On Tuesday, August 8, 2017 at 7:03:19 PM UTC-5, Jeremy Rowley wrote:
> 24 hours is super short when it's a Saturday morning at 4 am and it’s a
> European government entity. I agree that is what the policy says now, but,
> for lower risk items, the policy should change, preferably to at least one
> business day.

It is short, but any CA possessing global trust should already have procedures in place for handling revocation in a prompt manner. It seems odd that it would be onerous for them to revoke a non-compliant certificate. The only difference is a need to confirm to the CA's satisfaction that the given certificate is in violation of the BRs, which I would expect any competent CA to be eminently capable of doing.

-Paul

