On 16/05/17 02:26, userwithuid wrote:
> After skimming the responses and checking a few CAs, I'm starting to
> wonder: Wouldn't it be easier to just add another mandatory field to
> the CCADB (e.g. "revocation contact"), requiring $URL or $EMAIL via
> policy and just use that to provide a public list?

Well, such contacts are normally per CA rather than per root. I guess we could add it on the CA's entry.

> It seems to me that most revocation related procedures are very
> specific to CA-customers (e.g. log in and use the revoke button) and
> often not even TLS related (e.g. send a document signed with key you
> want to revoke, use the revocation password you got when creating the
> email cert, ...). I think it's not your intention for the wiki page
> to capture that, or is it?

Well, I want to make sure that people who want to report e.g. a bad cert found in the wild know where to go. This was triggered by an event where Microsoft wanted to report something to GoDaddy (IIRC) but using the wrong contact.

> IMHO, a wiki page with manually copied info has a good chance to get
> stale as CAs change their documents, websites, primary domains, etc.

It's true, but the other option is "dig in my CP/CPS". Also, I had hoped that the question itself would remind CAs that this information needed to be there, and prompt any for which it wasn't there to fix it :-)

Gerv