Draft Ballot SC-XX: Improve Certificate Problem Reports and Clarify the Meaning of Revocation #622
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change | ||||
|---|---|---|---|---|---|---|
|
|
@@ -502,6 +502,10 @@ The script outputs: | |||||
|
|
||||||
| [https://www.iana.org/assignments/iana-ipv6-special-registry/iana-ipv6-special-registry.xhtml](https://www.iana.org/assignments/iana-ipv6-special-registry/iana-ipv6-special-registry.xhtml) | ||||||
|
|
||||||
| **Revoked**: Effective 2026-05-15, a certificate is considered revoked if: | ||||||
| - if the certificate contains a CRL Distribution Point URI, a CRL containing the certificate serial number is available for consumption by Relying Parties at that URI; and | ||||||
XolphinMartijn marked this conversation as resolved.
Outdated
Show resolved
Hide resolved
|
||||||
| - if the certificate contains an Authority Information Access OCSP URI, an OCSP request to that URI for the certificate serial number results in a response with a `certStatus` value of `revoked`. | ||||||
XolphinMartijn marked this conversation as resolved.
Outdated
Show resolved
Hide resolved
|
||||||
|
|
||||||
| **Root CA**: The top level Certification Authority whose Root Certificate is distributed by Application Software Suppliers and that issues Subordinate CA Certificates. | ||||||
|
|
||||||
| **Root Certificate**: The self-signed Certificate issued by the Root CA to identify itself and to facilitate verification of Certificates issued to its Subordinate CAs. | ||||||
|
|
@@ -1532,18 +1536,48 @@ The Subscriber, RA, or Issuing CA can initiate revocation. Additionally, Subscri | |||||
|
|
||||||
| ### 4.9.3 Procedure for revocation request | ||||||
XolphinMartijn marked this conversation as resolved.
Show resolved
Hide resolved
|
||||||
|
|
||||||
| Prior to 2026-05-15, for Section 4.9.3 of these Requirements, the CA SHALL adhere to these Requirements or Version 2.1.7 of the Baseline Requirements for TLS Server Certificates. Effective 2026-05-15, the CA SHALL adhere to these Requirements. | ||||||
XolphinMartijn marked this conversation as resolved.
Outdated
Show resolved
Hide resolved
XolphinMartijn marked this conversation as resolved.
Outdated
Show resolved
Hide resolved
|
||||||
|
|
||||||
| The CA's Certificate Policy or Certification Practice Statement MUST describe a process for Subscribers to request revocation of their own Certificates. | ||||||
|
|
||||||
| The CA SHALL maintain a continuous 24x7 ability to accept and respond to revocation requests. | ||||||
|
There was a problem hiding this comment. As discussed at the Houston F2F, the 24x7 availability is used in a number of places, but it is not realistic for every CA to have 100% up-time. Should we shift to something like "The CA SHALL maintain a reliable option (>99.9%) to accept and respond to revocation requests." Enforcement would be challenging, but that would only be an issue in really egregious cases which can be addressed via the incident process. There was a problem hiding this comment. I agree that "continuous 24x7" is an impossible standard. However, replacing it with a specific percentage still conflates system uptime with procedural response. I think we should first fix that structural issue by separating the two concepts, and I propose the following change: The separate and more complex topic of defining a specific uptime percentage deserves a full discussion in a self-contained ballot. I believe we should not let that larger debate hold up this important structural improvement. |
||||||
|
|
||||||
| The CA SHALL provide Subscribers, Relying Parties, Application Software Suppliers, and other third parties with clear instructions for reporting suspected Private Key Compromise, Certificate misuse, or other types of fraud, compromise, misuse, inappropriate conduct, or any other matter related to Certificates. The CA SHALL publicly disclose the instructions in Section 1.5.2 of their CPS and SHOULD additionally disclose the instructions through readily accessible online means (e.g. a KB article, dedicated webpage, FAQ). | ||||||
|
There was a problem hiding this comment. I suggest, "The CA SHALL provide Subscribers, Relying Parties, Application Software Suppliers, and other third parties with clear instructions for submitting Certificate Problem Reports," as the last half of the existing sentence simply restates the definition of that defined term.
