> While tightening up the language is of course possible, it would still remain
> the case that there are a number of circumstances in which a CA may not have
> a reliable means of communication with the subscriber. For example, Let's
> Encrypt does not require subscribers to provide any contact details in order
> to register an account.
For those CAs which do not collect any information for Subscribers, I would be interested to learn how BR 9.6.3 (7) is fulfilled: "7. Responsiveness: An obligation to respond to the CA’s instructions concerning Key Compromise or Certificate misuse within a specified time period."

Thanks,
Corey

-----Original Message-----
From: [email protected] <[email protected]> On Behalf Of Matt Palmer
Sent: Wednesday, December 1, 2021 4:47 AM
To: [email protected]
Subject: Re: Revocation Reason Codes for TLS End-Entity Certificates

Hi Kathleen,

On Tue, Nov 30, 2021 at 01:43:50PM -0800, Kathleen Wilson wrote:
> If someone other than the Subscriber requests revocation by providing
> verifiable evidence that the Subscriber's Private Key corresponding to
> the Public Key in the Certificate suffered a Key Compromise, then the
> CA MUST make the information regarding its intent to revoke available
> to the Subscriber before revoking the certificate,

I'm curious about the background that caused this particular requirement to end up in here. It doesn't seem relevant to the specification of revocation reason codes.

As an aside, I'm also not in favour of it in general, for a couple of reasons. Firstly, the wording is vague, both in the means by which the action may be executed, as well as the timeframe. Posting a list of certs to be revoked at an obscure URL five seconds before publishing the CRL would seem to fit the strict interpretation of this requirement, but it doesn't seem to serve any practical purpose.

While tightening up the language is of course possible, it would still remain the case that there are a number of circumstances in which a CA may not have a reliable means of communication with the subscriber. For example, Let's Encrypt does not require subscribers to provide any contact details in order to register an account.

- Matt

--
You received this message because you are subscribed to the Google Groups "[email protected]" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/20211201094658.GA930%40hezmatt.org.
