On 2 November 2016 at 11:24, Jeremy Rowley <[email protected]> wrote:
> Revocation support for non-subscribers is sort of implied...sort of:
>
> Section 4.9.3:
> The CA SHALL provide Subscribers, Relying Parties, Application Software 
> Suppliers, and other third parties with
> clear instructions for reporting suspected Private Key Compromise, 
> Certificate misuse, or other types of fraud,
> compromise, misuse, inappropriate conduct, or any other matter related to 
> Certificates. The CA SHALL publicly
> disclose the instructions through a readily accessible online means.
>

This was the text I was imagining being triggered by this scenario.

I certainly accept the fact that a CA has a reasonable reason to doubt
random incoming "Please revoke this certificate" requests, and could
or should require additional verification before taking action. I
would imagine that for DV revocations, such verification would be
pretty much identical to DV verification. The hard part is merely
automating the process for scale like they do for DV issuance. (But if
a CA got enough of these requests it could save some engineering by
reusing that verification infrastructure!)

-tom
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy