On Thursday, April 10, 2014 10:28:38 AM UTC-4, Rob Stradling wrote:
> The Mozilla CA Certificate Maintenance Policy (Version 2.2) [1] says 
> (emphasis mine):
> 
> 
> "CAs _must revoke_ Certificates that they have issued upon the 
> occurrence of any of the following events:
> ...
>    - the CA obtains _reasonable evidence_ that the subscriber's private 
> key (corresponding to the public key in the certificate) has been 
> compromised or is _suspected of compromise_ (e.g. Debian weak keys)"
> 
> 
> I think that's pretty clear!
> 
> 
> The CABForum BRs go one step further, demanding that the CA revoke 
> _within 24 hours_.
> 
> 
> AFAICT, non-payment by the Subscriber does not release the CA from this 
> obligation to revoke promptly.
> 
> 
> Anyone disagree with my interpretation?
> 

I agree 100% and had posted almost this exact statement to Bugzilla before 
being directed here for discussion. The question of whether or not they can (or 
should) charge fees for this is essentially entirely separate from the issue at 
hand.

They have failed to revoke certificates reasonably known to be compromised, and 
this is in clear violation of the Mozilla CA Policy.
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy