Eddy Nigg wrote:
On 02/05/2009 04:23 AM, Kyle Hamilton:
Once a key is in compromised state, it can never become uncompromised
again. Enforcing this is part of the trust that I have in the
certification authorities -- and why I don't currently trust any of
them to tell me who anyone happens to be, since any CPS which states
that certificate revocation can only be done at the request of the
Haha, it will be most amusing if you'll find such a CPS. :-)
I agree that it would be unusual for a CPS to state that certificate
revocation could be done only at the request of the subscriber. However
I *can* imagine a CPS where this would be ambiguous. For example, your
StartCom CPS is very slightly ambiguous, since it states that "A
certificate will be revoked ..." but doesn't explicitly state that it's
StartCom that will be doing the revoking; it also doesn't contain any
language about this being done regardless of the subscriber's feelings
about the matter.
Note that I don't really think your CPS is problematic in any sense,
it's that I can imagine CPSs where the ambiguity would be somewhat
greater. For example, suppose a CPS said something like "Causes for
certificate revocation include ... compromise of the private key". This
leaves it somewhat unclear whether the CA can unilaterally revoke or not.
Frank
--
Frank Hecker
hec...@mozillafoundation.org
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto