(for the avoidance of doubt: posting in a personal capacity)
On 23/11/2018 15:24, Enrico Entschew wrote:
> Timeline:
> 2018-11-12, 10:30 UTC Customer was contacted the first time. Customer runs an
> international critical trade platform for emissions. Immediate revocation of
> the certificate would cause irreparable harm to the public.
> <snip>
> 2018-11-22, 16:08 UTC The certificate with the serial number 3c 7c fb bf ea 35
> a8 96 c6 79 c6 5c 82 ec 40 13 was revoked by customer.
Some questions I have:
1) Don't the BR specify CAs MUST revoke within 24 hours (for some
issues) or 5 days (for others)? This looks like just over 10 days, and
was customer-prompted as opposed to set by the CA, it seems. Am I just
missing the part of the BRs that says ignoring the 5 days is OK if it's
"just" a syntax error?
2) what procedure does D-TRUST follow to ensure adequate revocation
times, and in particular, under what circumstances does it decide that
not revoking until the customer gives an OK is necessary (e.g. how does
it decide what constitutes an "international[ly] critical" site)? Is
this documented, e.g. in CPS or similar? Have auditors signed off on that?
3) can you elaborate on the system being down causing "irreparable
harm"? What would have happened if the cert had just been revoked after
24/120 hours? In this case, the website in question ( www.dehst.de ) has
been broken in Firefox for the past 64 or so hours (i.e. since about 6pm
UK time on Friday, when I first read your message) because the server
doesn't actually send the full chain of certs for its new certificate.
Given that the server (AFAICT) doesn't staple OCSP responses, I don't
imagine that practical breakage in a web browser would have been worse
if the original cert had been revoked immediately, given the CRL
revocation done last week hasn't appeared in CRLSet/OneCRL either.
~ Gijs
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
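The breakage Gijs describes in point 3, a server that sends only its leaf certificate and not the intermediate, is easy to reproduce without touching the real site. The following is an added example, not code from the thread or from D-TRUST: it builds a throw-away root / intermediate / leaf hierarchy in memory (all names are made up) and then checks a "served chain" the way a browser with no cached intermediates would, trusting only the root. With the intermediate missing, path building fails; with it present, it succeeds.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// testPKI is a throw-away hierarchy generated in memory so the example runs
// offline. Subject names are invented for this example.
type testPKI struct {
	Root, Intermediate, Leaf *x509.Certificate
}

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// mustCert signs tmpl with signer (the parent's key) and parses the result.
func mustCert(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

func caTemplate(serial int64, cn string, now time.Time) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
}

func buildTestPKI() testPKI {
	now := time.Now()
	rootKey, intKey, leafKey := newKey(), newKey(), newKey()

	rootTmpl := caTemplate(1, "Example Test Root", now)
	root := mustCert(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)

	intermediate := mustCert(caTemplate(2, "Example Test Intermediate", now), root, &intKey.PublicKey, rootKey)

	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(3),
		Subject:      pkix.Name{CommonName: "www.example.test"},
		DNSNames:     []string{"www.example.test"},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leaf := mustCert(leafTmpl, intermediate, &leafKey.PublicKey, intKey)

	return testPKI{Root: root, Intermediate: intermediate, Leaf: leaf}
}

// CheckServedChain models a client that trusts only roots and has no cached
// intermediates: served[0] is the leaf, and every issuer needed to reach a
// root must appear in served[1:]. It returns nil only if a path builds and
// the leaf is valid for hostname.
func CheckServedChain(served []*x509.Certificate, roots *x509.CertPool, hostname string) error {
	if len(served) == 0 {
		return fmt.Errorf("server sent no certificates")
	}
	intermediates := x509.NewCertPool()
	for _, c := range served[1:] {
		intermediates.AddCert(c)
	}
	_, err := served[0].Verify(x509.VerifyOptions{
		DNSName:       hostname,
		Roots:         roots,
		Intermediates: intermediates,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

func main() {
	pki := buildTestPKI()
	roots := x509.NewCertPool()
	roots.AddCert(pki.Root)
	host := "www.example.test"

	// Misconfigured server: leaf only, intermediate missing (fails).
	fmt.Println("leaf only:", CheckServedChain([]*x509.Certificate{pki.Leaf}, roots, host))
	// Correctly configured server: leaf followed by its intermediate (nil).
	fmt.Println("leaf+intermediate:", CheckServedChain([]*x509.Certificate{pki.Leaf, pki.Intermediate}, roots, host))
}
```

Against a live host the same check is `CheckServedChain(conn.ConnectionState().PeerCertificates, ...)` on a `crypto/tls` connection; that connection state's `OCSPResponse` field is empty when the server does not staple, which is the second point Gijs raises. Note that some clients fetch missing intermediates via the AIA extension or have them cached, which is why a chain like this can appear to work in one browser and fail in another.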