Are we just coming up with random hypotheticals here?

Do you know of any provider that does this?

Is there any counter-proposal for how to ensure that Subscribers with
certificates today can reliably revoke their existing certificates? Or are
folks coming up with these scenarios actively rejecting this as a valid
need?

I don’t disagree that, as with anything, we have risks. I think Rob’s
scenario points, somewhat, to the need to curtail domain reuse as narrowly
as possible (hours, not years).

I’d be curious to know what alternatives folks are proposing, or
whether it really is to tell Subscribers “tough, you’ve got another hoop to
jump through to get these certificates revoked”. Because if we’re willing
to do that, wouldn’t it be better to instead do something like mandate all
CAs support ACME, to at least provide a consistent protocol for this?
