On Tue, Jun 18, 2024 at 6:41 PM Watson Ladd <[email protected]> wrote: > > Hello, > > In a discussion on Bugzilla we approached the following hypothetical scenario: > 1: A CA believes they have miss-issued a certificate > 2: They fail to revoke in 5 days > 3: They discover that in fact they issued correctly. > > My question is simple: is the failure to timely revoke a violation of > the baseline requirements? I believe it is for the following reason. A > CAs past behavior is an indication of the degree future trust that can > be put in it. How it acts in this case is evidence of how it acts with > other mississuance cases. It also seems to add a great deal of moral > luck if the reason there wasn't a problem was unknown to the CA. > Imagine that they thought DNS validation wasn't working properly, but > in fact there had been proper DNS checks working all during that time. > They would be safe by accident. I do see how one could read the BRs > otherwise, but I don't think that's as good a reading.
I think the important part to inflect upon is the CA's belief from [0-5] days. That's the time the CA and community believed the certificate was mis-issued, and the revocation should have occured. If the certificate in question expired on day 6, would that change the fact it was not revoked within 5 days? Jeff -- You received this message because you are subscribed to the Google Groups "CCADB Public" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/a/ccadb.org/d/msgid/public/CAH8yC8kiWKTfMZRVr6UOamiy7jHUzw1dcUxzi97ezFawZoZrBA%40mail.gmail.com.
