On Tuesday, August 8, 2017 at 7:03:19 PM UTC-5, Jeremy Rowley wrote:
> 24 hours is super short when it's a Saturday morning at 4 am and it’s a
> European government entity. I agree that is what the policy says now, but,
> for lower risk items, the policy should change, preferably to at least one
> business day.

It is short, but any CA possessing global trust should already have procedures
in place for handling revocation in a prompt manner. It seems odd that it would
be onerous for them to revoke a non-compliant certificate. The only difference
is a need to confirm to the CA's satisfaction that the given certificate is in
violation of the BRs, which I would expect any competent CA to be eminently
capable of doing.
dev-security-policy mailing list