[cabfpub] Ballot 213 - Revocation Timeline Extension
Ryan Sleevi
sleevi at google.com
Wed Sep 13 18:27:43 UTC 2017
On Wed, Sep 13, 2017 at 2:14 PM, Jeremy Rowley <jeremy.rowley at digicert.com>
wrote:
> If we’re trying to require transparency, I’d rather see a requirement to
> publish all certificate problem reports within 24 hours, regardless of
> resolution. First, this accomplishes the goal in a more straight-forward
> manner. Second, publication separates the transparency goal from the
> resolution timeline frames.
>
>
>
> 24 hours to publish
>
> 24-7 days to investigate/fix
>
> 24-7 days to revoke
>
>
>
> The other question is where should these be published. The CAB Forum
> questions list seems like the wrong place. The CAB Forum isn’t the
> mis-issuance police (the browsers are). The questions list in particular
> is intended for third party questions about the CAB Forum requirements. The
> Mozilla dev list is a better place to publish. If that’s the case, wouldn’t
> a publication of certificate problem reports be better presented as a
> Mozilla root store requirement?
>
I think that's conflating publication with response, and I think it
presupposes that response only originates from the root program side.
Note I didn't suggest the goal of transparency was to facilitate the
misissuance police - it was to promote information sharing and disclosure
to allow improved policies, practices, and guidelines. And that very much
seems a CA/B Forum activity. Whether or not there is (separately) a
conversation about misissuance does seem like something for policy
enforcement and not necessarily the remit of the CA/B Forum.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20170913/e4725fb7/attachment-0003.html>
More information about the Public
mailing list