On Sat, Sep 15, 2018 at 05:37:41AM +0300, Kas wrote:
> Hello everyone,
>
> Shouldn't the revocation process be more relaxed?
> Section 7.6 requires account authorization to revoke a certificate, and I
> can't see the good of this requirement and of making it the only way. It is
> logical that the account owner can revoke a certificate; what I suggest is:
> anyone should be able to revoke a certificate if he can prove that he has
> the private key of the certificate AND can pair it with the certificate
> itself (Serial Number, Public Key ....). For me this makes more sense: in
> case a server has been compromised there is no need to wait for the account
> owner. So the directory should have a permanent URL for revocation that will take
> the private key of a certificate (or its hash) along with the serial number of
> the certificate. I would love to hear an explanation of why this might be bad
> practice.
One can already sign revocation requests using the private key of the certificate being revoked (without even having an account). And this uses the usual revocation endpoint found in the directory.

-Ilari

_______________________________________________
Acme mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/acme
