Revocation necessity: subjective or objective

1,241 views
Skip to first unread message

Watson Ladd

unread,
Jun 18, 2024, 6:35:14 PMJun 18
to public
Hello,

In a discussion on Bugzilla we approached the following hypothetical scenario:
1: A CA believes they have miss-issued a certificate
2: They fail to revoke in 5 days
3: They discover that in fact they issued correctly.

My question is simple: is the failure to timely revoke a violation of
the baseline requirements? I believe it is for the following reason. A
CAs past behavior is an indication of the degree future trust that can
be put in it. How it acts in this case is evidence of how it acts with
other mississuance cases. It also seems to add a great deal of moral
luck if the reason there wasn't a problem was unknown to the CA.
Imagine that they thought DNS validation wasn't working properly, but
in fact there had been proper DNS checks working all during that time.
They would be safe by accident. I do see how one could read the BRs
otherwise, but I don't think that's as good a reading.

Sincerely,
Watson Ladd

--
Astra mortemque praestare gradatim

Jeffrey Walton

unread,
Jun 18, 2024, 7:28:59 PMJun 18
to Watson Ladd, public
I think the important part to inflect upon is the CA's belief from
[0-5] days. That's the time the CA and community believed the
certificate was mis-issued, and the revocation should have occured.

If the certificate in question expired on day 6, would that change the
fact it was not revoked within 5 days?

Jeff

Roman Fischer

unread,
Jun 19, 2024, 1:21:49 AMJun 19
to public
Would the situation change if it was

1: A CA suspects they have miss-issued certificates but are not 100% sure about the interpretation of the regulation
2: They ask for community feedback
3: ...
?

Kind regards
Roman
--
You received this message because you are subscribed to the Google Groups "CCADB Public" group.
To unsubscribe from this group and stop receiving emails from it, send an email to public+un...@ccadb.org.
To view this discussion on the web visit https://groups.google.com/a/ccadb.org/d/msgid/public/CACsn0cn-QcPo4QWgZDcmOmCHtCOmchA3wuWb9SXpk1o_Un3eBw%40mail.gmail.com.

Watson Ladd

unread,
Jun 19, 2024, 2:40:09 AMJun 19
to Roman Fischer, public
I'm not sure the community feedback is the relevant part here.

Certainly in a complex situation the CA might be genuinely unsure if
mississuance happened. However it's always safe to revoke and reissue
with a known good procedure. There's a point where this is pointless,
and one where it's necessary, and I'm not going to pretend I know
ahead of time or even afterwards necessarily. But that's why I think
it's important to focus on what the CA believes. We can't reasonably
hold CAs responsible for revoking certs they didn't know were
mississued, unless they really should have. We can hold them
responsible for recovocation they know needs to happen. And I don't
think acquiring that knowledge is necessarily instant (although they
do need to properly investigate).

Asking the community doesn't change that equation.

Sincerely,
Watson Ladd
> To view this discussion on the web visit https://groups.google.com/a/ccadb.org/d/msgid/public/ZR0P278MB0170B1AE2121700FAB11F041FACF2%40ZR0P278MB0170.CHEP278.PROD.OUTLOOK.COM.

Roman Fischer

unread,
Jun 19, 2024, 2:56:56 AMJun 19
to public

If reporting a suspected mis-issuance has the effect that revocation is expected, then I fear this will stifle CAs willingness to report. It's the chilling effect that we IMHO already see in current ongoing discussions.

 

I admit that I'm also at a point where I rather keep quiet than voicing my opinion.

 

Rgds

Roman

> 

> --

> You received this message because you are subscribed to the Google Groups "CCADB Public" group.

> To unsubscribe from this group and stop receiving emails from it, send an email to public+un...@ccadb.org.

Mike Shaver

unread,
Jun 19, 2024, 8:32:32 AMJun 19
to public
On Wed, Jun 19, 2024 at 2:56 AM Roman Fischer <roman....@swisssign.com> wrote:

If reporting a suspected mis-issuance has the effect that revocation is expected, then I fear this will stifle CAs willingness to report. It's the chilling effect that we IMHO already see in current ongoing discussions.

 

I admit that I'm also at a point where I rather keep quiet than voicing my opinion.

Apologies, but I think I don’t quite understand what you’re saying here.

What do you think should happen if a CA believes that they have mis-issued certificates, if not revocation?

Are you saying that a CA shouldn’t act on that belief until someone else discovers the issue?

Mike

Roman Fischer

unread,
Jun 19, 2024, 9:16:57 AMJun 19
to public

Again, I'm not a native speaker. I used "suspects", you use "believes". In my non-native-speaking-gut-feeling, the former is less certain than the latter. But I might be wrong of course.

