[Servercert-wg] [EXTERNAL] Ballot SC6 v2 - Revocation Timeline Extension

[Ryan Sleevi]

On Wed, Aug 29, 2018 at 11:53 AM Wayne Thayer <wthayer at mozilla.com> wrote:

> On Wed, Aug 29, 2018 at 7:33 AM Bruce Morton <
> Bruce.Morton at entrustdatacard.com> wrote:
>
>> Works for me.
>>
>> Bruce.
>>
>> On Aug 29, 2018, at 10:29 AM, Ryan Sleevi <sleevi at google.com> wrote:
>>
>> Just to confirm: Your concern is about the CA feeling that the evidence
>> does not meet any of the requirements to revoke, and wanting it to be clear
>> that that is a valid outcome of a problem report, correct?
>>
>> The problem with the suggested wording (and perhaps implicit in the
>> existing wording) is that it suggests that the period to "work with the
>> Subscriber and any entity" is unbounded, and once a determination is made,
>> then it must be within the bounds of 4.9.1.1's time period. That is, say,
>> 24 hours + as much "work with" time as you want. This is because the
>> modified wording seemingly attaches the "which MUST not" to the date in
>> which the CA will revoke, rather than the overall process.
>>
>> The CA SHALL work with the Subscriber and any entity reporting the
>> Certificate Problem Report or other revocation-related notice to establish
>> whether or not the certificate will be revoked, and if so, a date which the
>> CA will revoke the certificate. The period from report to published
>> revocation MUST NOT exceed the time frame set forth in Section 4.9.1.1.
>>
>> >
> Does "report" here mean the preliminary report on its findings, or the
> Certificate Problem Report? I am happy to accept this change once that is
> clarified.
>

I was thinking about that on the drive in today :)

"The period from receipt of report or notice to published revocation" ?

>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cabforum.org/pipermail/servercert-wg/attachments/20180829/a6bcc5b9/attachment.html>