Bug 1887888 Comment 7 Edit History
My understanding was that a delayed revocation incident was to include per-subscriber detail as to specifically why each subscriber could not (rather than “would rather not”) have their certificates revoked on the appropriate timeline. Is that not the case? I don’t see such detail here. It took almost two months for the last of these certificates to be revoked. Were those subscribers prioritizing the work? Weekend shifts or paying for overtime? Would they have been out of service for *eight weeks* if their private key had been compromised and OneCRL had blocked the certificates?
More generally, I feel that if a CA is going to be “unable” to revoke certificates appropriately because they are in certain industries, then the CA should not be issuing certificates to subscribers in those industries. If they cannot operate within the bounds of WebPKI’s requirements, then they should look outside WebPKI for their authentication needs.
Questions for Hongkong Post CA:
- when certificates were issued to these subscribers, was Hongkong Post CA aware of the BR requirement that misissued certificates needed to be revoked within 24 hours (limit 5 days)?
- when certificates were issued to these subscribers, was Hongkong Post CA aware that these subscribers were planning to deploy those certificates to services for which operational disruption could lead to “substantial cumulative impacts on the sustainable delivery of critical e-services by our government subscribers”?
- if the answers to those questions are “yes”, then why did Hongkong Post CA issue the certificates without assurances that the subscribers would be able to appropriately react to the specified timeline for revocation?
- what does Hongkong Post CA communicate to prospective subscribers about the revocation requirements that Hongkong Post CA has agreed to uphold?
- what steps is Hongkong Post CA taking to ensure that no further certificates are issued (including renewal) to subscribers whose limitations would lead Hongkong Post CA to delay revocation in any circumstance in the future?
The root cause section says
> In response to this certificate problem, our top priority is to promptly reach out to our major customers, followed by the other affected customers, to discuss the potential impact on their websites and online services.
which I think is worrying. A CA’s top priority, upon discovering that they have misissued certificates, should be to ensure that those certificates are revoked promptly to undo the damage (large or small) that said certs do to WebPKI’s integrity.