On Thu, Nov 12, 2020 at 2:57 AM Dimitris Zacharopoulos <ji...@it.auth.gr> wrote:
> > I believe this information should be the "minimum" accepted methods of > proving that a Private Key is compromised. We should allow CAs to accept > other methods without the need to first update their CP/CPS. Do people > think that the currently proposed language would forbid a CA from > accepting methods that are not explicitly documented in the CP/CPS? > > I also think that "parties" is a bit ambiguous, so I would suggest > modifying that to follow the language of the BRs section 4.9.2 > "Subscribers, Relying Parties, Application Software Suppliers, and other > third parties". Here is my proposed change: > > "Section 4.9.12 of a CA's CP/CPS MUST clearly specify the methods (at a > minimum) that Subscribers, Relying Parties, Application Software > Suppliers, and other third parties may use to demonstrate private key > compromise." > > Dimitris, Instead, what about something like, "Section 4.9.12 of a CA's CP/CPS MUST clearly specify its accepted methods that Subscribers, Relying Parties, Application Software Suppliers, and other third parties may use to demonstrate private key compromise. A CA MAY allow additional, alternative methods that do not appear in section 4.9.12 of its CP/CPS." ? Ben _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy