Ben -- thanks for the proposal. Random revocation is likely to be painful for subscribers without automation around eminent revocation, which ARI is expected to address. Would it make sense to couple this proposal to a specific adoption rate of ARI amongst subscribers?
Andrew On Wed, Dec 18, 2024 at 7:48 PM 'Ben Wilson' via [email protected] <[email protected]> wrote: > Dear Rich, > > Thank you for your question. > > I think it would be advisable for a CA operator’s mass-revocation testing > plan to include an immediate notice to all customers whose certificates > were randomly selected because we would want to minimize disruption to > server operations while testing the CA’s ability to revoke and replace > certificates promptly. > > That said, CAs should consider performing occasional tests that go beyond > providing pre-generated replacement certificates, in which subscribers > generate and submit new public keys. That would address the risks from a > widespread incident, like Heartbleed, where the potential compromise of > private keys necessitated key pair replacement. Preparing for such > scenarios ensures that subscribers will be able to quickly perform the > tasks of key pair generation, public key submission, and certificate > installation. > > Much to discuss. > > Thanks again, > > Ben > > On Wed, Dec 18, 2024 at 12:44 PM Rich Salz <[email protected]> wrote: > >> As part of the discussions on this proposal, namely that CAs “maintain >>> and test mass revocation plans annually, including the revocation of 30 >>> randomly chosen certificates within a 5-day period,” I’ve received a few >>> comments via private channels, and to ensure transparency and foster >>> discussion, I am sharing them here anonymously: >>> >> Would a CA be allowed to pre-notify customers whose certs were randomly >> selected and {pre/re}-issue them replacements? >> > -- > You received this message because you are subscribed to the Google Groups " > [email protected]" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to [email protected]. > To view this discussion visit > https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CA%2B1gtaZjqvpanXnx-eX7_%3D3E3jE5isKW1h4cD9-_jCmmBS8DCQ%40mail.gmail.com > <https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CA%2B1gtaZjqvpanXnx-eX7_%3D3E3jE5isKW1h4cD9-_jCmmBS8DCQ%40mail.gmail.com?utm_medium=email&utm_source=footer> > . > -- You received this message because you are subscribed to the Google Groups "[email protected]" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CAPdVL6UdzMNOC7DKX1De5VpYh604ge6u7cCBwqMSSphCChs1Kg%40mail.gmail.com.
