I added the requirement to 4.9.3. That way all of the certificate problem reporting requirements are contained in a single section.
From: Tim Hollebeek [mailto:tholleb...@trustwave.com] Sent: Thursday, August 24, 2017 7:45 AM To: Adriano Santoni <adriano.sant...@staff.aruba.it>; CA/Browser Forum Public Discussion List <public@cabforum.org>; Jeremy Rowley <jeremy.row...@digicert.com> Subject: RE: [cabfpub] Revocation ballot v2 I think it’s probably cleaner to put a requirement for an email address for problem reports in 1.5.2 where it can have a SHALL. For some CAs it’s going to be the same address as the one that’s already required there. Implied requirements through carefully written definitions are easy to miss. -Tim From: Public [mailto:public-boun...@cabforum.org] On Behalf Of Adriano Santoni via Public Sent: Thursday, August 24, 2017 2:13 AM To: Jeremy Rowley <jeremy.row...@digicert.com <mailto:jeremy.row...@digicert.com> >; CA/Browser Forum Public Discussion List <public@cabforum.org <mailto:public@cabforum.org> > Subject: Re: [cabfpub] Revocation ballot v2 OK. then I agree. Il 24/08/2017 07:44, Jeremy Rowley ha scritto: Under this change, email is not the only way to manage Certificate Problem Reports. The change requires CAs to support at least email, but the CA may support any other methods they want to manage. Regardless of potential spam, requiring CAs to manage one mailing list doesn’t seem unreasonable considering how difficult/annoying other methods are. From: Public [mailto:public-boun...@cabforum.org] On Behalf Of Adriano Santoni via Public Sent: Wednesday, August 23, 2017 11:40 PM To: public@cabforum.org <mailto:public@cabforum.org> Subject: Re: [cabfpub] Revocation ballot v2 The problem I see with mandating an email address as the only way to report a problem to the CA is that mailboxes are subject to spamming. Our certificate problem reporting mailbox is being targeted to spam more and more, lately, and it is not always easy and quick to tell apart real problem reports and spam. Il 24/08/2017 02:45, Gervase Markham via Public ha scritto: On 23/08/17 17:39, Jeremy Rowley via Public wrote: “Certificate Problem Report: A complaint of suspected Key Compromise, Certificate misuse, or other types of fraud, compromise, misuse, or inappropriate conduct related to Certificates that is sent to an email address publicly specified in the CA’s repository. “ I think that if we want to mandate that the CA's Problem Reporting Mechanisms include at minimum an email address, we should say that in the relevant section, rather than slip it in here. I would be in support of such a change. :-) We are considering it for Mozilla policy. People currently find it too difficult to send reports to multiple CAs, having to cope with lots of different mechanisms. Gerv _______________________________________________ Public mailing list Public@cabforum.org <mailto:Public@cabforum.org> https://cabforum.org/mailman/listinfo/public <https://scanmail.trustwave.com/?c=4062&d=ne6e2Tm40TveA1JmOQYRaAomMM1rSPVAB19MCH3j3w&s=5&u=https%3a%2f%2fcabforum%2eorg%2fmailman%2flistinfo%2fpublic>
smime.p7s
Description: S/MIME cryptographic signature
_______________________________________________ Public mailing list Public@cabforum.org https://cabforum.org/mailman/listinfo/public
