(In reply to Ryan Sleevi from comment #9)
Jonathan: One last question:
The discussion of "holiday freezes" (or stable periods) is one that has been a frequent topic in the CA community over the past several years. Going forward, there's clear expectations that CAs will take steps to minimize the risk to missed revocation due to these - for example, by improving the tooling, training, and expectations for Subscribers, such that certificate rotation - even in such periods - can be accomplished in a timely fashion.
The expectation is that a CA MUST be able to revoke a certificate during such periods. Ideally, CAs minimize this risk through rigid adherance to the BRs, such as pre-issuance linting, careful reviews of all policy changes, a limmited number of certificate profiles (thus reducing variability and risk), not performing manual operator-approved issuance (e.g. favoring automation), etc.
In such past discussions, steps CAs can take have included highlighting the contractual expectations of the Subscriber Agreement (which is required to disclose the obligation of the CA to revoke) and working to help such customers implement automated solutions that can minimize risk.
What steps has CFCA taken, or is planning, to ensure that future misissuance can still be responded to timely, even if it needs to be replaced during a Stable period?
The definitions of “Holiday Freezes” and “Stable Periods” is actually not same case in China.
Generally, "Holiday Freezes" means that certificate customer want to keep their own system stable, in holiday they may not have enough engineer or resources to handle the system change or deal with the following work load or mistake that may happen. In this case, If CAs like us can improve service for example like "Operation Free - exchange certificate with one click", or even send an engineer (or online service) to customer to ensure 100% problem free, then it's possible to break "Holiday Freezes". What CFCA can provide now is holiday on-site or on-line service, we do have many maintenance engineers at work on holidays to handle related situations. Still it depends on customers’ arrangement.
On the other side “Stable Periods” means the national administration order directly to our customer which is mandatory to all important departments and enterprises(including banks, government departments, electricity, energy source and so on), normally, even we can provide service like "Operation Free - exchange certificate with one click" they still will refuse the suggestion because of the “Stable Periods”.
However, if the certificate is so “wrong” to "damage" real browser user, for example potential risk of fraud or hacking, we will revoke the certificate regardless of "stable period".
(As stated above, only some kind of company like banks or government departments etc. have this “Stable Periods”, normal company only have “Holiday Freezes”, which is possible to negotiate).
As we stated in the case with the Standard Charter Bank, the certificate is used on an internal server to server connection that not even relate to browser nor the public, we understand that if that certificate is placed on a website for public, or even used on internal employee proxy or cases like that, we will revoke the certificate.
In the end, CFCA will keep trying to negotiate with the government agency about the risk of “replacing a certificate” is acceptable during the “Stable Periods” but it's not likely to success in the near future.