On Mon, Dec 06, 2021 at 06:30:50PM +0000, Corey Bonnell wrote:
> > While tightening up the language is of course possible, it would still
> > remain the case that there are a number of circumstances in which a CA may
> > not have a reliable means of communication with the subscriber. For
> > example, Let's Encrypt does not require subscribers to provide any contact
> > details in order to register an account.
>
> For those CAs which do not collect any information for Subscribers, I would
> be interested to learn how BR 9.6.3 (7) is fulfilled:
>
> "7. Responsiveness: An obligation to respond to the CA’s instructions
> concerning Key Compromise or Certificate misuse within a specified time
> period."

My reading of that specific requirement is that the subscriber agreement must contain that stipulation, and *if* a subscriber receives an instruction and fails to respond to it, they are in breach of the agreement. I don't read it as requiring the CA to issue instructions in any particular circumstance. Could you expand on how and why your understanding differs?

- Matt
