On Thu, Mar 19, 2020 at 05:30:31AM -0500, Ryan Sleevi wrote:
> On Thu, Mar 19, 2020 at 1:02 AM Matt Palmer via dev-security-policy <
> [email protected]> wrote:
> > 2. If there are not explicit prohibitions already in place, *should* there
> > be? If so, should it be a BR thing, or a Policy thing?
>
> https://github.com/cabforum/documents/issues/171 is filed to explicitly
> track this. That said, I worry the same set of negligent and irresponsible
> CAs will try to advocate for more CA discretion when revoking, such as
> allowing the CA to avoid revoking when they’ve misled the community as to
> what they do (CP/CPS violations) or demonstrated gross incompetence (such
> as easily detected spelling issues in jurisdiction information).
>
> I would hope no CA would be so irresponsible as to try to bring that up
> during such a discussion.

I shall fire up the popcorn maker in preparation.

> > 3. Can a CA be deemed to have "obtained evidence" of key compromise prior
> > to the issuance of a certificate, via a previously-submitted key
> > compromise problem report for the same private key? If so, it would
> > seem that, even if the issuance of the certificate is OK, it is a
> > failure-to-revoke incident if the cert doesn't get revoked within 24
> > hours...
>
> Correct, that was indeed the previous conclusion around this. The CA can
> issue, but then are obligated to revoke within 24 hours.

Excellent, thanks for that confirmation. Incident report inbound.

- Matt

