(Everything below is my personal opinion, not the opinion of my employer.) On Fri, May 24, 2024 at 1:58 PM Mike Shaver <[email protected]> wrote:
> Is it permissible for a CA to issue a certificate to a Subscriber when
> they know that this Subscriber does not, in fact, acknowledge and accept
> item 8?

I think there is a subtlety here: just because a Subscriber "acknowledges and accepts that the CA is entitled to revoke the certificate immediately" doesn't mean they're actually ready to deal with the fallout of the CA actually doing so. Just because I acknowledge and accept that those close to me will one day pass away, I know I'm certainly not ready to actually manage their wills!

On the whole, I certainly agree with your sentiment here: Subscribers who cannot replace a certificate in less than 5 days are not protecting the privacy and the security of their users, and either need to improve their response time or investigate non-WebPKI solutions. And CAs which knowingly issue to such Subscribers (perhaps because that Subscriber has failed to replace a certificate in a prior incident) are asking for trouble.

But I also think that issuing to such a Subscriber is not necessarily itself a misissuance. The Subscriber has agreed to a legally binding Subscriber Agreement which includes the necessary warranties. It is not *necessarily* the CA's fault -- though it is their problem -- that the Subscriber has failed to understand the full ramifications of that warranty.

Aaron

--
You received this message because you are subscribed to the Google Groups "CCADB Public" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To view this discussion on the web visit https://groups.google.com/a/ccadb.org/d/msgid/public/CAEmnEre6Ntr8gaF0V2pYDmJ2u%2BTaZ-PVFBUEDcnhsvH4jtC_0Q%40mail.gmail.com.
