This is an abusive practice that tends to injure the operation of the internet, particularly by encouraging victims to operate sites without authentication and encryption in the interregnum between revocation and the acquisition of a new cert. It also needlessly raises the cost to operate a site, and possibly violates antitrust and/or restraint-of-trade laws [1]. Mozilla should consider advocating the creation of an "abusive practices that could lead to distrust" section in the BRs, which should enumerate this practice.

-R

[1] Consult your lawyer for legal advice.

On 3/16/2020 2:06 PM, Tim Hollebeek via dev-security-policy wrote:
Hello,
I'd like to start a discussion about some practices among other commercial
CAs that have recently come to my attention, which I personally find
disturbing.  While it's perfectly appropriate to have Terms and Conditions
associated with digital certificates, in some circumstances, those Terms and
Conditions seem explicitly designed to prevent or hinder customers who wish
to switch to a different certificate authority.  Some of the most disturbing
practices include the revocation of existing certificates if a customer does
not renew an agreement, which can really hinder a smooth transition to a new
provider of digital certificates, especially since the customer may not have
anticipated the potential impact of such a clause when they first signed the
agreement.  I'm particularly concerned about this behavior because it seems
to be an abuse of the revocation system, and imposes costs on everyone who
is trying to generate accurate and efficient lists of revoked certificates
(e.g. Firefox).

I'm wondering what the Mozilla community thinks about such practices.

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
