Revocation support for non-subscribers is sort of implied...sort of:

Section 4.9.3:
The CA SHALL provide Subscribers, Relying Parties, Application Software
Suppliers, and other third parties with clear instructions for reporting
suspected Private Key Compromise, Certificate misuse, or other types of fraud,
compromise, misuse, inappropriate conduct, or any other matter related to
Certificates. The CA SHALL publicly disclose the instructions through a
readily accessible online means.



-----Original Message-----
From: dev-security-policy 
[mailto:dev-security-policy-bounces+jeremy.rowley=digicert....@lists.mozilla.org]
 On Behalf Of Peter Bowen
Sent: Wednesday, November 2, 2016 10:08 AM
To: Tom Ritter <t...@ritter.vg>
Cc: mozilla-dev-security-pol...@lists.mozilla.org; Jakob Bohm 
<jb-mozi...@wisemo.com>
Subject: Re: Certificate Concern about Cloudflare's DNS

On Wed, Nov 2, 2016 at 8:26 AM, Tom Ritter <t...@ritter.vg> wrote:
> On 2 November 2016 at 09:44, Jakob Bohm <jb-mozi...@wisemo.com> wrote:
>> The only thing that might be a CA / BR issue would be this:
>
> There's been (some) mention that even if a user moves off Cloudflare, 
> the CA is not obligated to revoke.  I don't agree with that. If a user 
> purchased a domain from someone (or bought a recently expired domain) 
> and a TLS certificate was still valid for it, would the new owner not 
> be able to get it revoked?  If so, how is this different?

Tom,

As written today, there is no obligation of CAs to do anything at the request of 
domain registrants.  There is an obligation that the CA SHALL revoke a 
certificate if:

" The CA is made aware of any circumstance indicating that use of a 
Fully-Qualified Domain Name or IP address in the Certificate is no longer 
legally permitted (e.g. a court or arbitrator has revoked a Domain Name 
Registrant’s right to use the Domain Name, a relevant licensing or services 
agreement between the Domain Name Registrant and the Applicant has terminated, 
or the Domain Name Registrant has failed to renew the Domain Name)"

Note that this does not give special authority to registrants.  In particular, 
the straight up "request revocation" option is limited to the _Subscriber_, 
which is the entity that acquired the certificate.

I think that this is a massive gap, especially in the current state of "WebPKI" 
where certificates are really a third party (CA) assertion that they performed 
a Trust On First Use (TOFU) operation with the objective that the CA is better 
positioned to avoid attackers than the party later relying upon the certificate.

> Aside, it would be very interesting to watch domain renewals + contact 
> info changes (if one can do this at scale) and pair it up with the CT 
> logs to see how much of an issue this is/could be.

Given that every CA I know of will issue a certificate for a validity period 
that exceeds the domain registration period, I suspect it is not hard to find 
many certificates containing FQDNs under expired domains.

Thanks,
Peter
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
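The gap Peter describes, and Tom's idea of pairing registration data with CT logs, as an added example that is not part of this thread: given constructed certificate records of the kind CT logs expose and constructed registration expiry dates, list the SANs whose certificate stays valid after the domain registration lapses, optionally restricted to certificates still valid on a given day. The function names, the sample data and the two-label registrable-domain rule are assumptions (real code would use the Public Suffix List and RDAP/WHOIS data).

```python
from datetime import date

# Constructed sample certificates, shaped like entries read from CT logs
# (hypothetical serials and names, not real certificates).
CT_CERTS = [
    {"serial": "01", "sans": ["www.example.com", "example.com"],
     "not_after": date(2018, 3, 1)},
    {"serial": "02", "sans": ["*.example.net"],
     "not_after": date(2017, 2, 1)},
    {"serial": "03", "sans": ["shop.example.org"],
     "not_after": date(2017, 6, 30)},
]

# Constructed registration expiry dates, as RDAP/WHOIS would report them.
REGISTRATIONS = {
    "example.com": date(2017, 1, 15),
    "example.net": date(2017, 12, 31),
    "example.org": date(2017, 5, 1),
}


def registrable_domain(fqdn):
    """Map a SAN (wildcards included) to its registered domain.
    Assumption: the registrable domain is the last two labels; a real
    implementation must consult the Public Suffix List."""
    labels = fqdn.lower().rstrip(".").split(".")
    if labels and labels[0] == "*":
        labels = labels[1:]
    return ".".join(labels[-2:])


def certs_outliving_registration(certs, registrations, as_of=None):
    """Return (serial, san, domain, days_beyond) for every SAN whose
    certificate remains valid after the domain registration expires.
    With as_of set, keep only findings where the registration has already
    lapsed but the certificate is still valid on that day."""
    findings = []
    for cert in certs:
        for san in cert["sans"]:
            domain = registrable_domain(san)
            expiry = registrations.get(domain)
            if expiry is None or cert["not_after"] <= expiry:
                continue
            if as_of is not None and not (expiry < as_of <= cert["not_after"]):
                continue
            days_beyond = (cert["not_after"] - expiry).days
            findings.append((cert["serial"], san, domain, days_beyond))
    return findings
```

A new registrant of a lapsed domain can run the same comparison against real CT data to learn which certificates for the name are still outstanding, which is the information needed to file a revocation request under 4.9.3.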
