On Wed, May 16, 2018 at 4:00 PM, Wayne Thayer via Public < [email protected]> wrote:
> Last year, Jeremy proposed changes to section 4.9 of the BRs. I'd like to
> revive that discussion with the following ballot proposal:
> https://github.com/cabforum/documents/compare/master...wthayer:patch-1
>
> Summary of Changes:
> * The first change creates a tiered timeline for revocations. The most
> critical "reasons" still require revocation within 24 hours, but for many
> others 24 hours becomes a SHOULD and the CA has 5 days before they MUST
> revoke. This was the original motivation for the ballot, due in part to
> last year's wave of misissued certs identified by linting tools.

I'm not sure that matches my understanding or the early discussions. In several cases, it was a Subscriber self-own, and the risk that revocation was perceived as having impact to those subscribers. I'm not sympathetic to CAs' linting failures being a reason to extend revocation dates. If a CA fails to abide by the Guidelines, and customers of that CA are affected, they may want to choose CAs that are more carefully and correctly operated. That's not a lack of sympathy - that's a recognition that extensions for CA failure are a perverse incentive to reward failure. I fully acknowledge it's a tension, though, and am simply hesitant to open the door to some gradations of CA screw-ups, while acknowledging the challenges that sites that have not switched to automated solutions face when presented with revocation.
_______________________________________________
Public mailing list
[email protected]
https://cabforum.org/mailman/listinfo/public
