[cabfpub] Bergamo F2F Agenda Item
Inigo Barreira
Inigo.Barreira at sectigo.com
Tue May 14 16:04:31 UTC 2024
It does not matter if CT is not in the TLS BRs if the idea is to
check/verify how the delay of revocations is affecting operations in
banking/finance, healthcare, etc., because without CT you can't check and
only get the word of the CA. With the other cert types, you can't check;
only with TLS, where you can see the subject.
And yes, all CAs are accountable, but again, unless you can verify somehow,
it's not easy.
From: Dimitris Zacharopoulos (HARICA) <dzacharo at harica.gr>
Sent: Tuesday, 14 May 2024 17:43
To: Inigo Barreira <Inigo.Barreira at sectigo.com>; CA/Browser Forum Public
Discussion List <public at cabforum.org>; Ben Wilson <bwilson at mozilla.com>
Subject: Re: [cabfpub] Bergamo F2F Agenda Item
On 14/5/2024 6:36 p.m., Inigo Barreira wrote:
I don't have any issue with discussing this at the forum plenary, but the main
difference between the TLS and the other cert types is the accountability
these have because of being in the CT logs, where anyone can check/review. But, go
ahead.
CT is not in the TLS BRs so they are not so much related. I also don't
understand what you mean by "accountability" because all CAs are accountable
for all types of publicly-trusted certificates they issue (TLS, Code
Signing, S/MIME), and they all have -similar- rules for revocation.
Thanks,
Dimitris.
From: Public <mailto:public-bounces at cabforum.org>
<public-bounces at cabforum.org> On behalf of Dimitris Zacharopoulos (HARICA)
via Public
Sent: Tuesday, 14 May 2024 17:28
To: Ben Wilson <mailto:bwilson at mozilla.com> <bwilson at mozilla.com>
CC: CA/Browser Forum Public Discussion List <mailto:public at cabforum.org>
<public at cabforum.org>
Subject: Re: [cabfpub] Bergamo F2F Agenda Item
On 14/5/2024 6:08 p.m., Ben Wilson wrote:
Hi Dimitris,
There appears to be an open slot on the F2F agenda - Wed. May 29th at 9:05
a.m. I was thinking we could use that time to discuss revocation timelines
and balancing the security provided by revocation with the
security/stability needed to support critical infrastructure. In other
words, we could discuss BR section 4.9.1 and concerns about disruption of
global/national operations in banking/finance, transportation, government,
telecommunications, healthcare, and other key areas where certificate
revocation might cause key systems to fail.
Should I put this topic in that open slot on the wiki?
Thanks,
Ben
Hi Ben,
I think that would be great. I assume you will be leading this session.
I think it's a great opportunity for CAs with past experience of delayed
revocations to share some insight about specific challenges in the sectors
you listed, and possibly add some that are missing.
FYI, public evidence for delayed revocation incidents (open and closed,
based on specific tags) is available in this link.
Although you mentioned that this affects BR section 4.9.1, this topic
affects all Working Groups because all the WG BRs have a section 4.9.1 that
is very similar to the TLS BRs'. With that said, I would like to ask
whether Members have any objections to discussing this topic as part of the
Forum plenary.
Thank you,
Dimitris
CA/B Forum Chair