If reporting a suspected mis-issuance has the effect that revocation is expected, then I fear this will stifle CAs' willingness to report. It's the chilling effect that we IMHO already see in current ongoing discussions. ☹
I admit that I'm also at a point where I would rather keep quiet than voice my opinion.
Rgds
Roman
> --
> You received this message because you are subscribed to the Google Groups "CCADB Public" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to public+un...@ccadb.org.
Again, I'm not a native speaker. I used "suspects", you use "believes". In my non-native-speaking-gut-feeling, the former is less certain than the latter. But I might be wrong of course.
There are cases where everything is clear: somebody reports that a part of a certificate doesn't comply, or that a key is compromised, or that a CAA record wasn't checked => Revoke.
There are also cases where it's not that clear, because regulation isn't a mathematical definition and sometimes leaves room for interpretation. Now, for one person it might be crystal clear, but for somebody else there might be a need for interpretation / discussion.
> Are you saying that a CA shouldn’t act on that belief until someone else discovers the issue?
This is exactly the kind of question that is very difficult for me to answer. I never intended to say anything like that. I wanted to point out the chilling effect the current discussions are having.
Rgds
Roman
From: pub...@ccadb.org <pub...@ccadb.org>
On Behalf Of Mike Shaver
Sent: Wednesday, 19 June 2024 14:32
To: public <pub...@ccadb.org>
Subject: Re: Revocation necessity: subjective or objective
On Wed, Jun 19, 2024 at 2:56 AM Roman Fischer <roman....@swisssign.com> wrote:
> Certainly in a complex situation the CA might be genuinely unsure if misissuance happened. However it's always safe to revoke and reissue with a known good procedure.
While I agree with the first part, I don’t agree with that second sentence.
If the situation, or potential issue is complex, there’s also a large chance that the fix is not easy. Think of a situation where the CA would need to make code changes in order to change the behaviour. Or, think of a case where the CA is unsure, yet they’re also unsure about what the right option might be. In such a case, performing a reissue is (a) a serious effort for the CA, when code changes, QA and deployments are involved, and (b) a risk, if in the end it is determined the original behaviour was valid. Perhaps now the reissued certificate is misissued, and thus the CA actually has an incident report to write.
There is something else around revocation timing that we’ve found to be somewhat troubling however.
One of the reasons for revocation in TLS BR Section 4.9.1.1 is “The CA determines or is made aware that any of the information appearing in the Certificate is inaccurate”. This is usually a reason that we connect to Certificate Problem Reports.
At the same time, Section 4.9.5 states “The period from receipt of the Certificate Problem Report or revocation-related notice to published revocation MUST NOT exceed the time frame set forth in Section 4.9.1.1”.
We find that “Determines or is made aware of” should relate to when the CA has completed investigation and determines it is a case of misissuance.
While for most cases this works fine, what if the CA does receive a CPR about which they’re uncertain? Section 4.9.1.1 seems to allow for a discussion after which the CA can still determine that it has been misissued, but the language in Section 4.9.5 would suggest that this is not an option if that discussion takes more than 5 days (which, when having the discussion in public, can happen).
At the same time, this language does protect us all from allowing a CA to take days if not weeks to determine that something has been misissued.