Member
Author
There was a problem hiding this comment.
Suggested change
Makes sense to me @richardwsmith. I've adapted this to the above |
||||||
|
|
||||||
| Within twenty four (24) hours after receiving a Certificate Problem Report, the CA SHALL investigate the facts and circumstances related to the report and determine if it's "actionable." | ||||||
XolphinMartijn marked this conversation as resolved.
Outdated
Show resolved
Hide resolved
|
||||||
|
|
||||||
| A Certificate Problem Report is considered actionable if it includes: | ||||||
| 1. at least one serial number or hash of a time-valid and unrevoked Certificate issued by the CA; and | ||||||
XolphinMartijn marked this conversation as resolved.
Outdated
Show resolved
Hide resolved
XolphinMartijn marked this conversation as resolved.
Outdated
Show resolved
Hide resolved
|
||||||
| 2. a description of either: | ||||||
XolphinMartijn marked this conversation as resolved.
Outdated
Show resolved
Hide resolved
|
||||||
| - how the Certificate(s) in question violates these Requirements or a CA's own policies; or | ||||||
| - a reason for Certificate revocation (e.g., a demonstration of Key Compromise, or a Subscriber request aligned with [Section 4.9.1](#491-circumstances-for-revocation)). | ||||||
|
|
||||||
| A CA MAY take measures to prevent submission of non-actionable Certificate Problem Reports (e.g., input control validation on a form used to collect Certificate Problem Reports), but MUST be able to receive actionable Certificate Problem Reports. | ||||||
|
|
||||||
|
There was a problem hiding this comment. Add: "In the event the CA receives a report which does NOT meet the above definition of "actionable," and if the reporting party has provided contact details, within 24 hours the CA SHALL respond to the reporting party informing them that the report submitted is not actionable and furnish the reporting party with the above definition of "actionable."
Member
Author
There was a problem hiding this comment. The following language is already added: "Within twenty four (24) hours after determining a Certificate Problem Report is not actionable, the CA MUST provide a report on its findings to the entity who filed the Certificate Problem Report if contact details have been provided and request the information necessary to satisfy the above requirements of an actionable Certificate Problem Report." Does this not clear the same concerns? |
||||||
| Within twenty four (24) hours after determining a Certificate Problem Report is actionable: | ||||||
XolphinMartijn marked this conversation as resolved.
Outdated
Show resolved
Hide resolved
|
||||||
| 1. The CA SHALL provide a report on its findings to the entity who filed the Certificate Problem Report, if contact details have been provided. | ||||||
XolphinMartijn marked this conversation as resolved.
Show resolved
Hide resolved
|
||||||
| 2. The CA SHOULD provide a report on its findings to applicable Subscriber(s). | ||||||
| 3. If the CA determines the Certificate Problem Report requires an action of revocation for the Certificate(s) specified within, the CA SHOULD work with the applicable Subscriber to determine the date and time which the CA will revoke the Certificate. The period from the time the Certificate Problem Report was determined actionable to published revocation MUST NOT exceed the time frame set forth in [Section 4.9.1.1](#4911-reasons-for-revoking-a-subscriber-certificate). | ||||||
|
There was a problem hiding this comment. Based on my comments above, I would rephrase this, "The period from the time an actionable Certificate Problem Report was received to published revocation MUST NOT exceed the time frame set forth in Section 4.9.1.1." |
||||||
|
|
||||||
| Within one hundred and twenty (120) hours after determining a Certificate Problem Report is actionable, the CA MUST evaluate all time-valid and unrevoked Certificates issued by the CA to detect additional instances of the non-compliance described in the report. The period from the time the additional affected Certificates were first identified to published revocation MUST NOT exceed the time frame set forth in [Section 4.9.1.1](#4911-reasons-for-revoking-a-subscriber-certificate). | ||||||
XolphinMartijn marked this conversation as resolved.
