On Wed, Jun 22, 2016 at 3:31 PM, Peter Bowen <pzbo...@gmail.com> wrote:
> On Wed, Jun 22, 2016 at 11:19 AM, Ryan Sleevi <r...@sleevi.com> wrote: > > On Wed, Jun 22, 2016 at 8:21 AM, Ben Wilson <ben.wil...@digicert.com> > wrote: > >> It seems to me that requiring the registration of these subordinate CAs > bloats the Salesforce database unnecessarily. > > > > We've historically been at a chronic lack of data, rather than a > > chronic glut. I think we should definitely err on the side of too much > > - which would be a wonderful problem to have. > > > > As Eric (Mill) mentioned, revocation in practice is a complex and > > tricky thing. Having the data disclosed enables better tooling and > > better informs how best to handle revocation in practice. It also > > helps provide data for future bugs and incidents, by better informing > > scope of impact. > > It might not be possible to get the data for subordinates under a > revoked certificate, as the CA may have terminated their relationship > with the organization they cross-signed. It could even be that the > reason for the revocation was that the former sub failed to produce an > audit back when the rule that subs needed audits was phased in. What > to do in this case? > Perhaps we could err on the side of disclosing subordinates under a revoked certificate, with exceptions allowed for these cases. --Richard > _______________________________________________ > dev-security-policy mailing list > dev-security-policy@lists.mozilla.org > https://lists.mozilla.org/listinfo/dev-security-policy > _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy