Draft Ballot SC-XX: Improve Certificate Problem Reports and Clarify the Meaning of Revocation #622
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change | ||||
|---|---|---|---|---|---|---|
|
|
@@ -517,6 +517,10 @@ The script outputs: | |||||
|
|
||||||
| [https://www.iana.org/assignments/iana-ipv6-special-registry/iana-ipv6-special-registry.xhtml](https://www.iana.org/assignments/iana-ipv6-special-registry/iana-ipv6-special-registry.xhtml) | ||||||
|
|
||||||
| **Revoked**: Effective 2026-09-15, the following conditions must be met for a Certificate to be considered revoked: | ||||||
| - if the certificate contains a CRL Distribution Point URI: a CRL containing the certificate serial number is available for consumption by Relying Parties at that URI. | ||||||
| - if the certificate contains an Authority Information Access OCSP URI: an OCSP request to that URI for the certificate serial number results in a response with a `certStatus` value of `revoked`. | ||||||
|
|
||||||
| **Reverse Zone Domain Name**: the FQDN in the `.arpa` namespace that corresponds to an IP address. This FQDN is constructed by converting the IP address to a sequence of labels followed by the applicable IP Reverse Zone Suffix, as specified in RFC 1035 (for IPv4 addresses) and RFC 3596 (for IPv6 addresses). | ||||||
|
|
||||||
| **Root CA**: The top level Certification Authority whose Root Certificate is distributed by Application Software Suppliers and that issues Subordinate CA Certificates. | ||||||
|
|
@@ -1600,18 +1604,48 @@ The Subscriber, RA, or Issuing CA can initiate revocation. Additionally, Subscri | |||||
|
|
||||||
| ### 4.9.3 Procedure for revocation request | ||||||
|
|
||||||
| Prior to 2026-09-15, for Section 4.9.3 of these Requirements, the CA SHALL adhere to these Requirements or Version 2.2.5 of the Baseline Requirements for TLS Server Certificates. Effective 2026-09-15, the CA SHALL adhere to these Requirements. | ||||||
|
|
||||||
| The CA's Certificate Policy or Certification Practice Statement MUST describe a process for Subscribers to request revocation of their own Certificates. | ||||||
|
|
||||||
| The CA SHALL maintain a continuous 24x7 ability to accept and respond to revocation requests. | ||||||
|
There was a problem hiding this comment. As discussed at the Houston F2F, the 24x7 availability is used in a number of places, but it is not realistic for every CA to have 100% up-time. Should we shift to something like "The CA SHALL maintain a reliable option (>99.9%) to accept and respond to revocation requests." Enforcement would be challenging, but that would only be an issue in really egregious cases which can be addressed via the incident process. There was a problem hiding this comment. I agree that "continuous 24x7" is an impossible standard. However, replacing it with a specific percentage still conflates system uptime with procedural response. I think we should first fix that structural issue by separating the two concepts, and I propose the following change: The separate and more complex topic of defining a specific uptime percentage deserves a full discussion in a self-contained ballot. I believe we should not let that larger debate hold up this important structural improvement. |
||||||
|
|
||||||
| The CA SHALL provide Subscribers, Relying Parties, Application Software Suppliers, and other third parties with clear instructions for reporting suspected Private Key Compromise, Certificate misuse, or other types of fraud, compromise, misuse, inappropriate conduct, or any other matter related to Certificates. The CA SHALL publicly disclose the instructions in Section 1.5.2 of their CPS and SHOULD additionally disclose the instructions through readily accessible online means (e.g. a KB article, dedicated webpage, FAQ). | ||||||
|
There was a problem hiding this comment. I suggest, "The CA SHALL provide Subscribers, Relying Parties, Application Software Suppliers, and other third parties with clear instructions for submitting Certificate Problem Reports," as the last half of the existing sentence simply restates the definition of that defined term.
Member
Author
There was a problem hiding this comment.