 

There are cases where everything is clear: Somebody reports that a part of a certificate doesn't comply or that a key is compromised or a CAA-record wasn't checked => Revoke.

 

There are also cases where it's not that clear because regulation isn't a mathematical definition and sometime leaves room for interpretation. Now, for one person it might be crystal clear, but for somebody else, there might me need for interpretation / discussion.

 

> Are you saying that a CA shouldn’t act on that belief until someone else discovers the issue?

 

This is exactly the kind of question that is very difficult for me to answer. I never intended to say anything like that. I wanted to point out the chilling effect the current discussions are having.

 

Rgds
Roman

 

From: pub...@ccadb.org <pub...@ccadb.org> On Behalf Of Mike Shaver
Sent: Mittwoch, 19. Juni 2024 14:32
To: public <pub...@ccadb.org>
Subject: Re: Revocation necessity: subjective or objective

 

On Wed, Jun 19, 2024 at 2:56AM Roman Fischer <roman....@swisssign.com> wrote:

--

You received this message because you are subscribed to the Google Groups "CCADB Public" group.
To unsubscribe from this group and stop receiving emails from it, send an email to public+un...@ccadb.org.

Martijn Katerbarg

unread,
Jun 19, 2024, 9:54:14 AMJun 19
to CCADB Public

> Certainly in a complex situation the CA might be genuinely unsure if mississuance happened. However it's always safe to revoke and reissue with a known good procedure.

While I agree with the first part, I don’t agree with that second sentence.

If the situation, or potential issue is complex, there’s also a large chance that the fix is not easy. Think of a situation where the CA would need to make code changes in order to change the behaviour. Or, think of a case where the CA is unsure, yet they’re also unsure about what the right option might be. In such a case, performing a reissue is (a) a serious effort for the CA, when code changes, QA and deployments are involved, and (b) a risk, if in the end it is determined the original behaviour was valid. Perhaps now the reissued certificate is misissued, and thus the CA actually has an incident report to write.

There is something else around revocation timing that we’ve found to be somewhat troubling however.

One of the reasons for revocation in TLS BR Section 4.9.1.1 is “The CA determines or is made aware that any of the information appearing in the Certificate is inaccurate”. This is usually a reason that we connect to Certificate Problem Reports.
At the same time, Section 4.9.5 states “The period from receipt of the Certificate Problem Report or revocation-related notice to published revocation MUST NOT exceed the time frame set forth in Section 4.9.1.1”.

We find that “Determines or is made aware of” should relate to when the CA has completed investigation and determines it is a case of misissuance.

While for most cases this works fine, what if the CA does receive a CPR of which they’re uncertain. Section 4.9.1.1 seems to allow for a discussion after which the CA can still determine that it has been misissued, but the language in Section 4.9.5 would suggest that this is not an option, if that discussion takes more than 5 days (which, when having the discussion in public, can happen).

At the same time, this language does protect us all from allowing a CA to take days if not weeks to determine that something has been misissued.



Op woensdag 19 juni 2024 om 15:16:57 UTC+2 schreef Roman Fischer:

Dimitris Zacharopoulos (HARICA)

unread,
Jun 19, 2024, 10:13:46 AMJun 19
to pub...@ccadb.org

Historically, the interpretation of revocation case 4.9.1.1(12) and
other similar reasons that start with "the CA is made aware" or "the CA
determines", leaves some room for the CA to evaluate inputs before
making a final determination. The community and Root Programs can do
their independent evaluations (or "determinations") but the BRs
currently leave the CA some room to "become aware" or to "determine".
The 5-day revocation clock starts when the CA "determines" or "becomes
aware" which can be after the input of the community or the opinion of
Root Programs.

Again, I'm not judging if this is proper or not, but this is how the
current rules are written.

Dimitris.

Dimitris Zacharopoulos (HARICA)

unread,
Jun 19, 2024, 10:19:07 AMJun 19
to pub...@ccadb.org


On 19/6/2024 5:13 μ.μ., 'Dimitris Zacharopoulos (HARICA)' via CCADB
Public wrote:
>
> Historically, the interpretation of revocation case 4.9.1.1(12) and
> other similar reasons that start with "the CA is made aware" or "the
> CA determines", leaves some room for the CA to evaluate inputs before
> making a final determination. The community and Root Programs can do
> their independent evaluations (or "determinations") but the BRs
> currently leave the CA some room to "become aware" or to "determine".
> The 5-day revocation clock starts when the CA "determines" or "becomes
> aware" which can be after the input of the community or the opinion of
> Root Programs.
>

I saw Martijn's answer after sending mine. My statement about the start
of the 5-day revocation clock still stands, unless triggered by a
Certificate Problem Report (as described in section 4.9.5 of the BRs).

Dimitris.
Reply all
Reply to author
Forward
0 new messages