[cabfpub] Reviving Ballot 213 - Revocation Timeline Extension

Ryan Sleevi sleevi at google.com
Wed May 16 13:18:27 MST 2018

On Wed, May 16, 2018 at 4:00 PM, Wayne Thayer via Public <
public at cabforum.org> wrote:

> Lat year, Jeremy proposed changes to section 4.9 of the BRs. I'd like to
> revive that discussion with the following ballot proposal:
> https://github.com/cabforum/documents/compare/master...wthayer:patch-1
> Summary of Changes:
> * The first change creates a tiered timeline for revocations. The most
> critical "reasons" still require revocation within 24 hours, but for many
> others 24 hours becomes a SHOULD and the CA has 5 days before they MUST
> revoke. This was the original motivation for the ballot, due in part to
> last year's wave of misissued certs identified by linting tools.

I'm not sure that matches my understanding or the early discussions. In
several cases, it was a Subscriber self-own, and the risk that revocation
was perceived as having impact to those subscribers.

I'm not sympathetic to CAs' linting failures being a reason to extend
revocation dates. If a CA fails to abide by the Guidelines, and customers
of that CA are affected, they may want to choose CAs that are more
carefully and correctly operated. That's not a lack of sympathy - that's a
recognition that extensions for CA failure are a perverse incentive to
reward failure.

I fully acknowledge it's a tension, though, and am simply hesitant to open
the door to some gradations of CA screw-ups, while acknowledging the
challenges that sites that have not switched to automated solutions face
when presented with revocation.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cabforum.org/pipermail/public/attachments/20180516/5e118b53/attachment.html>

More information about the Public mailing list