Ian G wrote re revocation on compromise:
I happen to be in that area at the moment as I am reading CAcert against the criteria, so I will pass on their CPS [2]:
Thanks for this info!
Certificates may be revoked under the following circumstances:
1. As initiated by the Subscriber through her online account.
2. As initiated in an emergency action by a support team member. Such action will immediately be referred to dispute resolution for ratification.
3. Under direction from the Arbitrator in a duly ordered ruling from a filed dispute.
I'm guessing that item 2 would cover a case where CAcert became aware of a key compromise and for whatever reason the subscriber did not initiate a revocation request. (I guess a third party could also initiate a complaint with respect to a compromised key, but for something like the Debian case I don't see it as necessary, since the facts were known to all.)
Frank
--
Frank Hecker
hec...@mozillafoundation.org