Yes - please share the details with me as I am very surprised to hear that. I
know the DigiCert agreements I've seen don't permit revocation because of 
termination so whoever (if anyone) is saying that is contradicting the actual 
agreement. Threatening revocation because of termination or revoking upon 
termination also violates our internal policies - certs issued are good for the 
duration of the cert, even if the console agreement terminates.  

Since I'm sure we haven't actually revoked because of termination, please send 
me the details of the threats and I'll take care of them. 


-----Original Message-----
From: dev-security-policy <dev-security-policy-boun...@lists.mozilla.org> On 
Behalf Of Nick France via dev-security-policy
Sent: Tuesday, March 17, 2020 11:27 AM
To: Mozilla <mozilla-dev-security-pol...@lists.mozilla.org>
Subject: Re: Terms and Conditions that use technical measures to make it 
difficult to change CAs

On Monday, March 16, 2020 at 9:06:33 PM UTC, Tim Hollebeek wrote:
> Hello,
> 
> I'd like to start a discussion about some practices among other 
> commercial CAs that have recently come to my attention, which I 
> personally find disturbing.  While it's perfectly appropriate to have 
> Terms and Conditions associated with digital certificates, in some 
> circumstances, those Terms and Conditions seem explicitly designed to 
> prevent or hinder customers who wish to switch to a different 
> certificate authority.  Some of the most disturbing practices include 
> the revocation of existing certificates if a customer does not renew 
> an agreement, which can really hinder a smooth transition to a new 
> provider of digital certificates, especially since the customer may 
> not have anticipated the potential impact of such a clause when they 
> first signed the agreement.  I'm particularly concerned about this 
> behavior because it seems to be an abuse of the revocation system, and 
> imposes costs on everyone who is trying to generate accurate and efficient 
> lists of revoked certificates (e.g. Firefox).
> 
> I'm wondering what the Mozilla community thinks about such practices.
> 
> -Tim

Tim,

Completely agree on your statement that it's a disturbing practice. We've sadly 
come across it several times in the past 12-18 months, leading to problems for 
the customer and of course lost business for us as they inevitably decide to 
remain with the incumbent CA when faced with a hard deadline for certificate 
revocation - regardless of the natural expiry dates.
Your points about the impact and costs to the wider ecosystem ring true, as 
well.
Revocation should not be used to punish those wishing to migrate CAs. We 
certainly don't do it.

More troubling is that each time it's either been mentioned early in 
discussions or has caused a business discussion to cease at a late stage - it's 
been DigiCert that was the current CA and they/you participated in this 
practice of threatening revocation of certificates well before expiry due to 
contract termination.

I have at least 5 major global enterprises that this has happened to recently.

Am happy to share more details privately if you wish to discuss.


Nick
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy