Revocation necessity: subjective or objective
Watson Ladd
In a discussion on Bugzilla we approached the following hypothetical scenario:
1: A CA believes they have miss-issued a certificate
2: They fail to revoke in 5 days
3: They discover that in fact they issued correctly.
My question is simple: is the failure to timely revoke a violation of
the baseline requirements? I believe it is for the following reason. A
CAs past behavior is an indication of the degree future trust that can
be put in it. How it acts in this case is evidence of how it acts with
other mississuance cases. It also seems to add a great deal of moral
luck if the reason there wasn't a problem was unknown to the CA.
Imagine that they thought DNS validation wasn't working properly, but
in fact there had been proper DNS checks working all during that time.
They would be safe by accident. I do see how one could read the BRs
otherwise, but I don't think that's as good a reading.
Sincerely,
Watson Ladd
--
Astra mortemque praestare gradatim
Jeffrey Walton
[0-5] days. That's the time the CA and community believed the
certificate was mis-issued, and the revocation should have occured.
If the certificate in question expired on day 6, would that change the
fact it was not revoked within 5 days?
Jeff
Roman Fischer
1: A CA suspects they have miss-issued certificates but are not 100% sure about the interpretation of the regulation
2: They ask for community feedback
3: ...
?
Kind regards
Roman
You received this message because you are subscribed to the Google Groups "CCADB Public" group.
To unsubscribe from this group and stop receiving emails from it, send an email to public+un...@ccadb.org.
To view this discussion on the web visit https://groups.google.com/a/ccadb.org/d/msgid/public/CACsn0cn-QcPo4QWgZDcmOmCHtCOmchA3wuWb9SXpk1o_Un3eBw%40mail.gmail.com.
Watson Ladd
Certainly in a complex situation the CA might be genuinely unsure if
mississuance happened. However it's always safe to revoke and reissue
with a known good procedure. There's a point where this is pointless,
and one where it's necessary, and I'm not going to pretend I know
ahead of time or even afterwards necessarily. But that's why I think
it's important to focus on what the CA believes. We can't reasonably
hold CAs responsible for revoking certs they didn't know were
mississued, unless they really should have. We can hold them
responsible for recovocation they know needs to happen. And I don't
think acquiring that knowledge is necessarily instant (although they
do need to properly investigate).
Asking the community doesn't change that equation.
Sincerely,
Watson Ladd
Roman Fischer
If reporting a suspected mis-issuance has the effect that revocation is expected, then I fear this will stifle CAs willingness to report. It's the chilling effect that we IMHO already see in current ongoing discussions. ☹
I admit that I'm also at a point where I rather keep quiet than voicing my opinion.
Rgds
Roman
>
> --
> You received this message because you are subscribed to the Google Groups "CCADB Public" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to public+un...@ccadb.org.
Mike Shaver
If reporting a suspected mis-issuance has the effect that revocation is expected, then I fear this will stifle CAs willingness to report. It's the chilling effect that we IMHO already see in current ongoing discussions. ☹
I admit that I'm also at a point where I rather keep quiet than voicing my opinion.
Roman Fischer
Again, I'm not a native speaker. I used "suspects", you use "believes". In my non-native-speaking-gut-feeling, the former is less certain than the latter. But I might be wrong of course.
There are cases where everything is clear: Somebody reports that a part of a certificate doesn't comply or that a key is compromised or a CAA-record wasn't checked => Revoke.
There are also cases where it's not that clear because regulation isn't a mathematical definition and sometime leaves room for interpretation. Now, for one person it might be crystal clear, but for somebody else, there might me need for interpretation / discussion.
> Are you saying that a CA shouldn’t act on that belief until someone else discovers the issue?
This is exactly the kind of question that is very difficult for me to answer. I never intended to say anything like that. I wanted to point out the chilling effect the current discussions are having.
