[cabfpub] Revocation ballot v2

Tim Hollebeek THollebeek at trustwave.com
Thu Aug 24 13:45:14 UTC 2017 

I think it’s probably cleaner to put a requirement for an email address for problem reports in 1.5.2 where it can have a SHALL.  For some CAs it’s going to be the same address as the one that’s already required there.

Implied requirements through carefully written definitions are easy to miss.

-Tim

From: Public [mailto:public-bounces at cabforum.org] On Behalf Of Adriano Santoni via Public
Sent: Thursday, August 24, 2017 2:13 AM
To: Jeremy Rowley <jeremy.rowley at digicert.com>; CA/Browser Forum Public Discussion List <public at cabforum.org>
Subject: Re: [cabfpub] Revocation ballot v2


OK. then I agree.

Il 24/08/2017 07:44, Jeremy Rowley ha scritto:
Under this change, email is not the only way to manage Certificate Problem Reports. The change requires CAs to support at least email, but the CA may support any other methods they want to manage.  Regardless of potential spam, requiring CAs to manage one mailing list doesn’t seem unreasonable considering how difficult/annoying other methods are.

From: Public [mailto:public-bounces at cabforum.org] On Behalf Of Adriano Santoni via Public
Sent: Wednesday, August 23, 2017 11:40 PM
To: public at cabforum.org<mailto:public at cabforum.org>
Subject: Re: [cabfpub] Revocation ballot v2

The problem I see with mandating an email address as the only way to report a problem to the CA is that mailboxes are subject to spamming. Our certificate problem reporting mailbox is being targeted to spam more and more, lately, and it is not always easy and quick to tell apart real problem reports and spam.
Il 24/08/2017 02:45, Gervase Markham via Public ha scritto:

On 23/08/17 17:39, Jeremy Rowley via Public wrote:

“Certificate Problem Report: A complaint of suspected Key Compromise,

Certificate misuse, or other types of fraud, compromise, misuse, or

inappropriate conduct related to Certificates that is sent to an email

address publicly specified in the CA’s repository. “



I think that if we want to mandate that the CA's Problem Reporting

Mechanisms include at minimum an email address, we should say that in

the relevant section, rather than slip it in here.



I would be in support of such a change. :-) We are considering it for

Mozilla policy. People currently find it too difficult to send reports

to multiple CAs, having to cope with lots of different mechanisms.



Gerv

_______________________________________________

Public mailing list

Public at cabforum.org<mailto:Public at cabforum.org>

https://cabforum.org/mailman/listinfo/public<https://scanmail.trustwave.com/?c=4062&d=ne6e2Tm40TveA1JmOQYRaAomMM1rSPVAB19MCH3j3w&s=5&u=https%3a%2f%2fcabforum%2eorg%2fmailman%2flistinfo%2fpublic>


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20170824/e4fdf908/attachment-0003.html>

More information about the Public mailing list