Hi Aaron,

This seems reasonable to me. It might also be worth adding a similar timeline to 6.1.1.5.(1) so that, under a circumstance in which the Debian-weak-keys repo is updated, there is some amount of time for CAs to ensure their own systems are also updated. Since that repo is under the control of the CA/BF, we should know ahead of time if it’s going to be updated, so maybe it’s not really necessary, but just a thought.

Cheers,
-Clint

> On May 8, 2024, at 2:15 PM, Aaron Gable via Servercert-wg <servercert-wg@cabforum.org> wrote:
>
> Section 6.1.1.3 (4) of the Baseline Requirements (as of Ballot SC-073) says "The CA SHALL reject a certificate request if... the CA has previously been notified that the Applicant's Private Key has suffered a Key Compromise using the CA's procedure for revocation request".
> Section 4.9.1.1 (3) of the Baseline Requirements says "The CA SHALL revoke a Certificate within 24 hours... if... the CA obtains evidence that the Subscriber's Private Key... suffered a Key Compromise".
>
> Imagine the following hypothetical:
> 1. A CA issues a certificate containing a particular public key.
> 2. The private key corresponding to that public key is compromised, and this compromise is reported via the CA's revocation request procedure.
> 3. _Immediately_ thereafter, the CA receives another request for a certificate containing the same public key.
>
> Is the CA required to reject the certificate request in Step 3?
>
> Arguments for "yes":
> * By virtue of being notified via the revocation request procedure, the CA has been made aware of the compromise, and therefore must reject it.
>
> Arguments for "no":
> * It is obviously impossible for a CA to _immediately_ begin rejecting such requests; this is why CAs have a 24-hour timeline for revocation.
> * The relevant text in Section 4.9.1.1 uses the phrase "obtains evidence" rather than "made aware", so perhaps the CA is only "made aware" of the key compromise somewhere later in the revocation and blocking process.
>
> If I were to propose a ballot which introduces a 24-hour timeline into Section 6.1.1.3 (4), would others be willing to endorse?
>
> Thanks,
> Aaron
> _______________________________________________
> Servercert-wg mailing list
> Servercert-wg@cabforum.org
> https://lists.cabforum.org/mailman/listinfo/servercert-wg