[cabfpub] Reviving Ballot 213 - Revocation Timeline Extension

[Ryan Sleevi]

On Wed, May 16, 2018 at 4:27 PM, Wayne Thayer <wthayer at mozilla.com> wrote:

> On Wed, May 16, 2018 at 1:19 PM Ryan Sleevi <sleevi at google.com> wrote:
>
>>
>> On Wed, May 16, 2018 at 4:00 PM, Wayne Thayer via Public <
>> public at cabforum.org> wrote:
>>
>>> Lat year, Jeremy proposed changes to section 4.9 of the BRs. I'd like to
>>> revive that discussion with the following ballot proposal:
>>> https://github.com/cabforum/documents/compare/master...wthayer:patch-1
>>>
>>> Summary of Changes:
>>> * The first change creates a tiered timeline for revocations. The most
>>> critical "reasons" still require revocation within 24 hours, but for many
>>> others 24 hours becomes a SHOULD and the CA has 5 days before they MUST
>>> revoke. This was the original motivation for the ballot, due in part to
>>> last year's wave of misissued certs identified by linting tools.
>>>
>>
>> I'm not sure that matches my understanding or the early discussions. In
>> several cases, it was a Subscriber self-own, and the risk that revocation
>> was perceived as having impact to those subscribers.
>>
>> >
> That's fair. I'm unclear on the meaning of "Subscriber self-own", but
> agree that the concern was the impact a rushed revocation often has on the
> Subscriber and their website.
>

The spate of widely distributed private keys from Subscribers that didn't
understand that would fundamentally necessitate revocation. GitHub,
Dropbox, and Blizzard were all examples of this, and all faced significant
product impact because of it, because it meant updating binaries for
millions of users, not just updating a server certificate.

The Subscriber did the damage to themselves, but it wasn't clear to them
how colossal a bad idea it would be until, well, it happened.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cabforum.org/pipermail/public/attachments/20180516/28aac231/attachment-0001.html>