On Mon, Aug 20, 2018 at 1:43 PM Doug Beattie
wrote:
> Tim,
>
> I agree that Vulnerability is different from key compromise and the
> actions we take should reflect that and I think we should try to keep 12
> and 13 type events in the 5-day list.
>
> Is our strategy to have
On Mon, Aug 20, 2018 at 9:17 AM Doug Beattie via Servercert-wg <
servercert...@cabforum.org> wrote:
> We’re having a hard time determining the differences between the following:
>
> The CA SHALL revoke a Certificate within 24 hours if:
>
> 3. The CA obtains evidence that the Subscriber's
Tim,
I agree that Vulnerability is different from key compromise and the actions we
take should reflect that and I think we should try to keep 12 and 13 type
events in the 5-day list.
Is our strategy to have vulnerabilities fall into the 5 day list and exploited
vulnerabilities fall
Vulnerability is different from key compromise. Replacing all the Heartbleed
certificates within 24 hours would have been a huge fire drill. It’s important
to get them replaced as quickly as possible, but mandatory revocation within
24 hours is going to make things worse, not better.