[cabfpub] [Ext] How do you handle mass revocation requests?

Phillip philliph at comodo.com
Fri Mar 2 15:46:08 UTC 2018 

I have proposed this as an AOB topic for LAMPS.

On the wider problem, please remember I do not work for ComodoCA and have no more information on this than anyone else. I do find some aspects of the situation troubling though not necessarily the ones others are finding troubling.

That a reseller had access to so many private keys was a shock until I realized that this is probably a feature of someone's management package used by hosting companies, 'click here to export all private keys in a file'. One of the reasons security architects are not necessarily the best crackers is that we stay safe by not creating utterly terrible shoot-me-in-the-foot features.

There are measures that we could implement that would allow Web Site hosting companies the management features they need without leaving a loaded gun.


The other issue that concerns me is the naming of a third party in a security incident report. Was the counterparty notified? Was their permission to be named obtained? Was a responsible disclosure policy followed?

Now we have the press discussing the issue and not necessarily on the basis of the full facts.


-----Original Message-----
From: Paul Hoffman [mailto:paul.hoffman at icann.org] 
Sent: Friday, March 2, 2018 10:14 AM
To: philliph at comodo.com; CA/Browser Forum Public Discussion List <public at cabforum.org>
Subject: Re: [Ext] [cabfpub] How do you handle mass revocation requests?

On Mar 2, 2018, at 6:04 AM, philliph--- via Public <public at cabforum.org> wrote:
> 
> Going back to the original question.
> 
> We have a format for a certificate request (well a few actually). Do we have a PKIX feature that can be used to allow a key holder to request revocation? I can’t think of a PKIX standard for one

I'm 99% sure that Phill is correct here. We discussed "suicide notes" in PKIX a few times over the decades, and I believe we never came to any conclusion. If such a format has been standardized, I can't find it easily by searching.

> and it does appear to be a missing feature.

In a world where you might have bought a certificate from a CA or, in particular, a reseller with whom you might no longer be able to communicate (such as if they go out of business), being able to create a signed request with proof-of-possesion of the private key would be a valuable feature for the Web PKI.

--Paul Hoffman

More information about the Public mailing list