On Wed, Jan 26, 2022 at 6:19 PM Kathleen Wilson <[email protected]> wrote:
> The CRLReason keyCompromise (1) MUST be used when one or more of the > following occurs: > > - > > the CA obtains verifiable evidence that the certificate subscriber’s > private key corresponding to the public key in the certificate suffered a > key compromise; > - > > the CA is made aware of a demonstrated or proven method that exposes > the certificate subscriber’s private key to compromise; > - > > there is clear evidence that the specific method used to generate the > private key was flawed; > - > > the CA is made aware of a demonstrated or proven method that can > easily compute the certificate subscriber’s private key based on the public > key in the certificate (such as a Debian weak key, see > https://wiki.debian.org/TLSkeys <https://wiki.debian.org/SSLkeys>); or > - > > the certificate subscriber, *who has provided proof of possession of > the private key**, *requests that the CA revoke the certificate for > this reason. > > Maybe I'm misreading this, but adding the requirement to prove possession of the private key seems to me to make the last line entirely redundant: providing proof of possession of a certificate's private key, combined with a request for revocation for key compromise, would seem to me to qualify as "verifiable evidence that the certificate subscriber’s private key corresponding to the public key in the certificate suffered a key compromise." Alex -- You received this message because you are subscribed to the Google Groups "[email protected]" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CAN3-_m7Za6%2BJ_QF96jY021dnePEky4EyzaierFTRb8ZqE8baAw%40mail.gmail.com.
