After skimming the responses and checking a few CAs, I'm starting to wonder: 
Wouldn't it be easier to just add another mandatory field to the CCADB (e.g. 
"revocation contact"), requiring $URL or $EMAIL via policy and just use that to 
provide a public list?

It seems to me that most revocation-related procedures are very specific to 
CA-customers (e.g. log in and use the revoke button) and often not even 
TLS-related (e.g. send a document signed with the key you want to revoke, use 
the revocation password you got when creating the email cert, ...). I think 
it's not your intention for the wiki page to capture that, or is it?

From what I can see, for non-customers the "instructions" - if there are any - 
really seem to amount to: A) Send email with cert info + reason you suspect 
misuse, we'll check or B) use web form to do the same.

IMHO, a wiki page with manually copied info has a good chance to get stale as 
CAs change their documents, websites, primary domains, etc.

(That being said, trying to use CPS URLs from the CCADB [0] I got some 404s and 
some 30* lead nowhere as well. Also some CAs link an outdated version when the 
website has a WAY more recent one, though that might be because of the English 
vs native lang situation. Point is, CCADB entries might also be outdated, but 
at least that will be a policy violation now, right?).

[0] https://mozillacaprogram.secure.force.com/CA/IncludedCACertificateReport
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