Suggested change
Makes sense to me @richardwsmith. I've adapted this to the above |
||||||
|
|
||||||
| Within twenty-four (24) hours after receiving a Certificate Problem Report, the CA SHALL investigate the facts and circumstances related to the report and determine if it's "actionable." | ||||||
|
|
||||||
| A Certificate Problem Report is considered actionable if it includes: | ||||||
| 1. at least one valid identifier for a time-valid and unrevoked Certificate issued by the CA. The CA MUST support the use of a serial number and SHOULD support the use of a SHA-256 fingerprint of the Certificate and/or Precertificate as an identifier; and" | ||||||
| 2. information about either: | ||||||
| - how the Certificate(s) in question violates these Requirements or a CA's own policies; or | ||||||
| - a reason for Certificate revocation (e.g., a demonstration of Key Compromise, or a Subscriber request aligned with [Section 4.9.1](#491-circumstances-for-revocation)). | ||||||
|
|
||||||
| A CA MAY take measures to prevent submission of non-actionable Certificate Problem Reports (e.g., input control validation on a form used to collect Certificate Problem Reports), but MUST be able to receive actionable Certificate Problem Reports. | ||||||
|
|
||||||
|
There was a problem hiding this comment. Add: "In the event the CA receives a report which does NOT meet the above definition of "actionable," and if the reporting party has provided contact details, within 24 hours the CA SHALL respond to the reporting party informing them that the report submitted is not actionable and furnish the reporting party with the above definition of "actionable."
Member
Author
There was a problem hiding this comment. The following language is already added: "Within twenty four (24) hours after determining a Certificate Problem Report is not actionable, the CA MUST provide a report on its findings to the entity who filed the Certificate Problem Report if contact details have been provided and request the information necessary to satisfy the above requirements of an actionable Certificate Problem Report." Does this not clear the same concerns? |
||||||
| Within twenty-four (24) hours after determining a Certificate Problem Report is actionable: | ||||||
|
There was a problem hiding this comment. I suggest, "Within 24 hours of receiving an actionable Certificate Problem Report:"
Member
Author
There was a problem hiding this comment. I'd prefer to keep the proposed language. An initial email may not be actionable, but a followup email from the same reporter in the same report/case, may make an existing report actionable. The current language avoids any ambiguity of when it became actionable, and what its timeline is. There was a problem hiding this comment. It's the "determining" that makes this ambiguous. It presumes you know my thoughts. How long does it take me to make that determination? You can't say because you don't know what my logic process is and you can't read my mind. The definition above this however lays out very clearly what constitutes "actionable" so keying on the reception of an "actionable" report based on the timestamp of that report removes all ambiguity. If the initial report doesn't meet the definition, it doesn't start the clock ticking, but the clock should start ticking when an actionable report is received based on the definition, not my determination of it. There was a problem hiding this comment. FWIW, I agree with richard that there is ambiguity. |
||||||
| 1. The CA SHALL provide a report on its findings to the entity who filed the Certificate Problem Report, if contact details have been provided. | ||||||
XolphinMartijn marked this conversation as resolved.
Show resolved
Hide resolved
|
||||||
| 2. The CA SHOULD provide a report on its findings to applicable Subscriber(s). | ||||||
| 3. If the CA determines the Certificate Problem Report requires an action of revocation for the Certificate(s) specified within, the CA SHOULD work with the applicable Subscriber to determine the date and time which the CA will revoke the Certificate. The period from the time the Certificate Problem Report was determined actionable to published revocation MUST NOT exceed the time frame set forth in [Section 4.9.1.1](#4911-reasons-for-revoking-a-subscriber-certificate). | ||||||
|
There was a problem hiding this comment. Based on my comments above, I would rephrase this, "The period from the time an actionable Certificate Problem Report was received to published revocation MUST NOT exceed the time frame set forth in Section 4.9.1.1." |
||||||
|
|
||||||
| Within one hundred twenty (120) hours after determining a Certificate Problem Report is actionable, the CA MUST evaluate all time-valid and unrevoked Certificates issued by the CA to detect additional instances of the non-compliance described in the report. The period from the time the additional affected Certificates were first identified to published revocation MUST NOT exceed the time frame set forth in [Section 4.9.1.1](#4911-reasons-for-revoking-a-subscriber-certificate). | ||||||
|
There was a problem hiding this comment. Similar to above, change to "...after receiving an actionable Certificate Problem Report," |
||||||
|
|
||||||
| Within twenty four (24) hours after determining a Certificate Problem Report is not actionable, the CA MUST provide a report on its findings to the entity who filed the Certificate Problem Report if contact details have been provided and request the information necessary to satisfy the above requirements of an actionable Certificate Problem Report. | ||||||
|
There was a problem hiding this comment. If you move this up directly below the definition of actionable the logic follows more closely and the times become based on when the actionable report is received rather than when the CA "determines" the report is actionable. "Determines" is hand-wavy and prone to possible abuse. |
||||||
|
|
||||||
| **Note**: If a non-actionable Certificate Problem Report is later amended by the reporter to satisfy the requirements of an actionable report described above, the time of receipt of the requested missing information is the basis for subsequent revocation timelines, if determined necessary. | ||||||
XolphinMartijn marked this conversation as resolved.
