[cabfpub] Revocation ballot
jeremy.rowley at digicert.com
Thu Jul 13 12:24:46 MST 2017
Thanks Ryan - I missed that. IMO, we should leave the cap at 1 business day (or even 24 hours) for those two events. If the subscriber is requesting revocation, there's no reason to delay.
I don't mind adding a two week cap for the rest of the reasons if that helps.
From: Ryan Sleevi [mailto:sleevi at google.com]
Sent: Thursday, July 13, 2017 1:19 PM
To: Jeremy Rowley <jeremy.rowley at digicert.com>; CA/Browser Forum Public Discussion List <public at cabforum.org>
Subject: Re: [cabfpub] Revocation ballot
This seems rather problematic. I greatly appreciated DigiCert's past consideration of this, which was to set the absolute upper bound at no greater than two weeks.
As proposed, this would effectively make 22.214.171.124 and 126.96.36.199 pointless, as it leaves it fully up to CA discretion. As we've seen with the validation methods' "any other method", CA discretion creates significant challenges for relying parties and auditors to be assured of the integrity of the Web PKI and of the technical and material factors weighing in.
That is, I'm totally supportive of an approach that tries to balance
24 hours, but I think anything that allows for arbitrarily-determined revocation, as proposed, would be a big step backwards for the security and confidence in the PKI.
On Thu, Jul 13, 2017 at 2:47 PM, Jeremy Rowley via Public <public at cabforum.org> wrote:
> Hi all,
> I took Ben’s previous ballot proposal for changing revocation
> timelines and combined it with the timelines previously proposed.
> Basically, the timelines were established to still require CA
> responsiveness but balance with compromise notices that are received at weird hours or during holidays.
> Looking forward to your comments.