I fully concur with Aaron. This requirement, as is, conflicts with Section 4.9.1.1 of the BRs.

Adriano


On 30/12/2021 00:08, 'Aaron Gable' via [email protected] wrote:
On Wed, Dec 29, 2021 at 2:11 PM Kathleen Wilson <[email protected]> wrote:

    1) The first sentence of the second paragraph has been changed to
    make my intent more clear, and I added a comment that we will need
    to determine an effective-date because this means code changes
    (e.g. ACME).

    "When a certificate revocation is not initiated by the certificate
    subscriber, the CA MUST notify the certificate subscriber about
    its intent to revoke the end-entity SSL certificate at least 24
    hours before revoking the certificate."
    I am open for feedback on wording and the time frame (e.g. 24
    hours), and I will also appreciate thoughts about the
    effective-date for this new policy. I intend to require that CAs
    notify certificate subscribers before revoking their certificates,
    because when certificate revocation is enforced by the browser the
    CA can essentially cause DOS for websites.


To the best of my knowledge, this requirement phrased as-is is impossible to comply with. BRs Section 4.9.1.1 says "The CA SHALL revoke a certificate within 24 hours if... [t]he CA obtains evidence that the Subscriber's Private Key... suffered a Key Compromise". This has uniformly been interpreted to mean "within 24 hours of the key compromise report being filed", not "within 24 hours of receiving the report" let alone "within 24 hours of deciding that the report is legitimate". Since there must necessarily be some amount of time between receiving the report and deciding to revoke -- even on the order of milliseconds for an automated ACME revocation, but still -- a CA cannot notify the subscriber /more/ than 24 hours before the revocation /and/ revoke the certificate /less/ than 24 hours after receiving the report. At the very least, this notification period must be reduced in order for a CA to comply both with it and with the existing BRs.

