On Mon, Mar 02, 2020 at 07:35:06PM +0000, Nick Lamb wrote: > On Mon, 2 Mar 2020 13:48:55 +1100 > Matt Palmer via dev-security-policy > <dev-security-policy@lists.mozilla.org> wrote: > > In my specific case, I've been providing a JWS[1] signed by the > > compromised private key, and CAs are telling me that they can't (or > > won't) work with a JWS, and thus no revocation is going to happen. > > Is this a reasonable response? > > I don't hate JWS, but I can see Ryan's point of view on this. Not every > "proof" is easy to definitively assess, and a CA doesn't want to get > into the game of doing detailed forensics on (perhaps) random unfounded > claims. > > Maybe it makes sense for Mozilla to provide in its policy (without > limiting what else might be accepted) an example method of > demonstrating Key Compromise which it considers definitely sufficient ?
I think it would be useful if Mozilla were to require that CPS have details of acceptable methods of demonstrating key compromise. There's even a section which it would fit into nicely: 4.9.12, "Special Requirements for Key Compromise". It wouldn't solve the primary problem that I have -- having to special case every CA's pet method for requiring evidence -- but it would, at least, close the "oh no wait we need *this* evidence" loophole, and give reporting parties something to go off when reporting key compromises. Requiring that a CA's standards of evidence didn't require the use of one specific tool (`openssl dgst` I'm looking at *you*) would be icing on the cake. - Matt _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy