[cabfpub] 9.6.3 and Private Key use

Josh Aas josh at letsencrypt.org
Mon Jun 20 18:08:01 UTC 2016


BR Section 9.6.3 point 5 says:

"Reporting and Revocation: An obligation and warranty to promptly
cease using a Certificate and its associated Private Key, and promptly
request the CA to revoke the Certificate, in the event that: (a) any
information in the Certificate is, or becomes, incorrect or
inaccurate, or (b) there is any actual or suspected misuse or
compromise of the Subscriber’s Private Key associated with the Public
Key included in the Certificate;"

There is a problem here, which is that this requires a subscriber to
stop using a private key just because information in a certificate is
inaccurate or incorrect. People should stop using a cert with
inaccurate or incorrect information, but they shouldn't be required to
stop using a key pair unless there is known or suspected compromise.

This is particularly problematic for HPKP.

I'd like to see this get fixed. Thoughts?

-- 
Josh Aas
Executive Director
Internet Security Research Group
Let's Encrypt: A Free, Automated, and Open CA


