I’ll have to defer to others on the investigation period. We usually make the
determination of a mis-issuance within 24 hours. The only difficulty on our
side is contacting the subscriber so they know about the revocation.
I’d much rather have a 24 hour investigation period followed by a 2 week
revocation window than a 7 day investigation period followed by a 1 week
revocation window because a) it keeps feedback going to the reporter on a
timeline basis, b) action items under the CA’s control are accelerated, and c)
the CA’s job is to issue and manage certificates for its customers – revocation
and investigation is part of that responsibility.
From: Ryan Sleevi [mailto:[email protected]] 
Sent: Thursday, August 24, 2017 9:18 AM
To: Jeremy Rowley <[email protected]>; CA/Browser Forum Public 
Discussion List <[email protected]>
Cc: Gervase Markham <[email protected]>
Subject: Re: [cabfpub] Revocation ballot v2
On Wed, Aug 23, 2017 at 11:32 PM, Jeremy Rowley via Public <[email protected]> wrote:

Okay - attached.

a) I added the requirement to maintain an email address for addressing 
certificate problem reports to 4.9.3
b) I added a 24 hour rule for when the original certificate request was not 
authorized.
Jeremy,
I'm wondering if you could speak more to what sort of challenges CAs face in
making a determination within 24 hours, versus seven days.
For example, consider a report of a CP/CPS non-compliance - which is something 
entirely under the CA's control - particularly for something like a profile 
violation (e.g. extensions when they said they wouldn't have them, missing 
subject naming fields, wrong policies, etc). Why wouldn't a CA be able to make 
a determination about compliance within 24 hours? One downside is I could see 
the added time for investigation adding an incentive to delay investigating (in 
order to delay revocation), rather than purely granting the flexibility 
necessary for complex situations.
I think it would help if you (or others) could share a bit more about the challenges of
investigating reports, since I think, ideally, we'd want all reports to be
taken with the same gravity and attentiveness as a potential security issue. I
ask this because I'm wondering whether it makes sense to set the standard of
the _final_ report at 24 hours, but then allow CAs to take up to 7 days (except
for the types of reports you noted) as an exception, and with an added
requirement to disclose why they made use of the additional time.
That is, let's say someone gets report of a CP/CPS violation, and the CA 
determines that the current BR language is unclear, and they need additional 
time to consult with their auditors and/or the broader community. That seems a 
perfectly reasonable reason to take up to the 7 days - to make sure the 
violation is certain - but it also means we may not know of the potential 
confusion in the language, or the auditors' conclusions, as a community. If we 
have those types of situations disclosed (through, say, a public mail posting 
explaining why the >24 hour investigation took place, and what the challenges 
were), we can, as a community, better address those situations and work on 
improvements.
I'm wondering if that might address your concern about "two weeks", while also
helping the community better understand the challenges so we can work to improve
them (in the case they're ambiguities) or collaboratively share best practices
(in the case of other factors).
_______________________________________________
Public mailing list
[email protected]
https://cabforum.org/mailman/listinfo/public