On 19/04/2020 11:13, Nick Lamb via dev-security-policy wrote:
> On Sat, 18 Apr 2020 22:57:03 -0400
> Ryan Sleevi via dev-security-policy
> <dev-security-policy@lists.mozilla.org> wrote:
>
>> The Baseline Requirements address this. See 9.16.3 (particularly item
>> 5) and 9.6.1 (6).
>>
>> For better or worse, the situation is as Neil described and required
>> for all CAs.
>
> It's possible that I'm confused somehow, but for me §9.16.3 of the BRs
> does not have numbered item 5, and neither this nor §9.6.1 define
> "contractual jeopardy" nor do they clear up why a subscriber would want
> to shut down their service and perhaps be driven into bankruptcy in
> deference to a mere technical error.

I suspect that this was a typo from Ryan, and he meant Section 9.6.3 (5), which states (regarding subscriber agreements):

5. Reporting and Revocation: An obligation and warranty to: (a) promptly request revocation of the Certificate, and cease using it and its associated Private Key, if there is any actual or suspected misuse or compromise of the Subscriber’s Private Key associated with the Public Key included in the Certificate, and (b) promptly request revocation of the Certificate, and cease using it, if any information in the Certificate is or becomes incorrect or inaccurate.
Clause 6 of the same section is also relevant (but only if the private key has been compromised):

6. Termination of Use of Certificate: An obligation and warranty to promptly cease all use of the Private Key corresponding to the Public Key included in the Certificate upon revocation of that Certificate for reasons of Key Compromise.

So, a CA is _required_ to have these terms in its Subscriber Agreements.

Regarding 9.6.1, you are right that my generic term (contractual jeopardy) is not defined, but it does establish that the Subscriber Agreement must be a legally enforceable document. If one party declines to adhere to its responsibilities under the agreement, the contract is placed in peril.

Now, if a CA is producing OCSP errors, or vague or confusing statements as to the status of one of its certificates, then absolutely a Subscriber would not shut down its services until the instruction from the CA is clearly expressed. My view is that a properly formed, digitally signed and dated statement of revocation _does_ make the instruction clear.

Regards,

Neil

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy