[cabfpub] Revocation ballot

Geoff Keating geoffk at apple.com
Mon Jul 17 22:58:30 MST 2017

I do think these timeframes are a bit loose.  I wouldn’t like to see a CA explaining “well, we tried to contact the customer, and they haven’t replied, so we’re waiting the full fourteen business days” in response to being handed a copy of the private key.  Or if the actual domain owner appears and says “hey, you issued a certificate for my domain and I didn’t authorize it” and the CA then takes weeks to revoke.

However, I don’t think there’s so much of a problem in some specific cases:
- For item 1, the customer may voluntarily request a revocation at some time in the future.  The CA must still act on it within 24 hours of the requested time.  If the revocation is requested because of key compromise or change of information (and so is not voluntary; it is mandated by the Subscriber Agreement), the following items control.
- If the private key has been compromised, and the customer is contacted within 2 business days and accepts the risk, the subscriber may delay revocation for up to 1 week from the time the CA is first notified.  (This is item 3.)
- If there is a material change to the certificate information other than the DNS name, such as the address, I think the revocation can be delayed for up to 10 business days from the date the information changed, to allow a smooth changeover, if the customer requests it.  This only applies if the previous information was valid but has changed.  (This is item 8 or 10.)

I think you want to word these like this.  Otherwise you can end up in a scenario where someone reports a key compromise to the customer, the customer is required by the Subscriber Agreement to report it immediately to the CA and request revocation, which is not a Problem Report, and it must be revoked within 24 hours; but if it had been reported to the CA, it could have taken up to 2 weeks.  And of course if the reporter sees it’s not revoked fast enough, the reporter can then go to the CA and say the subscriber is not following their Subscriber Agreement, which might have consequences far beyond one certificate.

For all other items, I don’t see why 24 hours is unreasonable for the actual revocation.  I think setting a deadline on any investigations caused by a problem report is also a good idea, and think 24 hours for initial response then 3 business days for final action is OK.