[cabfpub] Revocation as a domain owner

Josh Aas josh at letsencrypt.org
Tue Jan 23 02:03:11 UTC 2018

It can be very difficult for a CA to determine who is the legal owner
of a domain, thus taking action (e.g. revoking) on that basis creates
significant liability. The BRs should not introduce additional rules
requiring such determinations.

A couple of ideas that don't depend on determining legal ownership:

1) Let anyone revoke a certificate if they can demonstrate control of
the certificate's private key. Let's Encrypt does this, and it has worked
out well.

2) Allow people to revoke certificates if they can re-validate for all
of the domains in the cert. The Let's Encrypt API also allows this.

Both of these methods are clearly defined and can be fully automated.

On Wed, Jan 3, 2018 at 10:59 AM, Wayne Thayer via Public
<public at cabforum.org> wrote:
> Matthias,
> I think you've raised a valid point. I'm working on ballot 213 "Revocation
> Timeline Extension" that makes changes to this section of the BRs, and I
> will draft some language to attempt to address this. If you have any ideas
> on how this requirement should be stated, please let me know.
> Thanks,
> Wayne
>> I can't propose a ballot as I'm not a CAB member but adding the
>> requirement of having to revoke certificates on the domain owner's request
>> should probably be considered.

Josh Aas
Executive Director
Internet Security Research Group
Let's Encrypt: A Free, Automated, and Open CA
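As an added example (not code from this message or from Let's Encrypt's own implementation), a CA-side authorization check in Go for the two methods described above: a revocation is accepted if the request is signed with the certificate's private key, or if every DNS name in the certificate has just been re-validated for the requester. The request format (an ECDSA signature over the certificate DER), the function names and the self-signed sample certificate are assumptions made for this example; ACME's actual revocation message is not reproduced here.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"math/big"
	"time"
)

// Authorize decides a revocation request with no ownership determination: "key"
// if sig verifies under the certificate's own public key (method 1), "revalidation"
// if every DNS name in the certificate was just re-validated (method 2), else "".
func Authorize(certDER, sig []byte, validated map[string]bool) string {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return ""
	}
	// Method 1: proof of key control as an ECDSA/SHA-256 signature over the cert DER (a constructed format, not ACME's).
	if cert.CheckSignature(x509.ECDSAWithSHA256, certDER, sig) == nil {
		return "key"
	}
	// Method 2: every DNS name must be in the re-validated set; a certificate with none is refused.
	revalidated := len(cert.DNSNames) > 0
	for _, name := range cert.DNSNames {
		revalidated = revalidated && validated[name]
	}
	if revalidated {
		return "revalidation"
	}
	return ""
}

// MakeTestCert builds a constructed self-signed ECDSA certificate for names (sample input only).
func MakeTestCert(names []string) (*ecdsa.PrivateKey, []byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: names, NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return key, der, err
}

// SignRevocation is the requester's side of method 1: sign SHA-256 of the certificate DER.
func SignRevocation(key *ecdsa.PrivateKey, certDER []byte) ([]byte, error) {
	digest := sha256.Sum256(certDER)
	return ecdsa.SignASN1(rand.Reader, key, digest[:])
}
```

A signature made with any other key, or a re-validation covering only some of the certificate's names, is refused; neither path asks who legally owns the domain.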
