It can be very difficult for a CA to determine who is the legal owner of a domain, thus taking action (e.g. revoking) on that basis creates significant liability. The BRs should not introduce additional rules requiring such determinations.
A couple of ideas that don't depend on determining legal ownership: 1) Let anyone revoke a certificate if they can demonstrate control of the certificate's private key. Let's Encrypt does this, it has worked out well. 2) Allow people to revoke certificates if they can re-validate for all of the domains in the cert. The Let's Encrypt API also allows this. Both of these methods are clearly defined and can be fully automated. On Wed, Jan 3, 2018 at 10:59 AM, Wayne Thayer via Public <[email protected]> wrote: > Matthias, > > I think you've raised a valid point. I'm working on ballot 213 "Revocation > Timeline Extension" that makes changes to this section of the BRs, and I > will draft some language to attempt to address this. If you have any ideas > on how this requirement should be stated, please let me know. > > Thanks, > > Wayne >> >> >> I can't propose a ballot as I'm not a CAB member but adding the >> requirement of having to revoke certificates on the domain owner's request >> should probably be considered. >> >> > > > > _______________________________________________ > Public mailing list > [email protected] > https://cabforum.org/mailman/listinfo/public > -- Josh Aas Executive Director Internet Security Research Group Let's Encrypt: A Free, Automated, and Open CA _______________________________________________ Public mailing list [email protected] https://cabforum.org/mailman/listinfo/public
