[cabfpub] Ballot 159 - Amend Section 4 of Baseline Requirements

Ben Wilson ben.wilson at digicert.com
Thu Jan 21 20:01:52 UTC 2016


What if we amended section 4.9.2 to read, "The Subscriber can initiate revocation. Third parties can request revocation in accordance with Section 4.9.3. See also Section 3.4."?

From: Ryan Sleevi [mailto:sleevi at google.com]
Sent: Monday, January 4, 2016 11:03 AM
To: Ben Wilson <ben.wilson at digicert.com>
Cc: CABFPub <public at cabforum.org>
Subject: Re: [cabfpub] Ballot 159 - Amend Section 4 of Baseline Requirements



On Mon, Jan 4, 2016 at 8:04 AM, Ben Wilson <ben.wilson at digicert.com> wrote:

4) In Section 4.9.2 of the Baseline Requirements, add "The Subscriber can initiate revocation. Other parties who can request revocation include: the general public, the press/news media, or an Application Software Provider. See also Section 3.4."

Is there a reason the WG decided to provide an enumeration like this?

The concern I would have is that it reads as if it's a closed set (only these three parties), when arguably two ("the press/news media" and "Application Software Provider") are both subsets of the general public.

Also, why the choice of "Application Software Provider"? The current term of use in the BRs (v1.3.1) is "Application Software Supplier". The only use of "Application Software Provider" appears to be within the context of Section 7.1.3, which is also probably a typo. I figured CAs would be all on board calling us browsers ASSes :)

However, most importantly, I think the proposed change to 4.9.2 is somewhat in conflict with the NIST Guidelines and with Section 4.9.3. Third parties (that is, anyone who is not the Subscriber for a given certificate) may, at best, request that the CA investigate the certificate pursuant to Section 4.9.1. As presently worded, it essentially suggests that anyone can, at any time, point out a certificate and tell the CA to revoke it, which of course is neither practical nor intentional.

As far as I can tell, for Section 4.9.2, only one party is authorized to _request_ revocation: the Subscriber. The CA can also revoke (pursuant to Section 4.9.1), but that's not a request; that's a unilateral decision. MAYBE there's a carve-out for Registration Authorities, or maybe that's already considered within the definition of 4.9.1. But ASSes and the general public can only make CAs aware of violations of Section 4.9.1, making the CA aware that something has occurred. But I don't know if that constitutes a request for revocation.