A CRL/OCSP response is only valid for about a week, and writing a new CRL/OCSP response is by itself a new action, even if it has the same set of certificates in it, which a TRO can forbid.

I think this is something closeable; in the worst case it'd just cause the court to send officers to forbid CA people from touching the HSM.

On 2025-06-09 at 9:03 AM, Matt Palmer wrote:
On Sun, Jun 08, 2025 at 04:37:24AM -0700, Suchan Seo wrote:
Wouldn't court just force CA to unrevoke TRO'ed certificate in that case?
An order to take an action is a very different beast from an order to
_not_ take an action.  The hint is in the name: a _restraining_ order.
It stops an entity from doing something which may potentially cause the
plaintiff harm, to give a court time to consider the situation more
carefully.  For more information, consult your friendly neighbourhood
lawyer.

However, I'd be more than happy for Mozilla to close that loophole, too,
by making it clear that any "unrevocation" is another insta-kick action.
That should be less controversial than my other suggestions, because (as
far as I'm aware) there's no historical precedent of a CA ever
unrevoking a certificate in contravention of the BRs, so there's no
"inertia" of previous unsanctioned bad behaviour to overcome.

- Matt

