Hi Ryan and Kathleen
What’s being proposed are 2 different sets of CA actions upon receipt of a revocation request for key compromise:

1. If PoP was demonstrated, then the CA must revoke all certificates with that key
2. If PoP was not demonstrated, then revoke just that one certificate (so one subscriber can’t cause DoS to another one)

In both cases, section 6.1.1.3 of the BRs applies, and specifically item 4:

    The CA SHALL reject a certificate request if one or more of the following conditions are met:
    4. The CA has previously been made aware that the Applicant’s Private Key has suffered a Key Compromise, such as through the provisions of Section 4.9.1.1;

Will the CA block further issuance when the request for revocation does not include PoP, which could DoS them for renewal using the same key pair?

To me, if the subscriber can’t provide PoP of the private key, the unspecified reason code would be more accurate. What’s the value to the subscriber, CA and ecosystem to treat that case as key compromise vs. unspecified?

I’m probably just not understanding the background and value for the second rule around processing requests for revocation with key compromise without PoP.

Doug

From: Kathleen Wilson <[email protected]>
Sent: Tuesday, February 1, 2022 6:05 PM
To: [email protected]
Cc: Ryan Sleevi <[email protected]>; Doug Beattie <[email protected]>
Subject: Re: Revocation Reason Codes for TLS End-Entity Certificates

OK, how about the following text?

==
The scope of revocation depends on whether the certificate subscriber has proven possession of the private key of the certificate.

- If the certificate subscriber requests that the CA revoke the certificate for keyCompromise, and has not previously demonstrated and cannot currently demonstrate possession of the associated private key of that certificate, the CA SHOULD limit revocation to only certificates that are associated with that subscriber and which contain that public key.

- If anyone requesting revocation has previously demonstrated or can currently demonstrate possession of the private key of the certificate, then the CA MUST revoke all instances of that key across all subscribers.
==

Thanks for your patience on this -- it's a tricky one for me.

Kathleen

--
You received this message because you are subscribed to the Google Groups "[email protected]" group. To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/PUZPR03MB612951EAB79A6B1CD870B499F0279%40PUZPR03MB6129.apcprd03.prod.outlook.com.
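One way to model the two revocation rules in Kathleen's proposed text, together with the BR 6.1.1.3 item 4 rejection check Doug cites, as an added example that is not part of this thread and not any CA's code. It assumes Ed25519 keys, a CA-issued random challenge signed by the certificate's private key as the proof-of-possession mechanism, and an in-memory certificate inventory; the inventory and challenge are constructed sample data. Keys reported compromised without PoP are deliberately not added to the compromised-key register, since whether they should block issuance is exactly the question left open above.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"fmt"
)

// Cert is a minimal stand-in for an issued end-entity certificate (assumption:
// a real CA holds the parsed X.509 object; only the fields the rule needs are kept).
type Cert struct {
	Serial     string
	Subscriber string
	PublicKey  ed25519.PublicKey
}

// Request is a subscriber's revocation request. PoP, when present, is an
// Ed25519 signature over the CA-issued challenge (assumed PoP mechanism).
type Request struct {
	Serial     string
	Subscriber string
	Reason     string // "keyCompromise" or "unspecified"
	PoP        []byte
}

// Compromised records keys whose compromise was proven; it backs the
// BR 6.1.1.3 item 4 check. Unproven reports are intentionally not recorded.
var Compromised = map[string]bool{}

// VerifyPoP reports whether sig is a valid signature over challenge by pub.
func VerifyPoP(pub ed25519.PublicKey, challenge, sig []byte) bool {
	if len(pub) != ed25519.PublicKeySize || len(sig) != ed25519.SignatureSize {
		return false
	}
	return ed25519.Verify(pub, challenge, sig)
}

// RevocationScope returns the serials to revoke: keyCompromise with PoP revokes
// every certificate carrying that key across all subscribers; keyCompromise
// without PoP is limited to the requesting subscriber's own certificates with
// that key; any other reason revokes only the named certificate.
func RevocationScope(inventory []Cert, req Request, challenge []byte) (serials []string, proven bool) {
	var target *Cert
	for i := range inventory {
		if inventory[i].Serial == req.Serial {
			target = &inventory[i]
			break
		}
	}
	if target == nil {
		return nil, false
	}
	if req.Reason != "keyCompromise" {
		return []string{target.Serial}, false
	}
	proven = VerifyPoP(target.PublicKey, challenge, req.PoP)
	if proven {
		Compromised[hex.EncodeToString(target.PublicKey)] = true
	} else if req.Subscriber != target.Subscriber {
		// Unauthenticated request about another subscriber's certificate:
		// nothing is revoked (assumption: requester must be that subscriber).
		return nil, false
	}
	for _, c := range inventory {
		if !bytes.Equal(c.PublicKey, target.PublicKey) {
			continue
		}
		if proven || c.Subscriber == req.Subscriber {
			serials = append(serials, c.Serial)
		}
	}
	return serials, proven
}

// RejectRequest applies BR 6.1.1.3 item 4 to a later certificate request.
func RejectRequest(pub ed25519.PublicKey) bool {
	return Compromised[hex.EncodeToString(pub)]
}

// BuildScenario constructs sample data (not real certificates): subscriber A
// holds two certificates on key K1, subscriber B one on the same K1, and A
// one more on an unrelated key K2.
func BuildScenario() (inventory []Cert, privK1 ed25519.PrivateKey, challenge []byte) {
	pubK1, privK1, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	pubK2, _, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	challenge = make([]byte, 32)
	if _, err := rand.Read(challenge); err != nil {
		panic(err)
	}
	inventory = []Cert{
		{Serial: "A-01", Subscriber: "A", PublicKey: pubK1},
		{Serial: "A-02", Subscriber: "A", PublicKey: pubK1},
		{Serial: "B-01", Subscriber: "B", PublicKey: pubK1},
		{Serial: "A-03", Subscriber: "A", PublicKey: pubK2},
	}
	return inventory, privK1, challenge
}

func main() {
	inv, priv, ch := BuildScenario()
	unproved := Request{Serial: "A-01", Subscriber: "A", Reason: "keyCompromise"}
	proved := Request{Serial: "A-01", Subscriber: "A", Reason: "keyCompromise", PoP: ed25519.Sign(priv, ch)}
	for _, r := range []Request{unproved, proved} {
		s, ok := RevocationScope(inv, r, ch)
		fmt.Printf("PoP=%v -> revoke %v\n", ok, s)
	}
	fmt.Println("later request for K1 rejected:", RejectRequest(inv[0].PublicKey))
}
```

Run as written, the unproven request revokes only A-01 and A-02, the proven one revokes A-01, A-02 and B-01, and only after the proven report does a new request for K1 trip the 6.1.1.3 item 4 check. Whether the unproven path should also populate the register is the policy choice the thread is debating; the code makes that choice visible in one place.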
