Agreed, I'd support a requirement that mandated revocation of a certificate using the domain validation processes supported by the CA in issuance. If you can prove control enough to get a certificate from the CA, then you are able to prove control enough to revoke a certificate.

-----Original Message-----
From: Tom Ritter [mailto:[email protected]]
Sent: Wednesday, November 2, 2016 10:45 AM
To: Jeremy Rowley <[email protected]>
Cc: Peter Bowen <[email protected]>; [email protected]; Jakob Bohm <[email protected]>
Subject: Re: Cerificate Concern about Cloudflare's DNS

On 2 November 2016 at 11:24, Jeremy Rowley <[email protected]> wrote:
> Revocation support for non-subscribers is sort of implied...sort of:
>
> Section 4.9.3:
> The CA SHALL provide Subscribers, Relying Parties, Application
> Software Suppliers, and other third parties with clear instructions
> for reporting suspected Private Key Compromise, Certificate misuse, or
> other types of fraud, compromise, misuse, inappropriate conduct, or any
> other matter related to Certificates. The CA SHALL publicly disclose the
> instructions through a readily accessible online means.
>

This was the text I was imagining being triggered by this scenario.

I certainly accept the fact that a CA has a reasonable reason to doubt random incoming "Please revoke this certificate" requests, and could or should require additional verification before taking action. I would imagine that for DV revocations, such verification would be pretty much identical to DV verification. The hard part is merely automating the process for scale like they do for DV issuance. (But if a CA got enough of these requests it could save some engineering by reusing that verification infrastructure!)

-tom
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

