The general instruction I got was you couldn’t use revocation as a threat to 
keep customers from switching CAs. That was pretty clear from Ryan. Other bad 
actions were implied as prohibited, like revocation just because a contract 
terminated. Like I said, I’d love to see it written down as an official policy 
as the bounds and applicability are hearsay.
________________________________
From: [email protected] <[email protected]> on 
behalf of Matthew Hardeman <[email protected]>
Sent: Wednesday, August 10, 2022 12:21:56 PM
To: Jeremy Rowley <[email protected]>
Cc: Tavis Ormandy <[email protected]>; [email protected] 
<[email protected]>
Subject: Re: BR revocation question

In so far as it's not really a written rule, I wonder if what was described 
here would really qualify in the same way?

This sounds less like it was about a customer amidst migration and more like it 
was a "sell long validity cert on `credit` and collect payment over cert 
lifetime".

On Wed, Aug 10, 2022 at 12:58 PM Jeremy Rowley 
<[email protected]> wrote:
Well yes, but actually no. Google has previously said CAs caught in behavior 
where revocation is used as a hammer on migrating customers would be penalized. 
Although Ryan Sleevi isn't with Google now, I assume that policy still stands. 
You can report bad acting CAs there. See 
https://groups.google.com/g/mozilla.dev.security.policy/c/nU1bIZ9LgjU/m/sJC8TtAgCAAJ

It would be nice to see this rule actually canonized somewhere instead of it 
just being several old discussions on MDSP.

-----Original Message-----
From: [email protected] <[email protected]> On 
Behalf Of Tavis Ormandy
Sent: Wednesday, August 10, 2022 11:24 AM
To: Matthew Hardeman <[email protected]>
Cc: [email protected]
Subject: Re: BR revocation question

On Wed, Aug 10, 2022 at 11:13:11AM -0500, Matthew Hardeman wrote:
> Assuming that the subscriber agreement provided for an annual fee for
> certificates issued under the agreement, or incorporated such
> contractual terms with the subscriber, it seems like revocation for
> privilegeWithdrawn would be the correct code.  It also appears that
> Mozilla's new policy would allow for that in the bullet under
> privilegeWithdrawn which reads "the CA operator is made aware that the
> certificate subscriber has violated one or more of its material
> obligations under the subscriber agreement or terms of use".

I suppose so. It's disappointing; it allows CAs to use revocation as a sabre to 
rattle to keep subscribers acquiescent.

> Presumably the use case here is providing a certificate with max
> permissible validity for ease of install/maintenance but billing for
> said certificate on a subscription basis without requiring full
> payment for the period up front?

Sure, "protection racket" is such an ugly term :)

Tavis.

--
 _o)            $ lynx lock.cmpxchg8b.com
 /\\  _o)  _o)  $ finger [email protected]
_\_V _( ) _( )  @taviso

--
You received this message because you are subscribed to the Google Groups 
"[email protected]" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
To view this discussion on the web visit 
https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/20220810172355.GA23189%40thinkstation.cmpxchg8b.net.
