Re: When should honest subscribers expect sudden (24 hours / 120 hours) revocations?

2019-01-02 Thread Jakob Bohm via dev-security-policy
Happy new year, On 30/12/2018 01:32, Peter Bowen wrote: > > > On Thu, Dec 27, 2018 at 8:43 PM Jakob Bohm via dev-security-policy > > wrote: > > So absent a bad CA, I wonder where there is a rule that subscribers > should be ready to

Re: When should honest subscribers expect sudden (24 hours / 120 hours) revocations?

2018-12-30 Thread Nick Lamb via dev-security-policy
On Sat, 29 Dec 2018 16:32:46 -0800 Peter Bowen via dev-security-policy wrote: > Consider the following cases: > > - A company grows and moves to larger office space down the street. > It turns out that the new office is in a different city even though > the move was only two blocks away. The

Re: When should honest subscribers expect sudden (24 hours / 120 hours) revocations?

2018-12-29 Thread Peter Bowen via dev-security-policy
On Thu, Dec 27, 2018 at 8:43 PM Jakob Bohm via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > So absent a bad CA, I wonder where there is a rule that subscribers > should be ready to quickly replace certificates due to actions far > outside their own control. Consider

Re: When should honest subscribers expect sudden (24 hours / 120 hours) revocations?

2018-12-29 Thread Matt Palmer via dev-security-policy
On Sat, Dec 29, 2018 at 06:26:09PM -0500, Lee via dev-security-policy wrote: > On 12/29/18, Ryan Sleevi wrote: > > On Sat, Dec 29, 2018 at 10:24 AM Lee wrote: > > > >> > It does not seem like a productive discussion will emerge if the > >> > ontology > >> > is going to be honest/dishonest

Re: When should honest subscribers expect sudden (24 hours / 120 hours) revocations?

2018-12-29 Thread Lee via dev-security-policy
On 12/29/18, Ryan Sleevi wrote: > On Sat, Dec 29, 2018 at 10:24 AM Lee wrote: > >> > It does not seem like a productive discussion will emerge if the >> > ontology >> > is going to be honest/dishonest participants. >> >> I think it's an excellent distinction. An honest subscriber won't >>

Re: When should honest subscribers expect sudden (24 hours / 120 hours) revocations?

2018-12-29 Thread Ryan Sleevi via dev-security-policy
On Sat, Dec 29, 2018 at 10:24 AM Lee wrote: > > It does not seem like a productive discussion will emerge if the ontology > > is going to be honest/dishonest participants. > > I think it's an excellent distinction. An honest subscriber won't > deliberately attempt to spread malware. But I like

Re: When should honest subscribers expect sudden (24 hours / 120 hours) revocations?

2018-12-29 Thread Jakob Bohm via dev-security-policy
On 29/12/2018 15:32, Ryan Sleevi wrote: > On Fri, Dec 28, 2018 at 11:21 PM Jakob Bohm via dev-security-policy < > dev-security-policy@lists.mozilla.org> wrote: > >>> My guess is all CAs have something like >>> https://www.digicert.com/certificate-terms/ >>> 15. Certificate Revocation.

Re: When should honest subscribers expect sudden (24 hours / 120 hours) revocations?

2018-12-29 Thread Lee via dev-security-policy
On 12/29/18, Ryan Sleevi via dev-security-policy wrote: > On Fri, Dec 28, 2018 at 11:21 PM Jakob Bohm via dev-security-policy < > dev-security-policy@lists.mozilla.org> wrote: > >> > My guess is all CAs have something like >> >https://www.digicert.com/certificate-terms/ >> > 15. Certificate

Re: When should honest subscribers expect sudden (24 hours / 120 hours) revocations?

2018-12-29 Thread Lee via dev-security-policy
On 12/28/18, Jakob Bohm via dev-security-policy wrote: > On 28/12/2018 19:44, Lee wrote: >> On 12/27/18, Jakob Bohm via dev-security-policy >> wrote: >>> Looking at the BRs, specifically BR 4.9.1, the reasons that can lead >>> to fast revocation fall into a few categories / groups: >> <..

Re: When should honest subscribers expect sudden (24 hours / 120 hours) revocations?

2018-12-29 Thread Ryan Sleevi via dev-security-policy
On Fri, Dec 28, 2018 at 11:21 PM Jakob Bohm via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > > My guess is all CAs have something like > >https://www.digicert.com/certificate-terms/ > > 15. Certificate Revocation. DigiCert may revoke a Certificate without > > notice

Re: When should honest subscribers expect sudden (24 hours / 120 hours) revocations?

2018-12-28 Thread Jakob Bohm via dev-security-policy
On 28/12/2018 19:44, Lee wrote: > On 12/27/18, Jakob Bohm via dev-security-policy > wrote: >> Looking at the BRs, specifically BR 4.9.1, the reasons that can lead >> to fast revocation fall into a few categories / groups: > <.. snip ..> >> So absent a bad CA, I wonder where there is a rule

Re: When should honest subscribers expect sudden (24 hours / 120 hours) revocations?

2018-12-28 Thread Lee via dev-security-policy
On 12/27/18, Jakob Bohm via dev-security-policy wrote: > Looking at the BRs, specifically BR 4.9.1, the reasons that can lead > to fast revocation fall into a few categories / groups: <.. snip ..> > So absent a bad CA, I wonder where there is a rule that subscribers > should be ready to

When should honest subscribers expect sudden (24 hours / 120 hours) revocations?

2018-12-27 Thread Jakob Bohm via dev-security-policy
Looking at the BRs, specifically BR 4.9.1, the reasons that can lead to fast revocation fall into a few categories / groups: (I will reference the numbered items with 24 hour limit as A#, the numbered items with 120 hour limit as B# and the numbered items in 4.9.1.2 as C#). (Some of the