Hello everyone,
Shouldn't the revocation process be more relaxed?
Section 7.6 requires account authorization to revoke a certificate, and I
can't see the good of this requirement and of making it the only way. It is
logical that the account owner can revoke a certificate; what I suggest
is:
Anyone should be able to revoke a certificate if he can prove that he
has the private key of the certificate AND can pair it with the
certificate itself (Serial Number, Public Key ...); for me this makes
more sense. In case a server has been compromised, there is no need to wait
for the account owner, so the directory should have a permanent URL for
revocation that will take the private key of a certificate (or its hash)
along with the serial number of the certificate. I would love to hear an
explanation of why this might be bad practice.
Best regards
K. Obaideen
_______________________________________________
Acme mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/acme
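Added example, not code from this post or from the ACME draft it discusses: the proposal above carried through in Go, with the one adjustment a practitioner would make, namely that the requester proves possession of the certificate's private key by signing over the serial number and the certificate hash instead of sending the key (or its hash) to the revocation URL. The CA side looks the serial up in its own issued-certificate table, checks that the request is paired with exactly that certificate, and accepts only a signature that verifies under the public key inside it. The toy CA, the self-signed test certificate, the domain-separation label and all names below are assumptions of the example.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// RevocationRequest is what the post asks for: a serial number plus proof that the
// sender holds the certificate's private key. The proof is a signature, not the key.
type RevocationRequest struct {
	Serial    *big.Int
	CertHash  []byte // SHA-256 of the certificate DER; pairs the request with one cert
	Signature []byte // ECDSA ASN.1 signature over revocationDigest(Serial, CertHash)
}

// revocationDigest is the signed message; the label is an assumed domain separator.
func revocationDigest(serial *big.Int, certHash []byte) []byte {
	h := sha256.New()
	h.Write([]byte("acme-revoke-by-key-example"))
	h.Write(serial.Bytes())
	h.Write(certHash)
	return h.Sum(nil)
}

// BuildRevocation runs wherever the private key lives; no ACME account is involved.
func BuildRevocation(cert *x509.Certificate, key *ecdsa.PrivateKey) (*RevocationRequest, error) {
	certHash := sha256.Sum256(cert.Raw)
	sig, err := ecdsa.SignASN1(rand.Reader, key, revocationDigest(cert.SerialNumber, certHash[:]))
	if err != nil {
		return nil, err
	}
	return &RevocationRequest{Serial: cert.SerialNumber, CertHash: certHash[:], Signature: sig}, nil
}

type CA struct {
	issued  map[string]*x509.Certificate // certificates on file, by serial
	revoked map[string]bool
}

// Issue is a test helper: it self-signs a certificate for key (a real CA would sign with its own key).
func (ca *CA) Issue(serial int64, key *ecdsa.PrivateKey) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: "example.test"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	ca.issued[cert.SerialNumber.String()] = cert
	return cert
}

// Revoke is the CA side: find the certificate by serial, confirm the request is paired
// with that exact certificate, then accept only a signature that verifies under its key.
func (ca *CA) Revoke(req *RevocationRequest) error {
	cert, ok := ca.issued[req.Serial.String()]
	if !ok {
		return errors.New("unknown serial")
	}
	if want := sha256.Sum256(cert.Raw); !bytes.Equal(want[:], req.CertHash) {
		return errors.New("request does not match the certificate on file")
	}
	pub, _ := cert.PublicKey.(*ecdsa.PublicKey) // nil if the certificate key is not ECDSA
	if pub == nil || !ecdsa.VerifyASN1(pub, revocationDigest(req.Serial, req.CertHash), req.Signature) {
		return errors.New("signature was not made with the certificate's private key")
	}
	ca.revoked[req.Serial.String()] = true
	return nil
}

// Scenario: a stranger with a different key is refused; the actual key holder succeeds.
func Scenario() (strangerRejected, keyHolderOK bool) {
	ca := &CA{issued: map[string]*x509.Certificate{}, revoked: map[string]bool{}}
	owner, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	stranger, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	cert := ca.Issue(1001, owner)
	bad, _ := BuildRevocation(cert, stranger)
	strangerRejected = ca.Revoke(bad) != nil && !ca.revoked["1001"]
	good, _ := BuildRevocation(cert, owner)
	keyHolderOK = ca.Revoke(good) == nil && ca.revoked["1001"]
	return
}

func main() {
	fmt.Println(Scenario())
}
```

Running it with `go run` prints `true true`. Binding the certificate hash into the signed message is what makes the "pair it with the certificate itself" part of the proposal hold: the same key can appear in several certificates, and the CA should only revoke the one the requester actually named.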