Outdated
Show resolved
Hide resolved
|
||||||
|
|
||||||
| Within twenty four (24) hours after determining a Certificate Problem Report is not actionable, the CA MUST provide a report on its findings to the entity who filed the Certificate Problem Report and request the information necessary to satisfy the above requirements of an actionable Certificate Problem Report. | ||||||
XolphinMartijn marked this conversation as resolved.
Outdated
Show resolved
Hide resolved
|
||||||
|
|
||||||
| **Note**: If a non-actionable Certificate Problem Report is later amended by the reporter to satisfy the requirements of an actionable report described above, the time of receipt of the requested missing information is the basis for subsequent revocation timelines, if determined necessary. | ||||||
XolphinMartijn marked this conversation as resolved.
Show resolved
Hide resolved
|
||||||
|
|
||||||
| ### 4.9.4 Revocation request grace period | ||||||
|
|
||||||
| No stipulation. | ||||||
|
|
||||||
| ### 4.9.5 Time within which CA must process the revocation request | ||||||
XolphinMartijn marked this conversation as resolved.
Show resolved
Hide resolved
|
||||||
|
|
||||||
| Prior to 2026-05-15, for Section 4.9.5 of these Requirements, the CA SHALL adhere to these Requirements or Version 2.1.7 of the Baseline Requirements for TLS Server Certificates. Effective 2026-05-15, the CA SHALL adhere to these Requirements. | ||||||
XolphinMartijn marked this conversation as resolved.
Outdated
Show resolved
Hide resolved
XolphinMartijn marked this conversation as resolved.
Outdated
Show resolved
Hide resolved
|
||||||
|
|
||||||
| The period from the time from receipt of a revocation request by the Subscriber to published revocation MUST NOT exceed the time frame set forth in [Section 4.9.1.1](#4911-reasons-for-revoking-a-subscriber-certificate). | ||||||
XolphinMartijn marked this conversation as resolved.
Outdated
Show resolved
Hide resolved
|
||||||
|
|
||||||
| The period from the time from determining a Certificate Problem Report is actionable to published revocation MUST NOT exceed the time frame set forth in [Section 4.9.1.1](#4911-reasons-for-revoking-a-subscriber-certificate). | ||||||
XolphinMartijn marked this conversation as resolved.
Outdated
Show resolved
Hide resolved
|
||||||
|
|
||||||
| The date selected by the CA SHOULD consider the following criteria: | ||||||
|
|
||||||
| 1. The nature of the alleged problem (scope, context, severity, magnitude, risk of harm); | ||||||
| 2. The consequences of revocation (direct and collateral impacts to Subscribers and Relying Parties); | ||||||
|
|
@@ -1575,10 +1609,9 @@ CAs issuing CA Certificates: | |||||
| 1. MUST update and publish a new CRL at least every twelve (12) months; | ||||||
| 2. MUST update and publish a new CRL within twenty-four (24) hours after recording a Certificate as revoked. | ||||||
|
|
||||||
| Issuing CAs MUST continue issuing CRLs until one of the following is true: | ||||||
| - all CA Certificates containing the same Subject Public Key are expired or revoked; OR | ||||||
| - the Private Key for the Issuing CA has been destroyed. | ||||||
|
|
||||||
| ### 4.9.8 Maximum latency for CRLs (if applicable) | ||||||
|
|
||||||
|
|
@@ -1630,6 +1663,8 @@ No Stipulation. | |||||
|
|
||||||
| See [Section 4.9.1](#491-circumstances-for-revocation). | ||||||
|
|
||||||
| Effective 2026-05-15, the CA's Certificate Policy or Certification Practice Statement MUST describe the circumstances that necessitate the CA to (1) reject subsequent certificate requests containing the same public key and (2) perform a cascading revocation of all time-valid certificates containing the same public key when the revocation reason of a revocation is "Key Compromise", | ||||||
|
|
||||||
| ### 4.9.13 Circumstances for suspension | ||||||
|
|
||||||
| The Repository MUST NOT include entries that indicate that a Certificate is suspended. | ||||||
|
|
||||||
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Uh oh!
There was an error while loading. Please reload this page.