On Tue, Mar 10, 2020 at 05:18:51PM -0400, Ryan Sleevi via dev-security-policy wrote: > I'm sympathetic to CAs wanting to filter out the noise of shoddy reports > and shenanigans, but I'm also highly suspicious of CAs that put too > unreasonable an onus on reporters.
If CAs want a 100% reliable and trustworthy means of receiving key compromise reports, they can stand up a server which implements RFC8555 s7.6. The backend doesn't have to immediately revoke the cert; it can create a ticket in the CA's workflow management system saying "this cert has been demonstrated to have a compromised private key, do the needful". No need for compliance specialists, PKI experts, or anyone to be on hand to check what's going on. Put a link to the ACME directory in s4.9.12 of their CPS and in CCADB, Job done. - Matt _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy