Thanks again to all of you for continuing to discuss this. I have updated the bright green text in the draft policy <https://docs.google.com/document/d/1ESakR4MiwyENyuLefyH2wG8rYbtnmG1xeSYvDNpS-EI/edit?usp=sharing> again. Hopefully this is a sufficient balance and clear enough now. Note: It sounds like there may be a need to have further discussions about CSRs and revocations in the CA/Browser Forum -- I'm not trying to solve that here.
==
The CRLReason keyCompromise (1) MUST be used when one or more of the following occurs:
...
- the certificate subscriber requests that the CA revoke the certificate for this reason, with the scope of revocation being described below. The scope of revocation depends on whether the certificate subscriber has proven possession of the private key of the certificate. A CSR does NOT prove possession of the certificate's private key.
  - If anyone requesting revocation has previously demonstrated or can currently demonstrate possession of the private key of the certificate, then the CA MUST revoke all instances of that key across all subscribers.
  - If the certificate subscriber requests that the CA revoke the certificate for keyCompromise, and has not previously demonstrated and cannot currently demonstrate possession of the associated private key of that certificate, the CA MAY revoke all certificates associated with that subscriber that contain that public key. The CA MUST NOT assume that it has evidence of private key compromise for the purposes of revoking the certificates of other subscribers, but MAY block issuance of future certificates with that key.
==

Thanks,
Kathleen

To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/c09f3e8e-1894-4c74-adcb-c930ce017ae6n%40mozilla.org.