Rgds
Roman
From: pub...@ccadb.org <pub...@ccadb.org>
On Behalf Of Mike Shaver
Sent: Mittwoch, 19. Juni 2024 14:32
To: public <pub...@ccadb.org>
Subject: Re: Revocation necessity: subjective or objective
On Wed, Jun 19, 2024 at 2:56 AM Roman Fischer <roman....@swisssign.com> wrote:
--
You received this message because you are subscribed to the Google Groups "CCADB Public" group.
To unsubscribe from this group and stop receiving emails from it, send an email to
public+un...@ccadb.org.
To view this discussion on the web visit https://groups.google.com/a/ccadb.org/d/msgid/public/CADQzZqtviFH_zcn16QXg1We%3Dx40DFgbBo8_rY5KA5b4WgVKSEQ%40mail.gmail.com.
Martijn Katerbarg
> Certainly in a complex situation the CA might be genuinely unsure if mississuance happened. However it's always safe to revoke and reissue with a known good procedure.
While I agree with the first part, I don’t agree with that second sentence.
If the situation, or potential issue is complex, there’s also a large chance that the fix is not easy. Think of a situation where the CA would need to make code changes in order to change the behaviour. Or, think of a case where the CA is unsure, yet they’re also unsure about what the right option might be. In such a case, performing a reissue is (a) a serious effort for the CA, when code changes, QA and deployments are involved, and (b) a risk, if in the end it is determined the original behaviour was valid. Perhaps now the reissued certificate is misissued, and thus the CA actually has an incident report to write.
There is something else around revocation timing that we’ve found to be somewhat troubling however.
One of the reasons for revocation in TLS BR Section 4.9.1.1
is “The CA determines or is made aware that any of the information appearing in
the Certificate is inaccurate”. This is usually a reason that we connect to
Certificate Problem Reports.
At the same time, Section 4.9.5 states “The period from receipt of the
Certificate Problem Report or revocation-related notice to published revocation
MUST NOT exceed the time frame set forth in Section 4.9.1.1”.
We find that “Determines or is made aware of” should relate to when the CA has completed investigation and determines it is a case of misissuance.
While for most cases this works fine, what if the CA does receive a CPR of which they’re uncertain. Section 4.9.1.1 seems to allow for a discussion after which the CA can still determine that it has been misissued, but the language in Section 4.9.5 would suggest that this is not an option, if that discussion takes more than 5 days (which, when having the discussion in public, can happen).
At the same time, this language does protect us all from allowing a CA to take days if not weeks to determine that something has been misissued.
Dimitris Zacharopoulos (HARICA)
Historically, the interpretation of revocation case 4.9.1.1(12) and
other similar reasons that start with "the CA is made aware" or "the CA
determines", leaves some room for the CA to evaluate inputs before
making a final determination. The community and Root Programs can do
their independent evaluations (or "determinations") but the BRs
currently leave the CA some room to "become aware" or to "determine".
The 5-day revocation clock starts when the CA "determines" or "becomes
aware" which can be after the input of the community or the opinion of
Root Programs.
Again, I'm not judging if this is proper or not, but this is how the
current rules are written.
Dimitris.
Dimitris Zacharopoulos (HARICA)
On 19/6/2024 5:13 μ.μ., 'Dimitris Zacharopoulos (HARICA)' via CCADB
>
> Historically, the interpretation of revocation case 4.9.1.1(12) and
> other similar reasons that start with "the CA is made aware" or "the
> CA determines", leaves some room for the CA to evaluate inputs before
> making a final determination. The community and Root Programs can do
> their independent evaluations (or "determinations") but the BRs
> currently leave the CA some room to "become aware" or to "determine".
> The 5-day revocation clock starts when the CA "determines" or "becomes
> aware" which can be after the input of the community or the opinion of
> Root Programs.
>
of the 5-day revocation clock still stands, unless triggered by a
Certificate Problem Report (as described in section 4.9.5 of the BRs).
Dimitris.