[Servercert-wg] BR Section 4.9.1.1

Roman Fischer roman.fischer at swisssign.com
Tue Jul 2 12:49:49 UTC 2024


Dear Ben,

We think that idea 1 is worth looking further into. Most of the recent mis-issuances would fall into such a category. I also think that while swift revocation in case of security incidents (e.g. Heartbleed) is absolutely essential to the security of the WebPKI ecosystem, mass revocations within 5 days because of typos in CP/CPS don't do the same ecosystem any good… So yes, we would support this idea.

Kind regards
Roman

From: Servercert-wg <servercert-wg-bounces at cabforum.org> On Behalf Of Ben Wilson via Servercert-wg
Sent: Wednesday, 26 June 2024 19:02
To: CA/B Forum Server Certificate WG Public Discussion List <servercert-wg at cabforum.org>
Subject: [Servercert-wg] BR Section 4.9.1.1

All,

As I said at the F2F in Bergamo, the issues with BR section 4.9.1.1 are not going to resolve themselves. We're going to have to address them sooner rather than later.

Here are two more ideas that I've received from others:
1 - add a 30-day revocation timeframe for a few minor, non-security-related mis-issuance types; and/or
2 - maintain a list of Subscribers, uses, FQDNs (or other) that can't meet the revocation deadlines, and exempt them, but require that they use 90-day certificates.

Thanks,

Ben
