On 01/09/17 18:51, Wayne Thayer via Public wrote: > I have a question related to the (unchanged) requirement that the CA > revoke the certificate within 24 hours if ‘the subscriber requests in > writing that the CA revoke the Certificate’. Presumably, this is the > subscriber sending an email to the CA’s problem reporting email address. > If so, I would hope that the CA is doing something to confirm that the > email came from the actual Subscriber. If the CA can’t confirm that the > email came from the Subscriber within 24 hours, then what?
I would say that if you can't confirm it's the Subscriber, then the Subscriber has not requested in writing that you revoke the certificate. in other words, the timer starts from the time you validate that the email is genuine, if there is any doubt. If people feel this introduces a loophole, let's think how to fix it. > I think this > requirement would be improved if it allowed the CA to provide an > authenticated Subscriber with a mechanism for revoking the certificate > themselves, possibly in combination with a requirement that the CA > provide a mechanism for the Subscriber to recover lost credentials. I don't think the requirement _forbids_ this, so in that sense the requirement does "allow" it. Instead of "allow", do you actually mean "require"? Gerv _______________________________________________ Public mailing list Public@cabforum.org https://cabforum.org/mailman/listinfo/public
