On Fri, Mar 6, 2020 at 10:05 PM Matt Palmer via dev-security-policy <
[email protected]> wrote:

> Therefore, the question I'm asking is: should Mozilla (aka the community
> and CA module owner and peers) make a policy decision to treat certificates
> issued with a known Debian weak key differently to that of the BRs, and
> insist on revocation within 24 hours (as a compromised key) rather than
> within five days (as a "Debian weak key")?


Mozilla's historically been reticent to override the BRs without an attempt
to at least fix the BRs.

I've filed https://github.com/cabforum/documents/issues/164 to track this.

That said, the 24 hour revocation requirement naturally supersedes that of
the five day revocation, in situations of proof of compromise, so while the
language might be argued as ambiguous, a CA is still expected to revoke
within 24 hours, if the private key has transitioned from "could be
computed" to "has been computed" (as in the case of Debian Weak Keys, as
you note).
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy