On Wed, May 13, 2015 at 4:22 PM, Randy Bush <[email protected]> wrote:

> >>> "ACME certificate management must provide automated methods for
> >>> revocation parallel to those used to request a certificate"?
> >>
> >> what the heck does "parallel" mean? does it include means to revoke a
> >> cert for which i have lost the private key and want to use an entirely
> >> different proof of ownership/control?
> >
> > To me it means if you prove control of a domain in order to request a
> > cert by methods 1, 2, or 3, then you can request revocation if you can
> > prove control by the same set of methods.
>
> and what if i can prove control by method 42?
>
So, the point I'm getting at is that the system ought to provide an automated way to request revocation if the requester can meet the same bar as it would take to request or renew a certificate. If 42 is one of the ways to meet that bar, well and good. If 42 is not one of the ways to meet the original bar, then putting effort into automating revocation on that basis seems off to me. I'm not particularly interested in automating revocation on the basis that someone has a court order, for example, even if that would be a method to prove you are an authorized party. Sure, you can hand the CA a court order, but they should look at it careful like, not automate the revocation.

> > I do not think it means that you have to pick the same one from the
> > set, but it is something for the working group to discuss.
>
> which is one of the reasons russ's phrasing was so good; it left it for
> the wg to discuss and did not overly constrain the space.
>
> > I think I want a wee bit more constraining here than you do.
> >
> > Is there language you like better for that?
>
> yes, russ's
>
> randy, who has had his say
>

I'm hardly going to fall on a sword over this, but I wanted to explain why I see the issue as worth discussing now.

Ted
_______________________________________________
Acme mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/acme
