On Thu, Mar 26, 2020 at 4:45 PM Ian Carroll via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote: > > Hi all, > > A recent thread on CAs using contractual terms to revoke certificates has > made me want to bring up a topic that I am surprised does not come up more: > removing the control of revocation from CAs and moving it to the user agent. > While this is an idea that requires the backing of a user agent (for which I > have none), I think it's worthwhile to float as a future prospect.
You only focused on keyCompromise. Was that intentional? If it was, it seems like it might be missing the other scenarios captured in the Baseline Requirements. CAs are required to have legally enforceable Subscriber Agreements / Terms of Use with their Subscribers (certificate holders), as a condition to issuing a certificate. This is covered in 9.6.3 of the Baseline Requirements. That places certain obligations upon the Subscriber (certificate holder). That's a risk tradeoff, and relies on the legal system rather than a technical system, to enforce certain expectations. If it was intentional to omit that, it's unclear if you're proposing to deprecate it or replace it with some other mechanism, such as the CA requiring that the Subscriber execute legally enforcable agreements with all possible Relying Parties beforehand. If it was unintentional, working through the design more is worthwhile. Some of this was already plumbed in the past, related to Certificate Transparency and name redaction, in the context of "hostile redaction" and "hostile unredaction". In effect, transitions of that mechanism to purely technical come with it new risks for hijinks and shenanigans. _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
