[Servercert-wg] [cabfpub] [EXTERNAL]Re: Ballot SC6 - Revocation Timeline Extension

Ryan Sleevi sleevi at google.com
Fri Aug 24 06:10:32 MST 2018


On Fri, Aug 24, 2018 at 1:42 AM Dimitris Zacharopoulos via Servercert-wg <
servercert-wg at cabforum.org> wrote:

> I'm not sure if this has been discussed before (sorry if I missed did),
> but I would like to bring up the fact that there might be Subscribers
> who suffer a Key Compromise (like the ones distributed with their own
> software or embedded within customer devices), who would be willing to
> leave the compromised Certificate/Key out there until they find a way to
> replace it (that might take more than 24 hours or 5 days). This is a
> case where the Subscriber weighs the impact of Availability in the
> security properties of the offered service more than Confidentiality.
>

I don't agree that the Subscriber's wishes should trump the Relying
Parties. Otherwise, we never would have deprecated SHA-1 or RSA-1024.


>
> If a Subscriber doesn't want their Certificate revoked because that
> might have a significant impact/damage in their service Availability,
> isn't that something the ecosystem should respect and allow? Shouldn't
> this be treated on a case-by-case basis? I would be in favor of entering
> clauses in the BRs to allow more than 5 days before revocation for
> certain such cases, provided that the CA and the affected Subscriber
> would have to disclose the case to the CA/B Forum, as Ryan suggested in
> previous discussions. Just disclosing the fact should be enough. It
> would just be an additional option for the CAs and the Subscribers that
> would improve today's practices. As Jeremy demonstrated, there are
> several real cases today, where CAs try to extend the 24hours revocation
> window in order to balance that Availability risk for the Subscribers
> and -I might add- the Relying Parties that want to have access to the
> Subscriber's services. I believe there are RPs out there that value
> availability more than confidentiality. I'm not one of them, but... :)
>
>
> Thoughts?
> Dimitris.
>
>
> _______________________________________________
> Servercert-wg mailing list
> Servercert-wg at cabforum.org
> http://cabforum.org/mailman/listinfo/servercert-wg
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cabforum.org/pipermail/servercert-wg/attachments/20180824/77d17a3c/attachment-0001.html>


More information about the Servercert-wg mailing list