On 2020-11-12 8:38 μ.μ., Ben Wilson wrote:
On Thu, Nov 12, 2020 at 2:57 AM Dimitris Zacharopoulos
<ji...@it.auth.gr <mailto:ji...@it.auth.gr>> wrote:
I believe this information should be the "minimum" accepted
methods of
proving that a Private Key is compromised. We should allow CAs to
accept
other methods without the need to first update their CP/CPS. Do
people
think that the currently proposed language would forbid a CA from
accepting methods that are not explicitly documented in the CP/CPS?
I also think that "parties" is a bit ambiguous, so I would suggest
modifying that to follow the language of the BRs section 4.9.2
"Subscribers, Relying Parties, Application Software Suppliers, and
other
third parties". Here is my proposed change:
"Section 4.9.12 of a CA's CP/CPS MUST clearly specify the methods
(at a
minimum) that Subscribers, Relying Parties, Application Software
Suppliers, and other third parties may use to demonstrate private key
compromise."
Dimitris,
Instead, what about something like, "Section 4.9.12 of a CA's CP/CPS
MUST clearly specify its accepted methods that Subscribers, Relying
Parties, Application Software Suppliers, and other third parties may
use to demonstrate private key compromise. A CA MAY allow additional,
alternative methods that do not appear in section 4.9.12 of its CP/CPS." ?
Ben
That works better. Thank you.
Dimitris.
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