Show resolved
Hide resolved
|
||||||
|
|
||||||
| ### 4.9.4 Revocation request grace period | ||||||
|
|
||||||
| No stipulation. | ||||||
|
|
||||||
| ### 4.9.5 Time within which CA must process the revocation request | ||||||
XolphinMartijn marked this conversation as resolved.
Show resolved
Hide resolved
|
||||||
|
|
||||||
| Prior to 2026-09-15, for Section 4.9.5 of these Requirements, the CA SHALL adhere to these Requirements or Version 2.2.5 of the Baseline Requirements for TLS Server Certificates. Effective 2026-09-15, the CA SHALL adhere to these Requirements. | ||||||
|
|
||||||
| The period between receipt of a revocation request from the Subscriber and published revocation MUST NOT exceed the time frame set forth in [Section 4.9.1.1](#4911-reasons-for-revoking-a-subscriber-certificate). If the request is not authenticated upon receipt, the CA SHALL within 24 hours of receipt work with the requester to authenticate the request, and the period listed above will be measured from the time of authentication. | ||||||
|
|
||||||
| The period between the determination that a Certificate Problem Report is actionable and published revocation MUST NOT exceed the time frame set forth in [Section 4.9.1.1](#4911-reasons-for-revoking-a-subscriber-certificate). | ||||||
|
|
||||||
| The date selected by the CA SHOULD consider the following criteria: | ||||||
|
|
||||||
| 1. The nature of the alleged problem (scope, context, severity, magnitude, risk of harm); | ||||||
| 2. The consequences of revocation (direct and collateral impacts to Subscribers and Relying Parties); | ||||||
|
|
@@ -1643,10 +1677,9 @@ CAs issuing CA Certificates: | |||||
| 1. MUST update and publish a new CRL at least every twelve (12) months; | ||||||
| 2. MUST update and publish a new CRL within twenty-four (24) hours after recording a Certificate as revoked. | ||||||
|
|
||||||
| Issuing CAs MUST continue issuing CRLs until one of the following is true: | ||||||
| - all CA Certificates containing the same Subject Public Key are expired or revoked; OR | ||||||
| - the Private Key for the Issuing CA has been destroyed. | ||||||
|
|
||||||
| ### 4.9.8 Maximum latency for CRLs (if applicable) | ||||||
|
|
||||||
|
|
@@ -1698,6 +1731,8 @@ No Stipulation. | |||||
|
|
||||||
| See [Section 4.9.1](#491-circumstances-for-revocation). | ||||||
|
|
||||||
| Effective 2026-09-15, the CA's Certificate Policy or Certification Practice Statement MUST describe the circumstances that necessitate the CA to (1) reject subsequent certificate requests containing a known compromised public key and (2) perform a cascading revocation of all time-valid certificates containing the same compromised public key when the revocation reason of a revocation is "Key Compromise", | ||||||
|
Member
There was a problem hiding this comment. If the intent of using "time-valid" is to require updating the revocation reason for certificates that were previously revoked for any other reason, then section 7.2.2 should be updated to change the SHOULD to a MUST for updating the reason code to If that's not the intent, then I agree with @aww-aww that "active" is better here. |
||||||
|
|
||||||
| ### 4.9.13 Circumstances for suspension | ||||||
|
|
||||||
| The Repository MUST NOT include entries that indicate that a Certificate is suspended. | ||||||
|
|
||||||
Uh oh!
There was an error while loading. Please reload this page.