[cabfpub] Ballot 213 - Revocation Timeline Extension

[Jeremy Rowley]

I agree with the goal of getting this information out there, and using the CAB Forum this way seems in scope. Per the bylaws: “Members of the CA/Browser Forum have worked closely together in defining the guidelines and means of implementation for best practices as a way of providing a heightened security for Internet transactions and creating a more intuitive method of displaying secure sites to Internet users.” (Section 1)

 

However, I’m struggling to see why the CAB Forum would want to collect this info as a requirement rather than allowing CAs to submit the information voluntarily when there are questions.  Usually, we require the location of the disclosure be set in the CPS/CP, not as an email to the CAB Forum.  Shouldn’t we follow that format here? 

 

From: Ryan Sleevi [mailto:sleevi at google.com] 
Sent: Wednesday, September 13, 2017 12:28 PM
To: Jeremy Rowley <jeremy.rowley at digicert.com>
Cc: CA/Browser Forum Public Discussion List <public at cabforum.org>
Subject: Re: [cabfpub] Ballot 213 - Revocation Timeline Extension

 

 

 

On Wed, Sep 13, 2017 at 2:14 PM, Jeremy Rowley <jeremy.rowley at digicert.com <mailto:jeremy.rowley at digicert.com> > wrote:

If we’re trying to require transparency, I’d rather see a requirement to publish all certificate problem reports within 24 hours, regardless of resolution. First, this accomplishes the goal in a more straight-forward manner. Second, publication separates the transparency goal from the resolution timeline frames. 

 

24 hours to publish

24-7 days to investigate/fix

24-7 days to revoke

 

The other question is where should these be published.  The CAB Forum questions list seems like the wrong place. The CAB Forum isn’t the mis-issuance police (the browsers are).  The questions list in particular is intended for third party questions about the CAB Forum requirements. The Mozilla dev list is a better place to publish. If that’s the case, wouldn’t a publication of certificate problem reports be better presented as a Mozilla root store requirement?

 

I think that's conflating publication with response, and I think it presupposes that response only originates from the root program side.

 

Note I didn't suggest the goal of transparency was to facilitate the misissuance police - it was to promote information sharing and disclosure to allow improved policies, practices, and guidelines. And that very much seems a CA/B Forum activity. Whether or not there is (separately) a conversation about misissuance does seem like something for policy enforcement and not necessarily the remit of the CA/B Forum.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cabforum.org/pipermail/public/attachments/20170913/f3b37d01/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4984 bytes
Desc: not available
URL: <http://cabforum.org/pipermail/public/attachments/20170913/f3b37d01/attachment.p7s>