[Servercert-wg] [cabfpub] [EXTERNAL]Re: Ballot SC6 - Revocation Timeline Extension

Dimitris Zacharopoulos jimmy at it.auth.gr
Thu Aug 23 22:42:19 MST 2018


I'm not sure if this has been discussed before (sorry if I missed it),
but I would like to bring up the fact that there might be Subscribers
who suffer a Key Compromise (like the ones distributed with their own
software or embedded within customer devices), who would be willing to
leave the compromised Certificate/Key out there until they find a way to
replace it (that might take more than 24 hours or 5 days). This is a
case where the Subscriber weighs the impact of Availability in the
security properties of the offered service more than Confidentiality.

If a Subscriber doesn't want their Certificate revoked because that
might have a significant impact/damage in their service Availability,
isn't that something the ecosystem should respect and allow? Shouldn't
this be treated on a case-by-case basis? I would be in favor of entering
clauses in the BRs to allow more than 5 days before revocation for
certain such cases, provided that the CA and the affected Subscriber
would have to disclose the case to the CA/B Forum, as Ryan suggested in
previous discussions. Just disclosing the fact should be enough. It
would just be an additional option for the CAs and the Subscribers that
would improve today's practices. As Jeremy demonstrated, there are
several real cases today, where CAs try to extend the 24-hour revocation
window in order to balance that Availability risk for the Subscribers
and -I might add- the Relying Parties that want to have access to the
Subscriber's services. I believe there are RPs out there that value
availability more than confidentiality. I'm not one of them, but... :)


Thoughts?
Dimitris.