[cabfpub] [Ticket#2018022801003595] How do you handle mass revocation requests?
Ryan Sleevi
sleevi at google.com
Thu Mar 1 15:40:58 UTC 2018
On Thu, Mar 1, 2018 at 10:34 AM, LeaderTelecom B.V. via Public <
public at cabforum.org> wrote:
> Dear Phillip,
>
> > I don’t understand the reasoning.
> > If a cert is bad, it is bad and we need to revoke it. Period, end of
> story.
>
> I am afraid of cases when it can affect clients. For example, a reseller revoked
> a certificate without permission of the client. In this case, the client does not have
> any new certificate and old one. Maybe they revoked bad certificates, but
> bulk revocation looks strange.
>
> Another case: Reseller was hacked and someone revoked all certificates of
> reseller. Limitations for resellers can protect end users.
>
Resellers don't have the ability to revoke certificates if they're not the
Subscriber (and have not compromised the Subscriber).
> Resellers also should not save private keys of clients.
>
Yes, this is obvious - and no CA should work with a reseller that does do
this, especially without consent.
>
>
> ---
> Kind regards,
> Aleksei Ivanov
>
> 01/03/2018 16:01 - Phillip wrote:
> I don’t understand the reasoning.
>
> If a cert is bad, it is bad and we need to revoke it. Period, end of story.
>
> This looks like punishing resellers for behavior we want to encourage.
>
>
> *From:* Public [mailto:public-bounces at cabforum.org] *On Behalf Of *LeaderTelecom
> B.V. via Public
> *Sent:* Thursday, March 1, 2018 8:06 AM
> *To:* jeremy.rowley at digicert.com; public at cabforum.org
> *Subject:* Re: [cabfpub] [Ticket#2018022801003595] How do you handle mass
> revocation requests?
>
> It will be great to have daily / monthly limit for revocation for each
> reseller. For example, daily limit 1% from all active certificates (minimum
> 10 pcs). Monthly limit can be 20% from all active certificates of
> partner (minimum 100 pcs, maximum: 1000 pcs.).
>
>
> ---
> Kind regards,
> Aleksei Ivanov
>
>
> 28/02/2018 22:34 - Jeremy Rowley via Public wrote:
> Here’s 10 CSRs that people can correlate with the CT logs. I’ll create
> another 100 or so to dispel any doubt.
>
>
> *From:* Ryan Sleevi <sleevi at google.com>
> *Sent:* Wednesday, February 28, 2018 2:01 PM
> *To:* Geoff Keating <geoffk at apple.com>
> *Cc:* CA/Browser Forum Public Discussion List <public at cabforum.org>;
> Jeremy Rowley <jeremy.rowley at digicert.com>
> *Subject:* Re: [cabfpub] How do you handle mass revocation requests?
>
>
>
> On Wed, Feb 28, 2018 at 3:46 PM, Geoff Keating <geoffk at apple.com> wrote:
>
>
> > On 28 Feb 2018, at 11:08 am, Ryan Sleevi <sleevi at google.com> wrote:
> >
> >
> >
> > On Wed, Feb 28, 2018 at 1:59 PM, Geoff Keating via Public <
> public at cabforum.org> wrote:
> >> This raises a question about the MDSP policy and CAB Forum
> requirements. Who is the subscriber in the reseller relation? We believe
> this to be the key holder. However, the language is unclear.
> >
> > ‘Subscriber’ is a defined term in the BRs:
> > Subscriber: A natural person or Legal Entity to whom a Certificate is
> issued and who is legally bound by a Subscriber Agreement or Terms of Use.
> >
> > That’s pretty clear and can’t be stretched to cover a reseller—a
> reseller won’t be able to comply with a Subscriber Agreement.
> >
> > At the risk of stretching things, I want to point out that taking this
> interpretation requires determining whether or not the Reseller is acting
> as an Applicant Representative during the process.
> >
> > In this case, is the Reseller legally binding the "user" (for lack of
> better word) to a Subscriber Agreement? If so, how does the CA determine
> that the Reseller is an authorized Applicant Representative, and thus
> entitled to legally bind the "user" to the Subscriber Agreement?
>
> There are several ways this could be done. However there is no question
> about the result, because that’s covered by 4.1.2:
> Prior to the issuance of a Certificate, the CA SHALL obtain the following
> documentation from the Applicant:
>
> • A certificate request, which may be electronic; and
>
> • An executed Subscriber Agreement or Terms of Use, which may be
> electronic
>
> So after a CA issues the certificate, it’s easy to find out who the
> Subscriber was (for some definition of ‘who’): you get the CA’s copy of the
> Subscriber Agreement and look for the bit where it says “This is an
> agreement between ______ and <the CA>.” and see what was written in the
> blank. (and yes, it does have to be between the Subscriber and the CA, not
> between the Subscriber and anyone else, see the definition of ‘Subscriber
> Agreement’.)
>
> Right, we're in violent agreement here :)
>
>
> In addition under 9.6.1 item 6, the CA ‘represents and warrants’ that “the
> Subscriber and CA are parties to a legally valid and enforceable Subscriber
> Agreement that satisfies these Requirements…” and under 9.6.3, "The CA
> SHALL implement a process to ensure that each Subscriber Agreement or Terms
> of Use is legally enforceable against the Applicant."
>
> Here's where I'm saying I've seen fuzziness, with respect to the Reseller
> being nominated as an Applicant Representative (effectively), thus binding
> the Agreement between the user (who is now the Subscriber) and <the CA>.
> We've left under-specified how the Applicant Representative is authorized
> (under than 'express authority') - other than the 3.2.5 case.
>
> To be clear: I don't think this is a defensible position, but I'm saying
> that based on how some of the issuance practices (or, more aptly, based on
> complaints we've heard re: various API integrations, including those of
> former CAs no longer members), this does seem an interpretation that some
> have advanced. The CA has defined a process (the Applicant Representative
> agreed), but it's not a very ... good... process. The CA would be at fault,
> but this is where the messiness is.