Assuming that the subscriber agreement provided for an annual fee for certificates issued under the agreement, or incorporated such contractual terms with the subscriber, it seems like revocation for privilegeWithdrawn would be the correct code. It also appears that Mozilla's new policy would allow for that in the bullet under privilegeWithdrawn which reads "the CA operator is made aware that the certificate subscriber has violated one or more of its material obligations under the subscriber agreement or terms of use".
Presumably the use case here is providing a certificate with max permissible validity for ease of install/maintenance but billing for said certificate on a subscription basis without requiring full payment for the period up front?

On Tue, Aug 9, 2022 at 1:52 PM Tavis Ormandy <[email protected]> wrote:

> Apologies if I send this twice, I tried posting it via gmane and I think it
> failed.
>
> I understand the BRs require revocation in some circumstances, but are there any
> limits on when an issuer can revoke? Can they revoke for any reason whatsoever?
> Is the reason code required to be honest?
>
> I was recently surprised by an issuer demanding maintenance fees to *not* revoke
> a certificate. The certificate was not compromised and not expiring. Is this
> permitted by the BRs? It feels like misusing a mechanism that was intended to
> protect the PKI, not extract profit.
>
> I was being lazy and not migrating a very old system to ACME. I've
> migrated it now, because that felt really gross. I don't know what reason code
> they use for the revocation, I guess I'm curious if they will lie.
>
> Tavis.
>
> --
>  _o)            $ lynx lock.cmpxchg8b.com
>  /\\  _o)  _o)  $ finger [email protected]
> _\_V _( ) _( )  @taviso
>
> --
> You received this message because you are subscribed to the Google Groups
> "[email protected]" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> To view this discussion on the web visit
> https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/20220809175618.GA9423%40thinkstation.cmpxchg8b.net.
