[cabfpub] Ballot 213 - Revocation Timeline Extension

Ryan Sleevi sleevi at google.com
Mon Sep 4 07:13:56 MST 2017


On Mon, Sep 4, 2017 at 5:27 AM, Gervase Markham <gerv at mozilla.org> wrote:

> On 01/09/17 18:58, Ryan Sleevi wrote:
> > It's primarily about ensuring transparency in a way that's consistent -
> > and the Forum is relevant because it feeds into our determination about
> > ways to clarify text, while also providing a useful reference for
> > auditors and CAs regarding root stores' interpretations (and ensuring
> > there's no misalignment). I suggested questions@, because it's our only
> > list that doesn't require any form of agreement or participation in the
> > Forum at large - thus ensuring it's appropriate for all members.
>
> (This is not the first time we've encountered that issue; do we need a
> better-named "notifications at cabforum.org" email list?)
>
> I see what you are trying to do; perhaps it's the phrasing which is
> bugging me. Does this wording do the same thing that you are aiming for,
> or has it changed the meaning?
>
> "If any interpretation of these Requirements means that a CA believes it
> may permit, and does permit, more than seven days to elapse between
> receiving a Certificate Problem Report and providing a final
> determination, the CA SHALL notify the CA/Browser Forum of their
> interpretation by emailing questions at cabforum.org."
>

Thanks for highlighting this. I actually think Jeremy and I may have
crossed wires. My intent was to set the following limits for determination:
- 24 hours under situations X, Y, Z
- 24 hours SHOULD for everything else
- 7 days MUST for everything else

With an "Anything > 24 hours requires a report".

That covers assessment.

And then the actual revocation works as
- 24 hours under situations X, Y, Z
- 7 days MUST for everything else

With no report as to the timing of that revocation.



> But again, while I see what you are trying to do, how do we avoid the
> BRs filling up with text like:
>
> A) Do X.
> B) If any CA feels these Requirements can be interpreted to mean that
> they don't have to do X, they should email questions at cabforum.org.
> C) Do Y.
> D) If any CA feels these Requirements can be interpreted to mean that
> they don't have to do X, they should email questions at cabforum.org.
> ...
>
> Why is there a unique need in this particular case for notification of
> interpretive "creativity"?
>

I'm not sure I would go as far as to suggest it's interpretative
"creativity" - I think we're discussing cases of ambiguity which may take
time to resolve (e.g. the CA consulting with their auditors and/or the
Forum), or for which systemic issues might exist. I think we're
appreciative of the need to coordinate with subscribers and perhaps take
additional steps (although it does mean that the effectiveness of
revocation is now 7d+7d+7d rather than the current 24h+24h+7d),
but I think we'd want to understand why any investigation _isn't_ cut and
dry.

For example, if an OCSP Responder is reported as responding GOOD to
non-issued certificates, that should be something the CA can investigate
and report on within 24 hours. If the CA can't, that's concerning.

As to notification, I think any place we offer for purely CA discretion, we
need transparency. So to the extent we allow for situations like "You
should do X, unless you think you don't have to" - then I absolutely think
a notification is appropriate. We have that true for Severability (and for
good reason), and I think we would also want that for security incident
reporting. Are there other places you think CAs should be left to
subjectively evaluate rather than work on objective criteria?
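To make the proposed limits concrete, here is an added example (not code from the thread or from any CA/Browser Forum document) that scores constructed Certificate Problem Reports against the determination and revocation timelines described above. It assumes every clock starts when the report is received, and uses placeholder labels for the unnamed "situations X, Y, Z".

```python
from datetime import datetime, timedelta

# The thread names the fast-track cases only as "situations X, Y, Z";
# these labels are constructed placeholders, not BR text.
FAST_TRACK = {"situation_X", "situation_Y", "situation_Z"}
DAY, WEEK = timedelta(hours=24), timedelta(days=7)

def assess(received, determined, revoked, situation):
    """Evaluate one Certificate Problem Report against the proposed limits.
    All clocks are assumed to start when the report is received."""
    fast = situation in FAST_TRACK
    det, rev = determined - received, revoked - received
    return {
        "situation": situation,
        # Determination: 24h MUST for X/Y/Z; 24h SHOULD and 7d MUST otherwise.
        "determination_must_ok": det <= (DAY if fast else WEEK),
        "determination_should_ok": det <= DAY,
        # Any determination taking more than 24h triggers a report.
        "report_required": det > DAY,
        # Revocation: 24h for X/Y/Z, 7d MUST otherwise; no report on timing.
        "revocation_ok": rev <= (DAY if fast else WEEK),
    }

# Constructed sample reports as (situation, time to determination,
# time to revocation), measured from receipt. Not real incidents.
T0 = datetime(2017, 9, 4, 8, 0)
SAMPLE_REPORTS = [
    ("situation_X", timedelta(hours=20), timedelta(hours=22)),
    ("other_claim", timedelta(days=3), timedelta(days=6)),
    ("situation_Y", timedelta(hours=30), timedelta(hours=40)),
]

def evaluate_all(reports=SAMPLE_REPORTS, t0=T0):
    """Score every sample report; returns one result dict per report."""
    return [assess(t0, t0 + d, t0 + r, s) for s, d, r in reports]

if __name__ == "__main__":
    for result in evaluate_all():
        print(result)
```

The second sample shows the case the discussion turns on: a determination within the 7-day MUST but past the 24-hour SHOULD, which is compliant yet still requires a notification.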