Thank you to those of you who have provided more feedback. I have updated 
the draft policy text here:

https://docs.google.com/document/d/1ESakR4MiwyENyuLefyH2wG8rYbtnmG1xeSYvDNpS-EI/edit?usp=sharing

I highlighted the changes in the document, and below is a summary of the 
changes.

1) The first sentence of the second paragraph has been changed to make my 
intent more clear, and I added a comment that we will need to determine an 
effective-date because this means code changes (e.g. ACME).

"When a certificate revocation is not initiated by the certificate 
subscriber, the CA MUST notify the certificate subscriber about its intent 
to revoke the end-entity SSL certificate at least 24 hours before revoking 
the certificate."

I am open to feedback on wording and the time frame (e.g. 24 hours), and I 
will also appreciate thoughts about the effective date for this new policy. 
I intend to require that CAs notify certificate subscribers before revoking 
their certificates, because when certificate revocation is enforced by the 
browser the CA can essentially cause a DoS for websites.

2) Per the feedback from Wendy (here 
<https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/Cls1b2iuOLU/m/-wAFl43kCwAJ>) 
I replaced "affiliationChanged (3)" with "cessationOfOperation (5)" in the 
proposed text, because despite the previously referenced document 
<https://docs.microsoft.com/en-us/previous-versions/tn-archive/cc700843(v=technet.10)> 
about revocation reasons, I agree with Wendy that cessationOfOperation 
makes more sense with regard to a TLS certificate no longer being needed 
because the website it was used on has been taken down or the certificate 
subscriber no longer owns the domain name(s) in the certificate, whereas 
affiliationChanged seems to be about how a person is associated with an 
organization.

So the "affiliationChanged (3)" paragraph has been replaced by the 
following.

"cessationOfOperation (5)

The CRLReason cessationOfOperation (5) MUST be used when the subscriber has 
requested that their certificate be revoked for this reason, or the CA has 
received verifiable evidence that the subscriber no longer owns the domain 
names in the certificate and there is no evidence of a private key 
compromise. Otherwise this CRLReason MUST NOT be used. The CRLReason 
cessationOfOperation (5) is intended to be used to indicate that the 
subscriber no longer owns the domain names in the certificate or will no 
longer be using the certificate. For example, this revocation reason should 
be used if the website with the certificate is shut down prior to the 
expiration of the certificate."

I will continue to appreciate your input on this draft proposal.

Thanks,
Kathleen


To view this discussion on the web visit 
https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/985030a9-d162-4102-8724-adeec29be6ean%40mozilla.org.
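Added example (not part of Kathleen's message or of the Mozilla policy draft): the 
proposed text refers to CRLReason values by number, and the place those numbers 
actually live is the reasonCode CRL entry extension defined in RFC 5280 section 
5.3.1. The standard-library Python below encodes a revokedCertificates entry that 
carries a reasonCode and reads the reason back out, so a CA implementer can see 
what "cessationOfOperation (5)" looks like on the wire. The DER helpers, the 
function names, and the serial number and date used in sample_entry() are all 
constructed for this example and are not taken from any CA software or library.

```python
"""Encode and decode the reasonCode CRL entry extension (RFC 5280, section 5.3.1).

Standard-library only: the small DER helpers here are hand-written for this
example and are not the API of any CA product or of pyca/cryptography.
"""
from datetime import datetime, timezone

# CRLReason ENUMERATED values from RFC 5280 section 5.3.1; value 7 is unused.
CRL_REASONS = {
    0: "unspecified",
    1: "keyCompromise",
    2: "cACompromise",
    3: "affiliationChanged",
    4: "superseded",
    5: "cessationOfOperation",
    6: "certificateHold",
    8: "removeFromCRL",
    9: "privilegeWithdrawn",
    10: "aACompromise",
}
REASON_BY_NAME = {name: code for code, name in CRL_REASONS.items()}

# id-ce-cRLReasons OBJECT IDENTIFIER ::= { 2 5 29 21 }, as DER OID contents
ID_CE_CRL_REASONS = bytes.fromhex("551d15")


def _der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def _read_tlv(buf, pos=0):
    """Return (tag, contents, position just after this TLV)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def encode_reason_code_extension(reason):
    """Extension { extnID id-ce-cRLReasons, extnValue OCTET STRING holding an ENUMERATED }."""
    if isinstance(reason, str):
        reason = REASON_BY_NAME[reason]
    if reason not in CRL_REASONS:
        raise ValueError(f"not a valid CRLReason: {reason}")
    enumerated = _tlv(0x0A, bytes([reason]))
    # reasonCode is non-critical; DER omits the BOOLEAN because FALSE is its DEFAULT.
    return _tlv(0x30, _tlv(0x06, ID_CE_CRL_REASONS) + _tlv(0x04, enumerated))


def encode_revoked_entry(serial, revoked_at, reason):
    """One revokedCertificates entry: INTEGER serial, UTCTime, crlEntryExtensions."""
    serial_bytes = serial.to_bytes((serial.bit_length() + 8) // 8, "big")  # sign bit stays clear
    utc_time = revoked_at.strftime("%y%m%d%H%M%SZ").encode("ascii")
    extensions = _tlv(0x30, encode_reason_code_extension(reason))
    return _tlv(0x30, _tlv(0x02, serial_bytes) + _tlv(0x17, utc_time) + extensions)


def decode_reason_code_extension(der):
    """Return (code, name) for a DER reasonCode Extension; reject anything else."""
    tag, ext, _ = _read_tlv(der)
    if tag != 0x30:
        raise ValueError("Extension must be a SEQUENCE")
    tag, oid, pos = _read_tlv(ext)
    if tag != 0x06 or oid != ID_CE_CRL_REASONS:
        raise ValueError("not a reasonCode extension")
    tag, value, pos = _read_tlv(ext, pos)
    if tag == 0x01:  # tolerate an explicit 'critical FALSE' from a non-DER encoder
        tag, value, pos = _read_tlv(ext, pos)
    if tag != 0x04:
        raise ValueError("extnValue must be an OCTET STRING")
    tag, enum, _ = _read_tlv(value)
    if tag != 0x0A or len(enum) != 1 or enum[0] not in CRL_REASONS:
        raise ValueError("reasonCode must be a one-byte ENUMERATED with a defined value")
    return enum[0], CRL_REASONS[enum[0]]


def reason_from_revoked_entry(entry_der):
    """Return (serial, (code, name)), or (serial, None) when the entry has no reasonCode.

    RFC 5280 says the extension SHOULD be absent rather than carry unspecified (0),
    so None is the normal result for an entry that gives no reason.
    """
    _, entry, _ = _read_tlv(entry_der)
    _, serial_bytes, pos = _read_tlv(entry)
    serial = int.from_bytes(serial_bytes, "big")
    _, _, pos = _read_tlv(entry, pos)  # revocationDate, not needed here
    if pos >= len(entry):
        return serial, None
    _, extensions, _ = _read_tlv(entry, pos)
    p = 0
    while p < len(extensions):
        _, ext_body, nxt = _read_tlv(extensions, p)
        _, oid, _ = _read_tlv(ext_body)
        if oid == ID_CE_CRL_REASONS:
            return serial, decode_reason_code_extension(extensions[p:nxt])
        p = nxt
    return serial, None


def sample_entry():
    """Constructed sample (serial and date are made up): revoked as cessationOfOperation."""
    return encode_revoked_entry(0x1234, datetime(2020, 6, 1, 12, 0, tzinfo=timezone.utc),
                                "cessationOfOperation")


if __name__ == "__main__":
    entry = sample_entry()
    print(entry.hex())
    print(reason_from_revoked_entry(entry))
```

The encoder refuses value 7, which RFC 5280 leaves unused, and the decoder 
rejects unknown values instead of silently mapping them to unspecified (0), 
so a policy check built on it cannot mistake a malformed entry for a valid 
reason.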
