On Wed, Aug 29, 2018 at 7:33 AM Bruce Morton <bruce.mor...@entrustdatacard.com> wrote:

> Works for me.
>
> Bruce.
>
> On Aug 29, 2018, at 10:29 AM, Ryan Sleevi <sle...@google.com> wrote:
>
> Just to confirm: Your concern is about the CA feeling that the evidence
> does not meet any of the requirements to revoke, and wanting it to be clear
> that that is a valid outcome of a problem report, correct?
>
> The problem with the suggested wording (and perhaps implicit in the
> existing wording) is that it suggests that the period to "work with the
> Subscriber and any entity" is unbounded, and once a determination is made,
> then it must be within the bounds of 4.9.1.1's time period. That is, say,
> 24 hours + as much "work with" time as you want. This is because the
> modified wording seemingly attaches the "which MUST not" to the date in
> which the CA will revoke, rather than the overall process.
>
> The CA SHALL work with the Subscriber and any entity reporting the
> Certificate Problem Report or other revocation-related notice to establish
> whether or not the certificate will be revoked, and if so, a date which the
> CA will revoke the certificate. The period from report to published
> revocation MUST NOT exceed the time frame set forth in Section 4.9.1.1.
>

Does "report" here mean the preliminary report on its findings, or the Certificate Problem Report? I am happy to accept this change once that is clarified.

> Does that work for you?
>
> On Wed, Aug 29, 2018 at 10:16 AM Bruce Morton via Servercert-wg <servercert...@cabforum.org> wrote:
>
>> I am concerned with this statement, “the CA SHALL work with the
>> Subscriber and any entity reporting the Certificate Problem Report or other
>> revocation-related notice to establish a date when the CA will revoke the
>> Certificate which MUST not exceed the time frame set forth in Section
>> 4.9.1.1.”
>>
>> This statement appears to assume that the certificate will be revoked. I
>> assume that the investigation may conclude that the certificate will not be
>> revoked. As such, could we change the statement to say “the CA SHALL work
>> with the Subscriber and any entity reporting the Certificate Problem Report
>> or other revocation-related notice to establish whether or not the
>> certificate will be revoked, and if so, a date when the CA will revoke the
>> Certificate which MUST not exceed the time frame set forth in Section
>> 4.9.1.1.”
>>
>> Thanks, Bruce.
>>
>
_______________________________________________
Public mailing list
Public@cabforum.org
https://cabforum.org/mailman/listinfo/public