On 12/29/18, Ryan Sleevi via dev-security-policy <[email protected]> wrote:
> On Fri, Dec 28, 2018 at 11:21 PM Jakob Bohm via dev-security-policy <
> [email protected]> wrote:
>
>> > My guess is all CAs have something like
>> > https://www.digicert.com/certificate-terms/
>> > 15. Certificate Revocation. DigiCert may revoke a Certificate without
>> > notice for the reasons stated in the CPS, including if DigiCert
>> > reasonably believes that:
>> > ...
>> > h. the Certificate was (i) misused, (ii) used or issued contrary to
>> > law, the CPS, or industry standards, or (iii) used, directly or
>> > indirectly, for illegal or fraudulent purposes, such as phishing
>> > attacks, fraud, or the distribution of malware or other illegal or
>> > fraudulent purposes,
>>
>> These were covered in the list you snipped, and shouldn't happen for an
>> *honest* subscriber.
>
> It does not seem like a productive discussion will emerge if the ontology
> is going to be honest/dishonest participants.

I think it's an excellent distinction. An honest subscriber won't deliberately attempt to spread malware. But I like the idea of CAs revoking certs for sites deliberately trying to do harm, even though I get the impression that few actually revoke certs for that reason.

> By setting it up with loaded
> terms like that, it seems more likely that the engagement you'll get is
> your own.
>
> That said, it's clear you recognize that certificate holders may, at any
> point, find the need for their certificates to be replaced, and whether you
> fault and blame them - or their CA - for it, it does not sound like you
> dispute that. So there's likely nothing more to be said on the topic.

I thought the question was about how much warning an _honest_ cert holder should expect / get before their cert was revoked.

Lee

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

