Hi Aaron,
This seems reasonable to me. It might also be worth adding a similar timeline
to 6.1.1.5.(1) so that, under a circumstance in which the Debian-weak-keys repo
is updated, there is some amount of time for CAs to ensure their own systems
are also updated. Since that repo is under the control of the CA/BF, we should
know ahead of time if it’s going to be updated, so maybe it’s not really
necessary, but just a thought.
Cheers,
-Clint
> On May 8, 2024, at 2:15 PM, Aaron Gable via Servercert-wg
> wrote:
>
> Section 6.1.1.3 (4) of the Baseline Requirements (as of Ballot SC-073) says
> "The CA SHALL reject a certificate request if... the CA has previously been
> notified that the Applicant's Private Key has suffered a Key Compromise using
> the CA's procedure for revocation request".
> Section 4.9.1.1 (3) of the Baseline Requirements says "The CA SHALL revoke a
> Certificate within 24 hours... if... the CA obtains evidence that the
> Subscriber's Private Key... suffered a Key Compromise".
>
> Imagine the following hypothetical:
> 1. A CA issues a certificate containing a particular public key.
> 2. The private key corresponding to that public key is compromised, and this
> compromise is reported via the CA's revocation request procedure.
> 3. _Immediately_ thereafter, the CA receives another request for a
> certificate containing the same public key.
>
> Is the CA required to reject the certificate request in Step 3?
>
> Arguments for "yes":
> * By virtue of being notified via the revocation request procedure, the CA
> has been made aware of the compromise, and therefore must reject it.
>
> Arguments for "no":
> * It is obviously impossible for a CA to _immediately_ begin rejecting such
> requests; this is why CAs have a 24-hour timeline for revocation.
> * The relevant text in Section 4.9.1.1 uses the phrase "obtains evidence"
> rather than "made aware", so perhaps the CA is only "made aware" of the key
> compromise somewhere later in the revocation and blocking process.
>
> If I were to propose a ballot which introduces a 24-hour timeline into
> Section 6.1.1.3 (4), would others be willing to endorse?
>
> Thanks,
> Aaron
> ___
> Servercert-wg mailing list
> Servercert-wg@cabforum.org
> https://lists.cabforum.org/mailman/listinfo/servercert-wg