On Wed, May 16, 2018 at 1:19 PM Ryan Sleevi <[email protected]> wrote:
> On Wed, May 16, 2018 at 4:00 PM, Wayne Thayer via Public <[email protected]> wrote:
>
>> Last year, Jeremy proposed changes to section 4.9 of the BRs. I'd like to
>> revive that discussion with the following ballot proposal:
>> https://github.com/cabforum/documents/compare/master...wthayer:patch-1
>>
>> Summary of Changes:
>> * The first change creates a tiered timeline for revocations. The most
>> critical "reasons" still require revocation within 24 hours, but for many
>> others 24 hours becomes a SHOULD and the CA has 5 days before they MUST
>> revoke. This was the original motivation for the ballot, due in part to
>> last year's wave of misissued certs identified by linting tools.
>
> I'm not sure that matches my understanding or the early discussions. In
> several cases, it was a Subscriber self-own, and the risk that revocation
> was perceived as having impact to those subscribers.

That's fair. I'm unclear on the meaning of "Subscriber self-own", but agree that the concern was the impact a rushed revocation often has on the Subscriber and their website.

> I'm not sympathetic to CAs' linting failures being a reason to extend
> revocation dates. If a CA fails to abide by the Guidelines, and customers
> of that CA are affected, they may want to choose CAs that are more
> carefully and correctly operated. That's not a lack of sympathy - that's a
> recognition that extensions for CA failure are a perverse incentive to
> reward failure.
>
> I fully acknowledge it's a tension, though, and am simply hesitant to open
> the door to some gradations of CA screw-ups, while acknowledging the
> challenges that sites that have not switched to automated solutions face
> when presented with revocation.
_______________________________________________
Public mailing list
[email protected]
https://cabforum.org/mailman/listinfo/public
