On Friday, 3 March 2017 07:49:28 UTC, Ryan Sleevi wrote:
> It is not acceptable. It's explicitly prohibited multiple ways to allow
> more than 24 hours when such situations are brought to the CAs' attention.

I'm sympathetic to the idea, here and in all cases where we have no reason to suppose the initial issuance was fraudulent, that the CA ought to reach out to the subscriber to give them a chance to minimise the impact of necessary revocations. However, CAs have indicated elsewhere, as you know, that their customers may need up to three months to act, hence the 39 rather than 36 month limit on certificate lifetimes. It's not practical to wait for that, and even the implication that you _might_ wait actually slows down the response from most subscribers, because emergency changes are subject to less inertia.

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy