On Mon, Mar 16, 2020 at 09:06:17PM +0000, Tim Hollebeek via dev-security-policy 
wrote:
> I'd like to start a discussion about some practices among other commercial
> CAs that have recently come to my attention, which I personally find
> disturbing.  While it's perfectly appropriate to have Terms and Conditions
> associated with digital certificates, in some circumstances, those Terms and
> Conditions seem explicitly designed to prevent or hinder customers who wish
> to switch to a different certificate authority.  Some of the most disturbing
> practices include the revocation of existing certificates if a customer does
> not renew an agreement, which can really hinder a smooth transition to a new
> provider of digital certificates, especially since the customer may not have
> anticipated the potential impact of such a clause when they first signed the
> agreement.  I'm particularly concerned about this behavior because it seems
> to be an abuse of the revocation system, and imposes costs on everyone who
> is trying to generate accurate and efficient lists of revoked certificates
> (e.g. Firefox).
> 
> I'm wondering what the Mozilla community thinks about such practices.

Utterly reprehensible, and should be called out loudly whenever it's found.

However, it might be tricky for Mozilla itself to create and enforce such a
prohibition, since it gets deep into the relationship between a CA and its
customer.  I know there are already several requirements around what must go
into a Subscriber Agreement in the BRs, etc., but they're a lot narrower than
a blanket "thou shalt not put anything in there that restricts a customer's
ability to move to a competitor", and a narrow ban on individual practices
would be easily gotten around by a CA that was out to lock in their
customers.

I recognise that it can be tricky for a CA to (be seen to) criticise their
competitors' business practices, but this really is a case where public
awareness of these kinds of shady practices is probably the best defence
against them.  Get enough people up in arms, hopefully hit the shonkster in
the hip pocket, and it'll encourage them to rethink the wisdom of this kind
of thing.

- Matt

-- 
A polar bear is a rectangular bear after a coordinate transform.

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy