On 12/27/18, Jakob Bohm via dev-security-policy <[email protected]> wrote:
> Looking at the BRs, specifically BR 4.9.1, the reasons that can lead
> to fast revocation fall into a few categories / groups:
<.. snip ..>
> So absent a bad CA, I wonder where there is a rule that subscribers
> should be ready to quickly replace certificates due to actions far
> outside their own control.

My guess is all CAs have something like https://www.digicert.com/certificate-terms/

15. Certificate Revocation. DigiCert may revoke a Certificate without notice for the reasons stated in the CPS, including if DigiCert reasonably believes that:
...
h. the Certificate was (i) misused, (ii) used or issued contrary to law, the CPS, or industry standards, or (iii) used, directly or indirectly, for illegal or fraudulent purposes, such as phishing attacks, fraud, or the distribution of malware or other illegal or fraudulent purposes,
i. industry standards or DigiCert’s CPS require Certificate revocation, or revocation is necessary to protect the rights, confidential information, operations, or reputation of DigiCert or a third party.

An underscore in the name now (will after Jan 15? has since cabf ballot 202 failed to pass?) violates industry standards? If so, no notice required. And it seems to me that if digicert doesn't revoke certs with underscores in the name it'll adversely affect the reputation of DigiCert, so again it looks like no notice is required.

(but anything that has "legally valid and enforceable agreement" in the text probably requires lawyers to decide the issue & I'm not a lawyer)

Regards,
Lee

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

