I don't follow your argument about torturing the meaning of "provide". The
other analogous instances of the word "provide" in the BRs are:
- The CA SHALL provide a process for Subscribers to request revocation of
their own Certificates.
- The CA SHALL provide Subscribers... with clear instructions for reporting
suspected Private Key Compromise...
- the CA SHALL update the information provided via an Online Certificate
Status Protocol...
- the CA SHALL provide a Random Value...

All of these are items that a CA provides either a) statically, in the case
of processes and instructions, or b) reactively to a query by the
subscriber or relying party, in the case of OCSP and random values. None of
these have the meaning "proactively place in the inbox of the party to whom
information is provided". In an automated environment such as ACME, where
the "preliminary report" and the final revocation decision are identical,
an updated OCSP response is all that is necessary to satisfy the obligation
to provide a report on the CA's findings.

Aaron

On Wed, Dec 8, 2021 at 9:42 PM Matt Palmer <[email protected]> wrote:

> On Wed, Dec 08, 2021 at 01:28:12PM -0800, Aaron Gable wrote:
> > The language being used in this discussion so far does not seem to reflect
> > the actual text of the BRs. A CA is currently under no obligation to
> > "notify" the subscriber prior to revocation. Rather, a CA is under
> > obligation to "work with the Subscriber... to establish whether or not the
> > certificate will be revoked".
>
> I agree that "work with" does not absolutely require prior communication
> with the subscriber, if the subscriber agreement allows the CA to revoke.
> However, the first sentence of 4.9.5 remains problematic.  It says that "the
> CA SHALL investigate the [...] Certificate Problem Report and provide a
> preliminary report on its findings to [...] the Subscriber".
>
> I haven't been able to come up with an interpretation of that sentence which
> allows the CA to avoid collecting reliable contact information for all
> subscribers, short of some *really* tortured interpretations of the word
> "provide".  Torturing that word would probably have some unfortunate
> consequences, too, because it's used elsewhere in the BRs.
>
> - Matt

-- 
You received this message because you are subscribed to the Google Groups 
"[email protected]" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
To view this discussion on the web visit 
https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CAEmnErdK1QLFkMjxPL55rLPF-_YAkggnN8ha95_YeS-J92F3MA%40mail.gmail.com.
