On Fri, Aug 24, 2018 at 1:42 AM Dimitris Zacharopoulos via Servercert-wg < [email protected]> wrote:
> I'm not sure if this has been discussed before (sorry if I missed did), > but I would like to bring up the fact that there might be Subscribers > who suffer a Key Compromise (like the ones distributed with their own > software or embedded within customer devices), who would be willing to > leave the compromised Certificate/Key out there until they find a way to > replace it (that might take more than 24 hours or 5 days). This is a > case where the Subscriber weighs the impact of Availability in the > security properties of the offered service more than Confidentiality. > I don't agree that the Subscriber's wishes should trump the Relying Parties. Otherwise, we never would have deprecated SHA-1 or RSA-1024. > > If a Subscriber doesn't want their Certificate revoked because that > might have a significant impact/damage in their service Availability, > isn't that something the ecosystem should respect and allow? Shouldn't > this be treated on a case-by-case basis? I would be in favor of entering > clauses in the BRs to allow more than 5 days before revocation for > certain such cases, provided that the CA and the affected Subscriber > would have to disclose the case to the CA/B Forum, as Ryan suggested in > previous discussions. Just disclosing the fact should be enough. It > would just be an additional option for the CAs and the Subscribers that > would improve today's practices. As Jeremy demonstrated, there are > several real cases today, where CAs try to extend the 24hours revocation > window in order to balance that Availability risk for the Subscribers > and -I might add- the Relying Parties that want to have access to the > Subscriber's services. I believe there are RPs out there that value > availability more than confidentiality. I'm not one of them, but... :) > > > Thoughts? > Dimitris. > > > _______________________________________________ > Servercert-wg mailing list > [email protected] > http://cabforum.org/mailman/listinfo/servercert-wg >
_______________________________________________ Public mailing list [email protected] https://cabforum.org/mailman/listinfo/public
