
Malware based revocation proposal #10

Replace believe and aware for clearer requirements
XolphinMartijn committed Sep 22, 2022
commit 90fa38ab4dc5e5f9b25fce844b750d693f7256b7
6 changes: 3 additions & 3 deletions docs/CSBR.md
@@ -505,14 +505,14 @@ The CA MUST revoke a Code Signing Certificate within one (1) business day if the

#### 4.9.1.3 Revocation Based on Reported or Detected Compromise or Use in Suspect Code

Except for cases that fall under Section 4.9.1.1, all incidents that lead the CA to believe that the Subscriber's Private Key is compromised or is being used for Suspect Code, CAs SHALL revoke the corresponding Code Signing Certificate in accordance with and within the following maximum time frames. Nothing herein prohibits a CA from revoking a Code Signing Certificate prior to these time frames.
Except for cases that fall under Section 4.9.1.1, if, while investigating a problem report, the CA determines the Subscriber's Private Key is likely compromised or being used for Suspect Code, the CA SHALL revoke the corresponding Code Signing Certificate in accordance with and within the following maximum time frames. Nothing herein prohibits a CA from revoking a Code Signing Certificate prior to these time frames.

1. The CA MUST contact the Subscriber within 24 hours after the CA is made aware of the incident.
1. The CA MUST contact the Subscriber within 24 hours after the CA received the initial problem report.
2. The CA MUST request the Subscriber send an acknowledgement to the CA within 72 hours of receipt of the request.
a. If the Subscriber responds within 72 hours, the CA and Subscriber MAY determine a "reasonable date" to revoke the certificate. The revocation date MUST NOT be more than 7 calendar days after the incident was discovered.
b. If CA does not receive a response, then the CA MUST revoke the certificate within 24 hours from the end of the response period.

A CA revoking a Certificate because the Certificate was associated with signed Suspect Code or other fraudulent or illegal conduct SHOULD provide all relevant information and risk indicators to other CAs or industry groups. The CA SHOULD indicate whether its investigation found that the Suspect Code was a false positive or an inadvertent signing. The CA SHOULD contact the Application Software Suppliers within 24 hours after the CA is made aware of an incident involving use in Suspect Code.
A CA revoking a Certificate because the Certificate was associated with signed Suspect Code or other fraudulent or illegal conduct SHOULD provide all relevant information and risk indicators to other CAs, Application Software Suppliers, or industry groups. The CA SHOULD contact the Application Software Suppliers within 24 hours after the CA received the initial problem report.

#### 4.9.1.4 Revocation of a Subordinate CA Certificate

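Review bot: The new trigger wording in the opening paragraph of 4.9.1.3 ("if, while investigating a problem report, the CA determines ...") and the new clock start in item 1 ("after the CA received the initial problem report") cover only the reported case, while the section heading still reads "Reported or Detected Compromise"; a compromise the CA detects on its own (for example, by finding Suspect Code signed under one of its certificates) no longer has a defined trigger or a defined start for the 24-hour contact deadline. Consider "after the CA received the initial problem report or otherwise detected the incident" in item 1, and a matching "or otherwise detects" in the opening sentence. Two smaller points in the same hunk: item 2.a still says "7 calendar days after the incident was discovered", which reintroduces the ambiguity this commit is removing elsewhere and should be tied to the same event as item 1; and the revised paragraph at the end drops the sentence "The CA SHOULD indicate whether its investigation found that the Suspect Code was a false positive or an inadvertent signing", which is a substantive change to what CAs share with other CAs and Application Software Suppliers and is not mentioned in the commit message. If that removal is intended, the commit message should say so; otherwise the sentence should be restored.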