On 02/05/2009 04:13 PM, Frank Hecker:
> I agree. I think this is a case where it definitely makes sense to have
> this be a requirement. I also think the case of revocation on key
> compromise is relatively clear, and I don't anticipate any major
> problems finding policy language to deal with it.

Terrific!


> However I'd also like us to consider including a requirement that CAs
> revoke certificates when it's clear that validation of subscribers was
> not done or was done wrong, like in the Comodo/CertStar problem or your
> StartCom bug. I don't quite know right now exactly how to word such a
> requirement properly, and I'd like to "beta-test" some language and see
> how it compares to what CAs are claiming in CPSs.

Again from the StartCom CPS (ignoring any ambiguity):

● The subscriber’s private key is lost or suspected to be compromised
● The information in the subscriber’s certificate is suspected to be
inaccurate

Both of the above cover pretty much every possible circumstance for what we care about (payments and other issues aren't something we care about, right?).

Also note the choice of "suspected". In the case of the weak keys, this makes it clear.

> I think it is certainly reasonable to update the policy on an annual
> basis, and I think that should be our minimum target.

I think it should be not more than every half year. Perhaps we can agree on two dates when Mozilla would update the policy. Then every concerned party can check if and of what nature there was an update.


--
Regards

Signer: Eddy Nigg, StartCom Ltd.
Jabber: start...@startcom.org
Blog:   https://blog.startcom.org

--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
