The word "misused" in the policy could do with clarifying. The Maintenance Policy states:
"2. CAs must revoke Certificates that they have issued upon the occurrence of any of the following events: ... the CA obtains reasonable evidence that the subscriber’s private key (corresponding to the public key in the certificate) has been compromised or is suspected of compromise (e.g. Debian weak keys), or that the certificate has otherwise been misused;"

Kathleen's proposal is to change:

"or that the certificate has otherwise been misused;"

to

"or that the certificate has been used for a purpose outside of that indicated in the certificate or in the CA's subscriber agreement;"

We feel it's reasonable for the CA (via its subscriber agreement or via technical controls in the cert) to define what 'misuse' is.

There was a long previous discussion of this on m.d.s.policy, but no determination was made.
https://groups.google.com/forum/#!msg/mozilla.dev.security.policy/vMrncPi3tx8/Ab90Yi_rBgAJ

This is: https://github.com/mozilla/pkipolicy/issues/1

-------

This is a proposed update to Mozilla's root store policy for version 2.4. Please keep discussion in this group rather than on Github. Silence is consent.

Policy 2.3 (current version):
https://github.com/mozilla/pkipolicy/blob/2.3/rootstore/policy.md

Update process:
https://wiki.mozilla.org/CA:CertPolicyUpdates

