
Malware based revocation proposal #10

Clarifications
XolphinMartijn committed Nov 28, 2022
commit 8e7e3b4e57960994edea267f0e753358aad99574
8 changes: 4 additions & 4 deletions docs/CSBR.md
Expand Up @@ -505,14 +505,14 @@ The CA MUST revoke a Code Signing Certificate within one (1) business day if the

#### 4.9.1.3 Revocation Based on Reported or Detected Compromise or Use in Suspect Code

Except for cases that fall under Section 4.9.1.1, if, while investigating a problem report, the CA determines the Subscriber's Private Key is likely compromised or being used for Suspect Code, the CA SHALL revoke the corresponding Code Signing Certificate in accordance with and within the following maximum time frames. Nothing herein prohibits a CA from revoking a Code Signing Certificate prior to these time frames.
Except for cases that fall under Section 4.9.1.1, if, while investigating a problem report, the CA determines the Subscriber's Private Key is compromised or likely being used for Suspect Code, the CA SHALL revoke the corresponding Code Signing Certificate in accordance with and within the following maximum time frames. Nothing herein prohibits a CA from revoking a Code Signing Certificate prior to these time frames.

1. The CA MUST contact the Subscriber within 24 hours after the CA received the initial problem report or discovered the incident.
2. The CA MUST request the Subscriber send an acknowledgement to the CA within 72 hours of receipt of the request.
1. The CA MUST contact the Subscriber within 24 hours after the CA received the Certificate Problem Report and request acknowledgement of receipt.
2. The CA MUST request the Subscriber to respond with an acknowledgement to the CA within 72 hours of the CA sending the request.
a. If the Subscriber responds within 72 hours, the CA and Subscriber MAY determine a "reasonable date" to revoke the certificate. The revocation date MUST NOT be more than 7 calendar days after the incident was discovered.
b. If CA does not receive a response, then the CA MUST revoke the certificate within 24 hours from the end of the response period.

A CA revoking a Certificate because the Certificate was associated with signed Suspect Code or other fraudulent or illegal conduct SHOULD provide all relevant information and risk indicators to other CAs, Application Software Suppliers, or industry groups. The CA SHOULD contact the Application Software Suppliers within 24 hours after the CA received the initial problem report or discovered the incident.
A CA revoking a Certificate because the Certificate was associated with signed Suspect Code or other fraudulent or illegal conduct SHOULD provide all relevant information and risk indicators to other CAs, Application Software Suppliers, or industry groups. The CA SHOULD contact the Application Software Suppliers within 24 hours after the CA received the Certificate Problem Report.

#### 4.9.1.4 Revocation of a Subordinate CA Certificate

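Review bot: Steps 1 and 2 now start their clocks at receipt of the Certificate Problem Report, but sub-step 2.a still caps the revocation date at "7 calendar days after the incident was discovered", so the section mixes two different clock starts; since the intro sentence already scopes this section to "while investigating a problem report", align 2.a to "after the CA received the Certificate Problem Report" (or state explicitly which event starts the 7-day cap when the CA discovers the incident on its own). Two smaller points: the intro sentence moves "likely" from "compromised" to "being used for Suspect Code", which changes the certainty threshold for key compromise in a section that defers to 4.9.1.1 for those cases, so confirm that shift is intended rather than a word-order slip; and "Certificate Problem Report" is used as a capitalised term here and in the Application Software Suppliers paragraph, so make sure it is defined in the definitions section.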