[cabfpub] Ballot 213 - Revocation Timeline Extension

Ryan Sleevi sleevi at google.com
Fri Sep 1 17:58:21 UTC 2017 

On Fri, Sep 1, 2017 at 4:39 AM, Gervase Markham via Public <
public at cabforum.org> wrote:

> On 01/09/17 05:40, Jeremy Rowley via Public wrote:
> > A revised version is attached. Additional comments and/or endorsements
> > are welcome!
>
> We will endorse when the time comes; a couple of comments beforehand:
>
> 4.9.5: c) says "alleging an issue other than key compromise", which
> could be construed to cover only a), thereby leaving b) in limbo a
> little bit. Suggestion: replace those words with "alleging any other
> problem with the certificate".
>
> 4.9.5 has this new text: "If any ambiguity in these Requirements will
> result in a delay of more than seven days in providing a final
> determination of a Certificate Problem Report, the CA SHALL first notify
> the CA/Browser Forum of the ambiguity by emailing questions at cabforum.org."
>
> I can sort of see what you are trying to do here, but this rather puts
> the CAB Forum in the role of "BR cop". Could we instead do something
> like: "If there is a delay of more than seven days in providing a final
> determination of a Certificate Problem Report, the CA SHALL explain the
> reason for the delay in the final report sent to the Subscriber and the
> filing entity." The filing entity then, of course, as the option of
> passing that on to a root program, the CAB Forum or anyone else.
>

Hi Gerv,

I actually suggested this element of transparency, so happy to explain some
of the rationale. I don't think the goal is to put the Forum into a BR cop,
but much like 9.16.3, to better understand if there's ambiguity of text or
interpretative differences. For example, consider Kirk's message on behalf
of Entrust regarding punctuation characters in OU fields, which revealed
some issues with the wording of the text - and which different CAs resolved
differently. I actually think this is a good result for highlighting "Hey,
we're not sure about X, could this be worded clearer?" as a possible result.

It's primarily about ensuring transparency in a way that's consistent - and
the Forum is relevant because it feeds into our determination about ways to
clarify text, while also providing a useful reference for auditors and CAs
regarding root stores' interpretations (and ensuring there's no
misalignment). I suggested questions@, because it's our only list that
doesn't require any form of agreement or participation in the Forum at
large - thus ensuring it's appropriate for all members.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20170901/d39387cf/attachment-0003.html>

More information about the Public mailing list