[cabfpub] Ballot 213 - Revocation Timeline Extension

Jeremy Rowley jeremy.rowley at digicert.com
Wed Sep 13 17:24:08 UTC 2017


A 24 hour report to the CAB Forum doesn’t make sense if the length of the investigation is not tied to the understanding/interpretation of the CAB Forum requirement.  For example, if someone alleges a company changed addresses, revocation may be required under “information appearing in the Certificate is inaccurate or misleading”.  Information in the QIIS might not be updated, the contact person may be on vacation, etc.  This isn’t a CAB Forum issue so there’s no reason to report that it’s taking longer than 24 hours to complete the certificate problem report.  

 

What should be required, imo, is a report to the entity submitting the certificate problem report about why it’s taken longer than the required 24 hours.  For investigation, what if we did:

*	24 hours required for the initial report
*	24 hours for the final report if the problem alleges X, Y, or Z
*	7 days for the final report for all other reasons.

 

Anything taking longer than 24 hours because of an issue with the CAB Forum requirements must be reported to the CAB Forum.

 

Then revocation stays at:

*	24 hours required for X, Y, and Z
*	24 hours SHOULD for all other reasons
*	7 days required for all other reasons

 

Will this work? 

 

From: Public [mailto:public-bounces at cabforum.org] On Behalf Of Ryan Sleevi via Public
Sent: Monday, September 4, 2017 8:14 AM
To: Gervase Markham <gerv at mozilla.org>
Cc: CA/Browser Forum Public Discussion List <public at cabforum.org>
Subject: Re: [cabfpub] Ballot 213 - Revocation Timeline Extension

 

 

 

On Mon, Sep 4, 2017 at 5:27 AM, Gervase Markham <gerv at mozilla.org> wrote:

On 01/09/17 18:58, Ryan Sleevi wrote:
> It's primarily about ensuring transparency in a way that's consistent -
> and the Forum is relevant because it feeds into our determination about
> ways to clarify text, while also providing a useful reference for
> auditors and CAs regarding root stores' interpretations (and ensuring
> there's no misalignment). I suggested questions@, because it's our only
> list that doesn't require any form of agreement or participation in the
> Forum at large - thus ensuring it's appropriate for all members. 

(This is not the first time we've encountered that issue; do we need a
better-named "notifications at cabforum.org" email list?)

I see what you are trying to do; perhaps it's the phrasing which is
bugging me. Does this wording do the same thing that you are aiming for,
or has it changed the meaning?

"If any interpretation of these Requirements means that a CA believes it
may permit, and does permit, more than seven days to elapse between
receiving a Certificate Problem Report and providing a final
determination, the CA SHALL notify the CA/Browser Forum of their
interpretation by emailing questions at cabforum.org."

 

Thanks for highlighting this. I actually think Jeremy and I may have crossed wires. My intent was to set the following limits for determination:

- 24 hours under situations X, Y, Z

- 24 hours SHOULD for everything else

- 7 days MUST for everything else

 

With a "Anything > 24 hours requires a report"

 

That covers assessment

 

And then the actual revocation works as

- 24 hours under situations X, Y, Z

- 7 days MUST for everything else

 

With no report as to the timing of that revocation.

 

 

But again, while I see what you are trying to do, how do we avoid the
BRs filling up with text like:

A) Do X.
B) If any CA feels these Requirements can be interpreted to mean that
they don't have to do X, they should email questions at cabforum.org.
C) Do Y.
D) If any CA feels these Requirements can be interpreted to mean that
they don't have to do X, they should email questions at cabforum.org.
...

Why is there a unique need in this particular case for notification of
interpretive "creativity"?

 

I'm not sure I would go as far as to suggest it's interpretative "creativity" - I think we're discussing cases of ambiguity which may take time to resolve (e.g. the CA consulting with their auditors and/or the Forum), or for which systemic issues might exist. I think we're appreciative of the need to coordinate with subscribers and perhaps take additional steps (although it does mean that the effectiveness of revocation for is now 7d+7d+7d days rather than the current 24h+24h+7d), but I think we'd want to understand why any investigation _isn't_ cut and dry.

 

For example, if an OCSP Responder is reported as responding GOOD to non-issued certificates, that should be something the CA can investigate and report on within 24 hours. If the CA can't, that's concerning.

 

As to notification, I think any place we offer for purely CA discretion, we need transparency. So to the extent we allow for situations like "You should do X, unless you think you don't have to" - then I absolutely think a notification is appropriate. We have that true for Severability (and for good reason), and I think we would also want that for security incident reporting. Are there other places you think CAs should be left to subjectively evaluate rather than work on objective criteria?
