[cabfpub] Revocation ballot v2

[Jeremy Rowley]

Thanks Ryan!  

 

One more thing I think we should address in this ballot is when the time period starts.  The definition for certificate problem report is:

 

“Certificate Problem Report: Complaint of suspected Key Compromise, Certificate misuse, or other types of fraud, compromise, misuse, or inappropriate conduct related to Certificates. “

The CA is obligated, under Section 4.9.5, to start investigating within 24 hours of receipt.  Receipt is vague.  On the Mozilla list, I mentioned that we should require all CAs to have at least an email address where these are submitted.  What do you think about changing the Certificate Problem Report to:

 

“Certificate Problem Report: A complaint of suspected Key Compromise, Certificate misuse, or other types of fraud, compromise, misuse, or inappropriate conduct related to Certificates that is sent to an email address publicly specified in the CA’s repository. “

 

 

 

From: Ryan Sleevi [mailto:sleevi at google.com] 
Sent: Wednesday, August 23, 2017 2:26 PM
To: Jeremy Rowley <jeremy.rowley at digicert.com>
Cc: CA/Browser Forum Public Discussion List <public at cabforum.org>
Subject: Re: [cabfpub] Revocation ballot v2

 

 

 

On Wed, Aug 23, 2017 at 3:42 PM, Jeremy Rowley <jeremy.rowley at digicert.com <mailto:jeremy.rowley at digicert.com> > wrote:

Looking at it another way, the timelines are:

 

24 hours if the Subscriber requests the cert (no certificate problem report)

48 hours if there is a key compromise (24 hour investigation + 24 hour to revoke)

8 days if the cert was issued to the wrong domain name or organization (7 day investigation + 24 hours to revoke) *

14 days for all other reasons

 

* My heartburn over how long this is to take care of.  8 days is a long time where domain validation failed.

 

I think the requirement to reply to the certificate problem report is built in by requiring the CA to work with the entity making the report. I don’t have a good idea on how to improve the escalation path.

 

OK, good, then I wasn't misreading the proposal, and I think the broad strokes of that are a good balance between the community need and a reasonable amount of flexibility for CAs.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20170824/2e4a4cde/attachment-0003.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4984 bytes
Desc: not available
URL: <http://lists.cabforum.org/pipermail/public/attachments/20170824/2e4a4cde/attachment-0003.p7s>