In so far as it's not really a written rule, I wonder if what was described here would really qualify in the same way?
This sounds less like it was about a customer amidst migration and more like it was a "sell long validity cert on `credit` and collect payment over cert lifetime".

On Wed, Aug 10, 2022 at 12:58 PM Jeremy Rowley <[email protected]> wrote:

> Well yes, but actually no. Google has previously said CAs caught in
> behavior where revocation is used as a hammer on migrating customers would
> be penalized. Although Ryan Sleevi isn't with Google now, I assume that
> policy still stands. You can report bad acting CAs there. See
> https://groups.google.com/g/mozilla.dev.security.policy/c/nU1bIZ9LgjU/m/sJC8TtAgCAAJ
>
> It would be nice to see this rule actually canonized somewhere instead of
> it just being several old discussions on MDSP.
>
> -----Original Message-----
> From: [email protected] <[email protected]>
> On Behalf Of Tavis Ormandy
> Sent: Wednesday, August 10, 2022 11:24 AM
> To: Matthew Hardeman <[email protected]>
> Cc: [email protected]
> Subject: Re: BR revocation question
>
> On Wed, Aug 10, 2022 at 11:13:11AM -0500, Matthew Hardeman wrote:
> > Assuming that the subscriber agreement provided for an annual fee for
> > certificates issued under the agreement, or incorporated such
> > contractual terms with the subscriber, it seems like revocation for
> > privilegeWithdrawn would be the correct code. It also appears that
> > Mozilla's new policy would allow for that in the bullet under
> > privilegeWithdrawn which reads "the CA operator is made aware that the
> > certificate subscriber has violated one or more of its material
> > obligations under the subscriber agreement or terms of use".
>
> I suppose so. It's disappointing, it allows CAs to use revocation as a
> sabre to rattle to keep subscribers acquiescent.
>
> > Presumably the use case here is providing a certificate with max
> > permissible validity for ease of install/maintenance but billing for
> > said certificate on a subscription basis without requiring full
> > payment for the period up front?
>
> Sure, "protection racket" is such an ugly term :)
>
> Tavis.
>
> --
>  _o)            $ lynx lock.cmpxchg8b.com
>  /\\  _o)  _o)  $ finger [email protected]
> _\_V _( ) _( )  @taviso
