Hi Kathleen, On Tue, Nov 30, 2021 at 01:43:50PM -0800, Kathleen Wilson wrote: > If someone other than the Subscriber requests revocation by providing > verifiable evidence that the Subscriber's Private Key corresponding to the > Public Key in the Certificate suffered a Key Compromise, then the CA MUST > make the information regarding its intent to revoke available to the > Subscriber before revoking the certificate,
I'm curious about the background that caused this particular requirement to end up in here. It doesn't seem relevant to the specification of revocation reason codes. As an aside, I'm also not in favour of it in general, for a couple of reasons. Firstly, the wording is vague, both in the means by which the action may be executed, as well as the timeframe. Posting a list of certs to be revoked at an obscure URL five seconds before publishing the CRL would seem to fit the strict interpretation of this requirement, but it doesn't seem to serve any practical purpose. While tightening up the language is of course possible, it would still remain the case that there are a number of circumstances in which a CA may not have a reliable means of communication with the subscriber. For example, Let's Encrypt does not require subscribers to provide any contact details in order to register an account. - Matt -- You received this message because you are subscribed to the Google Groups "[email protected]" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/20211201094658.GA930%40hezmatt.org.
