Tom Ritter <[email protected]> writes:

>There's been (some) mention that even if a user moves off Cloudflare, the CA
>is not obligated to revoke.

Would it matter?  I guess it depends on circumstances (whether you control the
private key or Cloudflare does, whether you intend to use the same domain
elsewhere or not, etc.), but in most cases it seems like no revocation is
necessary, you destroy or stop using the private key and that's it.  Even in
the worst-case scenario, Cloudflare has your private key and you intend to
keep using the domain, presumably there's some contractual obligation for them
to stop using it when you close your account with them.  It seems like a
revocation isn't necessary (not just for this but for pretty much every
revocation reason except keyCompromise).

Peter.
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
