[cabfpub] Revocation ballot

Ryan Sleevi sleevi at google.com
Thu Jul 13 12:36:50 MST 2017


Hi Jeremy,

I think you may have misunderstood. That is, I think that at any point
the CA determines any of the conditions on 4.9.1.1 or 4.9.1.2 are met,
they should remain obligated to revoke within 24 hours. That includes
the full list.

I think greater time for the investigation of a certificate problem
report - which allows for ascertaining whether or not 4.9.1.1 or
4.9.1.2 have been met - is reasonable, because as it stands, CAs are
obligated to err on the side of revocation (and assume 4.9.1.1/4.9.1.2
will be true) rather than not.

I don't think it's a positive step forward, however, to suggest that a
CA may opt to _not_ revoke, or to delay revocation beyond 24 hours,
once 4.9.1.1 or 4.9.1.2 are met. I'm particularly troubled, for
example, by the suggestion that the impact of revocation be considered
- as that's entirely a subjective, unquantifiable, and arguably
unsupportable interpretation in general, and it creates a perverse
incentives, as the incentives of both the CA and the subscriber are to
'not' revoke an illegitimate certificate, even if it causes
substantial harm to the ecosystem or Relying Parties.

It's unclear, however, if it was your intent to do that. My
understanding is that the goal was to provide additional time for a CA
to investigate the facts surrounding a Certificate Problem Report, so
that they can fully determine whether 4.9.1.1/4.9.1.2 are met - not to
make it possible for a CA to 'never' have to revoke a certificate
(which is a natural consequence, as presently worded).

On Thu, Jul 13, 2017 at 3:24 PM, Jeremy Rowley
<jeremy.rowley at digicert.com> wrote:
> Thanks Ryan - I missed that.  IMO, we should leave the cap at 1 business day (or even 24 hours) for those two events.  If the subscriber is requesting revocation, there's no reason to delay.
>
> I don't mind adding a two week cap for the rest of the reasons if that helps.
>
> -----Original Message-----
> From: Ryan Sleevi [mailto:sleevi at google.com]
> Sent: Thursday, July 13, 2017 1:19 PM
> To: Jeremy Rowley <jeremy.rowley at digicert.com>; CA/Browser Forum Public Discussion List <public at cabforum.org>
> Subject: Re: [cabfpub] Revocation ballot
>
> Hi Jeremy,
>
> This seems rather problematic. I greatly appreciated DigiCert's past consideration of this, which was to set the absolute upper bound at no greater than two weeks.
>
> As proposed, this would effectively make 4.9.1.1 and 4.9.1.2 pointless, as it leaves it fully up to CA discretion. As we've seen with the validation methods' "any other method", CA discretion creates significant challenges for relying parties and auditors to be assured of the integrity of the Web PKI and of the technical and material factors weighing in.
>
> That is, I'm totally supportive of an approach that tries to balance
> 24 hours, but I think anything that allows for arbitrarily-determined revocation, as proposed, would be a big step backwards for the security and confidence in the PKI.
>
> On Thu, Jul 13, 2017 at 2:47 PM, Jeremy Rowley via Public <public at cabforum.org> wrote:
>> Hi all,
>>
>>
>>
>> I took Ben’s previous ballot proposal for changing revocation
>> timelines and combined it with the timelines previously proposed.
>> Basically, the timelines were established to still require CA
>> responsiveness but balance with compromise notices that are received at weird hours or during holidays.
>>
>>
>>
>> Looking forward to your comments.
>>
>>
>>
>> Jeremy
>>
>>
>> _______________________________________________
>> Public mailing list
>> Public at cabforum.org
>> https://cabforum.org/mailman/listinfo/public
>>


More information about the Public mailing list