From: Ryan Sleevi [mailto:[email protected]]
Sent: Thursday, March 1, 2018 10:41 AM
To: LeaderTelecom B.V. <[email protected]>; CA/Browser Forum Public Discussion List <[email protected]>
Cc: Phillip <[email protected]>
Subject: Re: [cabfpub] [Ticket#2018022801003595] How do you handle mass revocation requests?

On Thu, Mar 1, 2018 at 10:34 AM, LeaderTelecom B.V. via Public <[email protected]> wrote:

> Dear Phillip,
>
> > I don't understand the reasoning.
> > If a cert is bad, it is bad and we need to revoke it. Period, end of story.
>
> I am afraid of cases where it can affect clients. For example, a reseller revoked a certificate without the permission of the client. In this case, the client has neither a new certificate nor the old one. Maybe they revoked bad certificates, but bulk revocation looks strange.
>
> Another case: a reseller was hacked and someone revoked all certificates of the reseller.
>
> Limitations for resellers can protect end users.

Resellers don't have the ability to revoke certificates if they're not the Subscriber (and have not compromised the Subscriber).

> Resellers also should not save private keys of clients.

Yes, this is obvious - and no CA should work with a reseller that does do this, especially without consent.

Obvious but asked for repeatedly by folk who do not understand why it is a terrible idea.

There are a few use cases where I can see bulk revocation by a reseller being necessary. One would be the case in which the reseller discovers that a particular IP address, credit card or other common data object is involved in the issuance of a group of certs. If they issue 1000 certs and ten are used for phishing ten minutes later, delete the lot.

The other case would be where the reseller is issuing certs for a device they make themselves: a cable box, file server or the like. And they discover that they have mucked up the random number generator so they are all bad certs. That has happened multiple times.
_______________________________________________
Public mailing list
[email protected]
https://cabforum.org/mailman/listinfo/public
