Hi Matt,

> My reading of that specific requirement is that the subscriber agreement must
> contain that stipulation, and *if* a subscriber receives an instruction and
> fails to respond to it, they are in breach of the agreement. I don't read it
> as requiring the CA to issue instructions in any particular circumstance.

BR section 4.9.5 has specific obligations for the CA to notify the Subscriber of pending revocations due to Key Compromise, etc. BR 9.6.3 (7) provides assurance that the Subscriber will respond to such communications to ensure timely replacement of certificates. However, if the CA does not collect any Subscriber contact information, then the CA cannot execute on its obligations to notify the Subscriber. In turn, if such communication from the CA cannot be sent to the Subscriber due to lack of contact information, then it follows that the Subscriber will not be able to fulfill their obligation for 9.6.3 (7). This is especially problematic in the case of mass revocations where certificates cannot be revoked in time because the CA is unable to contact all affected Subscribers. Therefore, I believe it is incumbent that CAs collect information for at least one method of contact so that both the CA-to-Subscriber notification obligation and the Subscriber's obligation to respond to the CA can be fulfilled.

Thanks,
Corey

-----Original Message-----
From: [email protected] <[email protected]> On Behalf Of Matt Palmer
Sent: Monday, December 6, 2021 6:26 PM
To: [email protected]
Subject: Re: Revocation Reason Codes for TLS End-Entity Certificates

On Mon, Dec 06, 2021 at 06:30:50PM +0000, Corey Bonnell wrote:
> > While tightening up the language is of course possible, it would still
> > remain the case that there are a number of circumstances in which a CA may
> > not have a reliable means of communication with the subscriber. For
> > example, Let's Encrypt does not require subscribers to provide any contact
> > details in order to register an account.
>
> For those CAs which do not collect any information for Subscribers, I would
> be interested to learn how BR 9.6.3 (7) is fulfilled:
>
> "7. Responsiveness: An obligation to respond to the CA's instructions
> concerning Key Compromise or Certificate misuse within a specified time
> period."

My reading of that specific requirement is that the subscriber agreement must contain that stipulation, and *if* a subscriber receives an instruction and fails to respond to it, they are in breach of the agreement. I don't read it as requiring the CA to issue instructions in any particular circumstance.

Could you expand on how and why your understanding differs?

- Matt

--
You received this message because you are subscribed to the Google Groups "[email protected]" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/20211206232548.GD930%40hezmatt.org.
