[cabfpub] [Ticket#2018022801003595] How do you handle mass revocation requests?

Phillip philliph at comodo.com
Thu Mar 1 16:57:38 UTC 2018



From: Ryan Sleevi [mailto:sleevi at google.com] 
Sent: Thursday, March 1, 2018 10:41 AM
To: LeaderTelecom B.V. <info at leadertelecom.nl>; CA/Browser Forum Public Discussion List <public at cabforum.org>
Cc: Phillip <philliph at comodo.com>
Subject: Re: [cabfpub] [Ticket#2018022801003595] How do you handle mass revocation requests?


On Thu, Mar 1, 2018 at 10:34 AM, LeaderTelecom B.V. via Public <public at cabforum.org <mailto:public at cabforum.org> > wrote:

Dear Phillip,

> I don’t understand the reasoning.
> If a cert is bad, it is bad and we need to revoke it. Period, end of story.

I afraid cases when it can affect clients. For example, reseller revoked certificate without permission of client. In this case, client do not have any new certificate and old one. May be they revoked bad certificates, but bulk revocation looks strange. 

Another case: Reseller was hacked and someone revoked all certificates of reseller. Limitations for resellers can protect end users.


Resellers don't have the ability to revoke certificates if they're not the Subscriber (and have not compromised the Subscriber).


Resellers also should not save private keys of clients.


Yes, this is obvious - and no CA should work with a reseller that does do this, especially without consent.


Obvious but asked for repeatedly by folk who do not understand why it is a terrible idea.


There are a few use cases where I can see bulk revocation by a reseller being necessary. One would be the case in which the reseller discovers that a particular IP address, credit card or other common data object is involved in issue of a group of certs. If they issue 1000 certs and ten are used for phishing ten minutes later, delete the lot.


The other case would be where the reseller is issuing certs for a device they make themselves. A cable box, file server or the like. And they discover that they have mucked up the random number generator so they are all bad certs. That has happened multiple times.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20180301/d7e7379d/attachment-0003.html>

More information about the Public mailing list