On Wed, May 13, 2015 at 7:36 PM, Ted Hardie <[email protected]> wrote:
> On Wed, May 13, 2015 at 4:22 PM, Randy Bush <[email protected]> wrote: > >> >>> "ACME certificate management must provide automated methods for >> >>> revocation parallel to those use to request a certificate"? >> >> >> >> what the heck does "parallel" mean? does it include means to revoke a >> >> cert for which i have lost the private key and want to use an entirely >> >> different proof of ownership/control? >> > >> > To me it means if you prove control of a domain in order to request a >> > cert by methods 1, 2, or 3, then you can request revocation if you can >> > prove control by the same set of methods. >> >> and what if i can prove control by method 42? >> > > So, the point I'm getting at is that the system ought to provide > an automated way to request revocation if the requester can meet > the same bar as it would take to request or renew a certificate. If 42 > is one of the ways to meet that bar, well and good. If 42 is not one > of the ways to meet the original bar, then putting effort to automating > revocation on that basis seems off to me. I'm not particularly interested > in automating revocation on the basis that someone has a court order, > for example, even if that would be a method to prove you are an authorized > party. Sure, you can hand the CA a court order, but they should look > at it careful like, not automate the revocation. > The length of this paragraph is why I liked Russ's first revision ("allow an authorized party to request revocation"). Ultimately, the CA is going to have some policy about who it allows to revoke. The protocol needs to provide authentication of the requestor to support that policy decision, but beyond that, the policy is up to the CA. --Richard > > >> > I do not think it means that you have to pick the same one from the >> > set, but it is something for the working group to discuss. >> >> which is one of the reasons russ's phrasing was so good; it left it for >> the wg to discuss and did not overly constrain the space. >> >> > I think I want a wee bit more constraining here than you do. > > >> > Is there language you like better for that? >> >> yes, russ's >> >> randy, who has had his say >> > > I'm hardly going to fall on a sword over this, but I wanted to > explain why I see the issue worth discussion now. > > Ted > > > _______________________________________________ > Acme mailing list > [email protected] > https://www.ietf.org/mailman/listinfo/acme > >
_______________________________________________ Acme mailing list [email protected] https://www.ietf.org/mailman/listinfo/acme
