[cabfpub] Revocation Timeframe Ballot Language

Ben Wilson ben.wilson at digicert.com
Wed May 3 15:43:51 UTC 2017


I’ll take a look at it and see about merging the two.


From: Ryan Sleevi [mailto:sleevi at google.com]
Sent: Tuesday, May 2, 2017 5:56 PM
To: CA/Browser Forum Public Discussion List <public at cabforum.org>
Cc: Ben Wilson <ben.wilson at digicert.com>
Subject: Re: [cabfpub] Revocation Timeframe Ballot Language

It probably comes as no surprise to anyone in the Forum that I'm not a big fan of a blanket policy for CA discretion, much like the "any other method" concerns :)

Jeremy previously had a pretty good draft here, but didn't go forward with it. That's captured in https://cabforum.org/pipermail/public/2015-March/005312.html

Are there new concerns why that approach wouldn't work?

On Tue, May 2, 2017 at 7:23 PM, Ben Wilson via Public <public at cabforum.org> wrote:


   Attached is a redlined Word doc containing sections and 4.9.5 of the Baseline Requirements. To provide greater flexibility when revoking certificates, I am proposing that we remove the 24-hour revocation requirement from section and replace it with a criteria-based process found in section 4.9.5. Section 4.9.5 (Time within which CA Must Process the Revocation Request) would read:

   The CA SHALL begin an investigation of the facts and circumstances related to a Certificate Problem Report or other revocation-related notice within one business day of receipt. After reviewing the facts and circumstances, the CA SHALL work with any entity reporting the Certificate Problem Report or other revocation-related notice to establish a date when the CA will revoke the Certificate or take whatever other appropriate action is warranted. The date selected by the CA SHOULD consider the following criteria:

   1. The nature of the alleged problem (scope, context, severity, magnitude, risk of harm);

   2. The consequences of revocation (direct and collateral impacts to Subscribers and Relying Parties);

   3. The number of Certificate Problem Reports received about a particular Certificate or Subscriber;

   4. The entity making the complaint (for example, a complaint from a law enforcement official that a Web site is engaged in illegal activities should carry more weight than a complaint from a consumer alleging that she didn’t receive the goods she ordered); and

   5. Relevant legislation.

