[cabfpub] Ballot 213 - Revocation Timeline Extension
Wayne Thayer
wthayer at godaddy.com
Wed Sep 6 15:53:16 UTC 2017
On 9/4/17, 2:22 AM, "Gervase Markham" <gerv at mozilla.org> wrote:
>On 01/09/17 18:51, Wayne Thayer via Public wrote:
>> I have a question related to the (unchanged) requirement that the CA
>> revoke the certificate within 24 hours if ‘the subscriber requests in
>> writing that the CA revoke the Certificate’. Presumably, this is the
>> subscriber sending an email to the CA’s problem reporting email address.
>> If so, I would hope that the CA is doing something to confirm that the
>> email came from the actual Subscriber. If the CA can’t confirm that the
>> email came from the Subscriber within 24 hours, then what?
>I would say that if you can't confirm it's the Subscriber, then the
>Subscriber has not requested in writing that you revoke the certificate.
>In other words, the timer starts from the time you validate that the
>email is genuine, if there is any doubt. If people feel this introduces
>a loophole, let's think how to fix it.
I can accept this interpretation, but I do think that most emails (lacking a digital signature or shared secret) fall into this bucket.
>> I think this
>> requirement would be improved if it allowed the CA to provide an
>> authenticated Subscriber with a mechanism for revoking the certificate
>> themselves, possibly in combination with a requirement that the CA
>> provide a mechanism for the Subscriber to recover lost credentials.
>I don't think the requirement _forbids_ this, so in that sense the
>requirement does "allow" it. Instead of "allow", do you actually mean
>"require"?
Not quite. I mean that CAs shouldn’t be required to accept Subscriber revocation requests “in writing”. Providing a documented mechanism for a Subscriber to request revocation should be enough. For example:
- invoke a Certbot command (I’m sure this is considered to be “in writing” but I don’t think it’s what the author of this sentence had in mind)
- Log in and click the “Revoke” button (Not “in writing” – unless you force the Subscriber to type “Revoke this cert” before clicking the button)
>Gerv