A customer should be able to have the choice to change their CA provider
without threats of revocation by the CA. It's definitely an abuse of the
revocation function.

I do understand terms and conditions are in normal circumstances legally
binding once signed by a customer, but this practice is an abuse of trust
between the customer and the CA. The CA is acting in bad faith.

I suggest Mozilla send a strongly worded signed letter to every CA
highlighting the abuse of the revocation function and say whoever it is must
stop immediately or face consequences.

On Mon, 16 Mar 2020 at 23:51, Matt Palmer via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:

> On Mon, Mar 16, 2020 at 09:06:17PM +0000, Tim Hollebeek via
> dev-security-policy wrote:
> > I'd like to start a discussion about some practices among other commercial
> > CAs that have recently come to my attention, which I personally find
> > disturbing.  While it's perfectly appropriate to have Terms and Conditions
> > associated with digital certificates, in some circumstances, those Terms and
> > Conditions seem explicitly designed to prevent or hinder customers who wish
> > to switch to a different certificate authority.  Some of the most disturbing
> > practices include the revocation of existing certificates if a customer does
> > not renew an agreement, which can really hinder a smooth transition to a new
> > provider of digital certificates, especially since the customer may not have
> > anticipated the potential impact of such a clause when they first signed the
> > agreement.  I'm particularly concerned about this behavior because it seems
> > to be an abuse of the revocation system, and imposes costs on everyone who
> > is trying to generate accurate and efficient lists of revoked certificates
> > (e.g. Firefox).
> >
> > I'm wondering what the Mozilla community thinks about such practices.
>
> Utterly reprehensible, and should be called out loudly whenever it's found.
>
> However, it might be tricky for Mozilla itself to create and enforce such a
> prohibition, since it gets deep into the relationship between a CA and its
> customer.  I know there are already several requirements around what must go
> into a Subscriber Agreement in the BRs, etc, but they're a lot narrower than
> a blanket "thou shalt not put anything in there that restricts a customer's
> ability to move to a competitor", and a narrow ban on individual practices
> would be easily gotten around by a CA that was out to lock in their
> customers.
>
> I recognise that it can be tricky for a CA to (be seen to) criticise their
> competitors' business practices, but this really is a case where public
> awareness of these kinds of shady practices are probably the best defence
> against them.  Get enough people up in arms, hopefully hit the shonkster in
> the hip pocket, and it'll encourage them to rethink the wisdom of this kind
> of thing.
>
> - Matt
>
> --
> A polar bear is a rectangular bear after a coordinate transform.
>
> _______________________________________________
> dev-security-policy mailing list
> dev-security-policy@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy
>