[cabfpub] 9.6.3 and Private Key use

Ben Wilson ben.wilson at digicert.com
Mon Jun 20 18:28:25 UTC 2016


What about this?

Reporting and Revocation: An obligation and warranty to: (a) promptly cease using a Certificate and its associated Private Key if there is any actual or suspected misuse or compromise of the Subscriber’s Private Key associated with the Public Key included in the Certificate; and (b) to promptly request the CA to revoke the Certificate, in the event of (a), or if any information in the Certificate is, or becomes, incorrect or inaccurate.


-----Original Message-----
From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Josh Aas
Sent: Monday, June 20, 2016 12:08 PM
To: CABFPub <public at cabforum.org>
Subject: [cabfpub] 9.6.3 and Private Key use

BR Section 9.6.3 point 5 says:

"Reporting and Revocation: An obligation and warranty to promptly cease using a Certificate and its associated Private Key, and promptly request the CA to revoke the Certificate, in the event that: (a) any information in the Certificate is, or becomes, incorrect or inaccurate, or (b) there is any actual or suspected misuse or compromise of the Subscriber’s Private Key associated with the Public Key included in the Certificate;"

There is a problem here, which is that this requires a subscriber to stop using a private key just because information in a certificate is inaccurate or incorrect. People should stop using a cert with inaccurate or incorrect information, but they shouldn't be required to stop using a key pair unless there is known or suspected compromise.

This is particularly problematic for HPKP.

I'd like to see this get fixed. Thoughts?

--
Josh Aas
Executive Director
Internet Security Research Group
Let's Encrypt: A Free, Automated, and Open CA