Ballot SC006: Revocation Timeline Extension

Ballot overview

• Ballot SC006, Revocation Timeline Extension, was proposed as a Final Maintenance Guideline for the Baseline Requirements.
• The ballot passed.
• Voting by CAs: 23 yes votes, 0 no votes, 0 abstentions.
• Voting by browsers: 5 yes votes, 0 no votes, 0 abstentions.
• The page states quorum was met and the approval requirements were met for both CAs and browsers.

Main changes

• Revises the definition of Key Compromise to mean a private key is compromised if its value has been disclosed to an unauthorized person or an unauthorized person has had access to it.
• Rewrites Section 4.9.1.1 to create a tiered revocation timeline for subscriber certificates.
• Requires revocation within 24 hours for certain cases, including:
  • Subscriber requests revocation in writing
  • Subscriber says the original certificate request was not authorized and does not retroactively grant authorization
  • Evidence of subscriber private key compromise
  • Evidence that validation of domain authorization or control for a FQDN or IP address in the certificate should not be relied upon
• For other listed cases, the CA should revoke within 24 hours and must revoke within 5 days.
• Revises Section 4.9.1.2 so subordinate CA certificates must be revoked within 7 days for listed causes.
• Requires CAs to provide a process for subscribers to request revocation of their own certificates and to maintain a continuous 24x7 ability to accept and respond to revocation requests and certificate problem reports.
• Requires public disclosure of instructions for reporting suspected private key compromise, certificate misuse, fraud, compromise, misuse, inappropriate conduct, or other certificate-related matters, including in CPS section 1.5.2.
• Requires the CA, within 24 hours after receiving a certificate problem report, to investigate and provide a preliminary report to both the subscriber and the reporting entity.
• Requires the CA to work with the subscriber and reporter to establish whether the certificate will be revoked and, if so, the revocation date.
• States that the time from receipt of the problem report or revocation-related notice to published revocation must not exceed the time frame in Section 4.9.1.1.

Dates

• Discussion period: 2018-08-31 20:00 UTC to 2018-09-07 20:00 UTC
• Voting period: 2018-09-07 20:00 UTC to 2018-09-14 20:00 UTC
• The ballot page does not state an IPR end date.
• The ballot page does not state a separate effective date.
• The ballot text includes revocation timelines of 24 hours, 5 days, and 7 days for the applicable certificate types and conditions.

Outcome

• The ballot passed and became normative based on the evidence provided.