Ballot SC-089: Mass Revocation Planning

Ballot SC-089 proposes requiring all CAs to create, maintain, and test a Mass Revocation Plan, aligning with Mozilla's Root Program. CAs must state in their CPS that such a plan exists by December 1, 2025.

Ballot SC-089: Mass Revocation Planning, currently under discussion in the CA/Browser Forum, proposes adding a new section to the TLS Baseline Requirements that would require Certification Authorities (CAs) to create, maintain, and annually test a Mass Revocation Plan. This aligns with existing Mozilla Root Program requirements and sets minimum standards for the plan, such as activation triggers, defined responsibilities, communication strategies, and continuous improvement based on test results. CAs must state in their CPS that such a plan exists by December 1, 2025. The ballot was proposed by Mozilla and supported by D-Trust and OISTE, both CA members of the Forum.

 

Current Status: Discussion Period Ongoing  

 

What’s Being Proposed 

The current Baseline Requirements (Version 2.1.5), section 5.7.1, already require CAs to have an Incident Response Plan and a Disaster Recovery Plan.

The ballot introduces a new section 5.7.1.2 – Mass Revocation Plans, requiring CAs to prepare in advance for large-scale certificate revocation events (for example, a CA key compromise, a misissuance affecting many certificates, or a root program requirement to revoke a class of certificates).

 

CAs must:

  • Develop and maintain a mass revocation plan.
  • State in their CPS that the plan exists and complies with the requirements, as of December 1, 2025.
  • Test the plan at least yearly and improve it based on lessons learned.
  • Share the plan with auditors on request (public disclosure is not required).
  • The plan may be folded into existing incident response or disaster recovery plans, but the mass revocation procedures must be clearly identifiable within them.

Mass revocation provisions MUST include:

  1. Activation criteria (the triggers that put the plan into effect)
  2. Customer contact information
  3. Automation points (which steps are automated and how they are invoked)
  4. Targets and timelines for completing revocation
  5. Subscriber notification methods
  6. Role assignments
  7. Training and education
  8. Plan testing
  9. Post-test analysis and an update schedule

 

TuringSign's CertifyID TLS Manager features a Certificate Revocation Scheduling Tool that helps you stay in control:

  • Schedule revocations in advance by setting the exact date and time.
  • Keep your subscribers informed with automatic revocation notifications.
  • Enhance transparency by displaying the revocation schedule directly on the order detail page.
  • Easily cancel scheduled revocations if plans change.

Smart, secure, and subscriber-friendly: simplify your certificate lifecycle management today.

 
