[Servercert-wg] [EXTERNAL] Ballot SC6 v2 - Revocation Timeline Extension

Wayne Thayer wthayer at mozilla.com
Wed Aug 29 08:53:31 MST 2018


On Wed, Aug 29, 2018 at 7:33 AM Bruce Morton <
Bruce.Morton at entrustdatacard.com> wrote:

> Works for me.
>
> Bruce.
>
> On Aug 29, 2018, at 10:29 AM, Ryan Sleevi <sleevi at google.com> wrote:
>
> Just to confirm: Your concern is about the CA feeling that the evidence
> does not meet any of the requirements to revoke, and wanting it to be clear
> that that is a valid outcome of a problem report, correct?
>
> The problem with the suggested wording (and perhaps implicit in the
> existing wording) is that it suggests that the period to "work with the
> Subscriber and any entity" is unbounded, and once a determination is made,
> then it must be within the bounds of 4.9.1.1's time period. That is, say,
> 24 hours + as much "work with" time as you want. This is because the
> modified wording seemingly attaches the "which MUST not" to the date in
> which the CA will revoke, rather than the overall process.
>
> The CA SHALL work with the Subscriber and any entity reporting the
> Certificate Problem Report or other revocation-related notice to establish
> whether or not the certificate will be revoked, and if so, a date which the
> CA will revoke the certificate. The period from report to published
> revocation MUST NOT exceed the time frame set forth in Section 4.9.1.1.
>

Does "report" here mean the preliminary report on its findings, or the
Certificate Problem Report? I am happy to accept this change once that is
clarified.

> Does that work for you?
>
> On Wed, Aug 29, 2018 at 10:16 AM Bruce Morton via Servercert-wg <
> servercert-wg at cabforum.org> wrote:
>
>> I am concerned with this statement, “the CA SHALL work with the
>> Subscriber and any entity reporting the Certificate Problem Report or other
>> revocation-related notice to establish a date when the CA will revoke the
>> Certificate which MUST not exceed the time frame set forth in Section
>> 4.9.1.1.”
>>
>>
>>
>> This statement appears to assume that the certificate will be revoked. I
>> assume that the investigation may conclude that the certificate will not be
>> revoked. As such, could we change the statement to say “the CA SHALL work
>> with the Subscriber and any entity reporting the Certificate Problem Report
>> or other revocation-related notice to establish whether or not the
>> certificate will be revoked, and if so, a date when the CA will revoke the
>> Certificate which MUST not exceed the time frame set forth in Section
>> 4.9.1.1.”
>>
>>
>>
>> Thanks, Bruce.
>>
>