours of receipt, and decide whether revocation or other appropriate action is warranted based on at least the following criteria:)--

 

1.	The nature of the alleged problem (scope, context, severity, magnitude, risk of harm);
2.	The consequences of revocation (direct and collateral impacts to Subscribers and Relying Parties);

3. The number of Certificate Problem Reports received about a particular Certificate or Subscriber;

4. The entity making the complaint (for example, a complaint from a law enforcement official that a Web site is engaged in illegal activities should carry more weight than a complaint from a consumer alleging that she didn’t receive the goods she ordered); and

5. Relevant legislation.

 

--MOTION ENDS—

The procedure for approval of this Final Maintenance Guideline ballot is as follows:


BALLOT 213 Status: Final Maintenance Guideline

Start time (23:00 UTC)

End time (23:00 UTC)


Discussion (7 to 14 days)

4 Sep 2017

11 Sep 2017


Vote for approval (7 days)

11 Sep 2017

18 Sep  2017


If vote approves ballot: Review Period (Chair to send Review Notice) (30 days). If Exclusion Notice(s) filed, ballot approval is rescinded and PAG to be created. If no Exclusion Notices filed, ballot becomes effective at end of Review Period.

Upon filing of Review Notice by Chair

30 days after filing of Review Notice by Chair

>From Bylaw 2.3: If the Draft Guideline Ballot is proposing a Final Maintenance Guideline, such ballot will include a redline or comparison showing the set of changes from the Final Guideline section(s) intended to become a Final Maintenance Guideline, and need not include a copy of the full set of guidelines. Such redline or comparison shall be made against the Final Guideline section(s) as they exist at the time a ballot is proposed, and need not take into consideration other ballots that may be proposed subsequently, except as provided in Bylaw Section 2.3(j).

Votes must be cast by posting an on-list reply to this thread on the Public list. A vote in favor of the motion must indicate a clear 'yes' in the response. A vote against must indicate a clear 'no' in the response. A vote to abstain must indicate a clear 'abstain' in the response. Unclear responses will not be counted. The latest vote received from any representative of a voting member before the close of the voting period will be counted. Voting members are listed here:  <https://cabforum.org/members/> https://cabforum.org/members/ In order for the motion to be adopted, two thirds or more of the votes cast by members in the CA category and greater than 50% of the votes cast by members in the browser category must be in favor. Quorum is shown on CA/Browser Forum wiki. Under Bylaw 2.2(g), at least the required quorum number must participate in the ballot for the ballot to be valid, either by voting in favor, voting against, or abstaining.

 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cabforum.org/pipermail/public/attachments/20170901/0ccacff8/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Revocation-Time-Revision-Ballot v3.doc
Type: application/msword
Size: 46592 bytes
Desc: not available
URL: <http://cabforum.org/pipermail/public/attachments/20170901/0ccacff8/attachment-0001.doc>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4984 bytes
Desc: not available
URL: <http://cabforum.org/pipermail/public/attachments/20170901/0ccacff8/attachment-0001.p7s>

More information about the Public mailing list