[cabfpub] Draft Ballot 186 - Limiting the Reuse of Validation Information
Ryan Sleevi
sleevi at google.com
Wed Feb 1 18:47:08 UTC 2017
On Wed, Feb 1, 2017 at 2:13 AM, Gervase Markham via Public <
public at cabforum.org> wrote:
> On 01/02/17 10:05, Stephen Davidson via Public wrote:
> > I agree with Peter's point: a revocation should not automatically
> > require a re-vetting of Org or Domain details as most revocations occur
> > from "good housekeeping" with keys rather than a failure of underlying
> > vetting.
>
> I see the problem there. Would it work to narrow that particular bullet
> to certain revocation reasons (perhaps by reference to the list of
> revocation reasons elsewhere in the BRs)?
>
I'd actually like to approach it as a whitelist, rather than the implied
blacklist.
That is, what are specific reasons for revocation that don't invalidate
domain registration data? Obviously, key rotation is one.
I'm more hesitant to suggest "Subject Information hasn't changed" is a
valid reason. On the one hand, it truly makes sense if the revocation was,
say, for cessationOfOperation, but I don't think we'd want a certificate
that was revoked in response to a "Certificate Problem Report" being
reissued *with the exact same details* without going through some form of
validation.
So I encourage CAs to list reasons that they might revoke a certificate,
beyond keyCompromise, but which we (the relying parties and browsers) can
be reasonably assured that the CA does not need to revalidate domain
information.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20170201/48182060/attachment-0003.html>
More information about the Public
mailing list