On Fri, Dec 28, 2018 at 11:21 PM Jakob Bohm via dev-security-policy < [email protected]> wrote:
> > My guess is all CAs have something like
> > https://www.digicert.com/certificate-terms/
> > 15. Certificate Revocation. DigiCert may revoke a Certificate without
> > notice for the reasons stated in the CPS, including if DigiCert
> > reasonably believes that:
> > ...
> > h. the Certificate was (i) misused, (ii) used or issued contrary to
> > law, the CPS, or industry standards, or (iii) used, directly or
> > indirectly, for illegal or fraudulent purposes, such as phishing
> > attacks, fraud, or the distribution of malware or other illegal or
> > fraudulent purposes,
>
> These were covered in the list you snipped, and shouldn't happen for an
> *honest* subscriber.

It does not seem like a productive discussion will emerge if the ontology is going to be honest/dishonest participants. By setting it up with loaded terms like that, it seems more likely that the engagement you’ll get is your own.

That said, it’s clear you recognize that certificate holders may, at any point, find the need for their certificates to be replaced, and whether you fault and blame them - or their CA - for it, it does not sound like you dispute that. So there’s likely nothing more to be said on the topic.

