[cabfpub] Revocation ballot
sleevi at google.com
Thu Jul 13 12:18:51 MST 2017
This seems rather problematic. I greatly appreciated DigiCert's past
consideration of this, which was to set the absolute upper bound at no
greater than two weeks.

As proposed, this would effectively make 188.8.131.52 and 184.108.40.206
pointless, as it leaves it fully up to CA discretion. As we've seen
with the validation methods' "any other method", CA discretion creates
significant challenges for relying parties and auditors to be assured
of the integrity of the Web PKI and of the technical and material
factors weighing in.

That is, I'm totally supportive of an approach that tries to balance
24 hours, but I think anything that allows for arbitrarily-determined
revocation, as proposed, would be a big step backwards for the
security and confidence in the PKI.

On Thu, Jul 13, 2017 at 2:47 PM, Jeremy Rowley via Public
<public at cabforum.org> wrote:
> Hi all,
> I took Ben’s previous ballot proposal for changing revocation timelines and
> combined it with the timelines previously proposed. Basically, the
> timelines were established to still require CA responsiveness but balance
> with compromise notices that are received at weird hours or during holidays.
> Looking forward to your comments.