On Mon, 2 Mar 2020 13:48:55 +1100 Matt Palmer via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
> In my specific case, I've been providing a JWS[1] signed by the
> compromised private key, and CAs are telling me that they can't (or
> won't) work with a JWS, and thus no revocation is going to happen.
> Is this a reasonable response?

I don't hate JWS, but I can see Ryan's point of view on this. Not every "proof" is easy to definitively assess, and a CA doesn't want to get into the game of doing detailed forensics on (perhaps) random unfounded claims.

Maybe it makes sense for Mozilla to provide in its policy (without limiting what else might be accepted) an example method of demonstrating Key Compromise which it considers definitely sufficient?

I'd also be comfortable with such an example in the BRs, if people think that's the right place to do this.

Nick.