On 4/2/09 18:09, Frank Hecker wrote:

> Now, with regard to making this a formal policy requirement, I have the
> following questions:
>
> 1. To what extent do typical CPSs and CPs address this issue? In other
> words, if we were to read the average CPS/CP, would it have language
> that would unambiguously tell us whether our policy requirement were met
> or not? Or is this something that's typically ambiguous and left to CAs'
> discretion, or that CAs are prohibited from unilaterally doing under the
> terms of their subscriber agreements? (E.g., CA can revoke only at the
> subscriber's request.)


To be honest, I do not know what the "typical" CPS would say here [1].

I happen to be in that area at the moment as I am reading CAcert against the criteria, so I will pass on their CPS [2]:


====================
  4.9.1. Circumstances for revocation

  Certificates may be revoked under the following circumstances:

     1. As initiated by the Subscriber through her online account.
     2. As initiated in an emergency action by a support team member.
     Such action will immediately be referred to dispute resolution
     for ratification.
     3. Under direction from the Arbitrator in a duly ordered
     ruling from a filed dispute.

  These are the only three circumstances under which a revocation
  occurs.
====================


> 2. Assuming a CA becomes aware of a compromised key and doesn't revoke
> it, what courses of action are open to us other than pulling the CA's
> root?


According to CAcert's policies on dispute resolution [3]:

=====================
  1.1  Filing Party

  Anyone may file a dispute. In filing, they become Claimants.
=====================

(Anyone is meant broadly, as other text makes clear.)



iang, back to reviewing criteria (yawn!)



[1] This is partly deliberate; over at CAcert I have encouraged the practice of not reading others' documents until they have finished their own.

[2] Their CPS is only "work-in-progress" which means it has no standing. However I can strongly suggest that the above text is reliable for this conversation.
https://svn.cacert.org/CAcert/policy.htm#p4.9.1

[3] DRP is at http://www.cacert.org/policy/DisputeResolutionPolicy.php and it is solid POLICY status.
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto