On Thursday, December 30, 2021 at 10:08:49 AM UTC-8 [email protected] wrote:
> "When a certificate revocation is not due to key compromise and is not
> initiated by the certificate subscriber, the CA MUST make the information
> regarding its intent to revoke an end-entity SSL certificate available to
> the certificate subscriber at least 24 hours before revoking the
> certificate."
>
> What if the certificate revocation is due to the CA becoming aware that
> validation (particularly DCV) was not performed correctly? In such cases,
> it's possible (perhaps even likely) that the private key is controlled only
> by an attacker; and since that private key hasn't been obtained by parties
> that the subscriber (i.e., the attacker) has not authorized, the key is not
> compromised.
>
> As with key compromise, waiting 24 hours in this scenario only helps the
> attacker.

Updated to:

"When a certificate revocation reason is not keyCompromise (1) as described below and the revocation is not initiated by the certificate subscriber, the CA MUST make the information regarding its intent to revoke an end-entity SSL certificate available to the certificate subscriber at least 24 hours before revoking the certificate."

Thanks,
Kathleen

--
You received this message because you are subscribed to the Google Groups "[email protected]" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/7372c60d-8fa8-4dcf-ad7f-8a4bd80415ddn%40mozilla.org.
