[cabfpub] Revocation ballot v2

Ryan Sleevi sleevi at google.com
Wed Aug 23 20:26:17 UTC 2017


On Wed, Aug 23, 2017 at 3:42 PM, Jeremy Rowley <jeremy.rowley at digicert.com>
wrote:

> Looking at it another way, the timelines are:
>
> 24 hours if the Subscriber requests the cert (no certificate problem
> report)
>
> 48 hours if there is a key compromise (24 hour investigation + 24 hours to
> revoke)
>
> 8 days if the cert was issued to the wrong domain name or organization (7
> day investigation + 24 hours to revoke) *
>
> 14 days for all other reasons
>
> * My heartburn over how long this is to take care of.  8 days is a long
> time where domain validation failed.
>
> I think the requirement to reply to the certificate problem report is
> built in by requiring the CA to work with the entity making the report. I
> don’t have a good idea on how to improve the escalation path.
>

OK, good, then I wasn't misreading the proposal, and I think the broad
strokes of that are a good balance between the community need and a
reasonable amount of flexibility for CAs.