[cabfpub] Ballot 213 - Revocation Timeline Extension

Gervase Markham gerv at mozilla.org
Mon Sep 4 09:22:02 UTC 2017

On 01/09/17 18:51, Wayne Thayer via Public wrote:
> I have a question related to the (unchanged) requirement that the CA
> revoke the certificate within 24 hours if ‘the subscriber requests in
> writing that the CA revoke the Certificate’. Presumably, this is the
> subscriber sending an email to the CA’s problem reporting email address.
> If so, I would hope that the CA is doing something to confirm that the
> email came from the actual Subscriber. If the CA can’t confirm that the
> email came from the Subscriber within 24 hours, then what?

I would say that if you can't confirm it's the Subscriber, then the
Subscriber has not requested in writing that you revoke the certificate.
In other words, the timer starts from the time you validate that the
email is genuine, if there is any doubt. If people feel this introduces
a loophole, let's think how to fix it.

> I think this
> requirement would be improved if it allowed the CA to provide an
> authenticated Subscriber with a mechanism for revoking the certificate
> themselves, possibly in combination with a requirement that the CA
> provide a mechanism for the Subscriber to recover lost credentials.

I don't think the requirement _forbids_ this, so in that sense the
requirement does "allow" it. Instead of "allow", do you actually mean

