On 2020-03-19 07:02, Matt Palmer wrote:
> 2. If there are not explicit prohibitions already in place, *should* there be? If so, should it be a BR thing, or a Policy thing?
I think there should be. I expect them to publish a CRL that says the reason for revocation is a key compromise. I expect them to check for other keys with the same public key at that time, and also revoke them. Before signing a new key, I expect them to have checked it against their list of previously reported key compromises.
Kurt

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
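The handling Kurt describes, as an added example in Python that is not code from the list or from any CA: certificates are indexed by their public key (SPKI fingerprint), so a compromise report revokes every certificate carrying that key with CRL reason keyCompromise, and the key is then refused at issuance time. The serials, subjects and key bytes are constructed stand-ins.

```python
# Key-compromise handling as the post sketches: revoke every cert sharing the compromised key
# (CRL reason keyCompromise) and refuse to sign it again. Added, constructed example; not CA code.
import hashlib
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple
KEY_COMPROMISE = 1  # CRLReason keyCompromise, RFC 5280 section 5.3.1

def spki_fingerprint(spki_der: bytes) -> str:
    # Match on SHA-256 of the DER SubjectPublicKeyInfo: the key itself, not any one cert.
    return hashlib.sha256(spki_der).hexdigest()

@dataclass
class Cert:
    serial: int
    subject: str
    spki_der: bytes
    revoked_reason: Optional[int] = None

@dataclass
class CA:
    issued: List[Cert] = field(default_factory=list)
    compromised_keys: Set[str] = field(default_factory=set)
    crl: List[Tuple[int, int]] = field(default_factory=list)  # (serial, reason code)

    def issue(self, subject: str, spki_der: bytes) -> Optional[Cert]:
        if spki_fingerprint(spki_der) in self.compromised_keys:
            return None  # checked before signing: a reported key is refused
        cert = Cert(len(self.issued) + 1, subject, spki_der)
        self.issued.append(cert)
        return cert

    def report_key_compromise(self, spki_der: bytes) -> List[int]:
        fp = spki_fingerprint(spki_der)
        self.compromised_keys.add(fp)  # remembered for all future requests
        revoked = []
        for cert in self.issued:  # every cert with this key, whatever its subject
            if cert.revoked_reason is None and spki_fingerprint(cert.spki_der) == fp:
                cert.revoked_reason = KEY_COMPROMISE
                self.crl.append((cert.serial, KEY_COMPROMISE))
                revoked.append(cert.serial)
        return revoked

def demo() -> Tuple[List[int], List[Tuple[int, int]], bool]:
    ca = CA()
    key_a = b"constructed-spki-der-A"  # stands in for a real DER SPKI blob
    ca.issue("example.test", key_a)
    ca.issue("other.example.test", key_a)  # different subject, same key
    ca.issue("unrelated.test", b"constructed-spki-der-B")  # untouched by the report
    revoked = ca.report_key_compromise(key_a)
    rejected = ca.issue("again.example.test", key_a) is None  # key is now refused
    return revoked, ca.crl, rejected  # ([1, 2], [(1, 1), (2, 1)], True)
```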