On Wed, Dec 08, 2021 at 01:28:12PM -0800, Aaron Gable wrote:
> The language being used in this discussion so far does not seem to reflect 
> the actual text of the BRs. A CA is currently under no obligation to 
> "notify" the subscriber prior to revocation. Rather, a CA is under 
> obligation to "work with the Subscriber... to establish whether or not the 
> certificate will be revoked".

I agree that "work with" does not absolutely require prior communication
with the subscriber, if the subscriber agreement allows the CA to revoke. 
However, the first sentence of 4.9.5 remains problematic.  It says that "the
CA SHALL investigate the [...] Certificate Problem Report and provide a
preliminary report on its findings to [...] the Subscriber".

I haven't been able to come up with an interpretation of that sentence which
allows the CA to avoid collecting reliable contact information for all
subscribers, short of some *really* tortured interpretations of the word
"provide".  Torturing that word would probably have some unfortunate
consequences, too, because it's used elsewhere in the BRs.

- Matt
