The answers from CAs we typically see in this group are more along the lines of not thinking it necessary to revoke at all than needing more time, I'd say. So I don't really see what this idea that 24 hours would be too short is based on. I think relaxing the revocation time limit may in fact be a solution for a problem that doesn't exist (much). After all quite a few of these misissued certificates will not even work properly.
What I don't like is that the answers of CAs hardly ever explain what happened, how it was possible that it happened and what has/will be done to prevent is from happening again. It looks like they have no real incentive to do things right. Yes, in some cases the bad certificates will be in use and the revocation may cause problems (not too much I understand as revocation mostly does not work ;-) for CA-customers and their website visitors. But having to deal with that when they are doing it wrong is the only motivation a CA has for doing things right. As things are this doesn't seem to motivate them very much. ;-) And customers will have to learn to choose CAs that don't cause this kind of problems. Or suffer them... that is up to them. On to other hand customers also have little motivation to do things right. To most of them HTTPS is something they are forced into by the recent HTTPS-only drive by the browsers. All in all I appreciate how CT is pulling all this garbage into broad daylight. We should be simply aiming to get it cleared away. And if there is stuff in there that is not worth revoking promptly then it would be better to remove theses issuance requirements than to relax the revocation requirement. CU Hans _______________________________________________ dev-security-policy mailing list [email protected] https://lists.mozilla.org/listinfo/dev-security-policy
