On Tuesday, August 8, 2017 at 7:03:19 PM UTC-5, Jeremy Rowley wrote:
> 24 hours is super short when it's a Saturday morning at 4 am and it’s a 
> European government entity. I agree that is what the policy says now, but, 
> for lower risk items, the policy should change, preferably to at least one 
> business day. 
> 

It is short, but any CA possessing global trust should already have procedures 
in place for handling revocation in a prompt manner. It seems odd that it would 
be onerous for them to revoke a non-compliant certificate. The only difference 
is a need to confirm to the CA's satisfaction that the given certificate is in 
violation of the BRs, which I would expect any competent CA to be eminently 
capable of doing.

-Paul
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy

Reply via email to