On Sat, Nov 14, 2020 at 09:42:48PM +0000, Nick Lamb via dev-security-policy 
wrote:
> This boilerplate does not actually achieve any of those things, and
> you've offered no evidence that it could do so. If anything it
> encourages CAs *not* to actually offer what we wanted: a clearly
> documented but secure way to submit acceptable proof of key compromise.
> Why not? It will be easier to write only "Any method at our discretion"
> to fulfil this requirement and nothing more, boilerplate which
> apparently makes you happy but doesn't help the ecosystem.

Whilst it wouldn't make me *happy* to see such boilerplate, it would at
least serve to make it clear which CAs were just painting by numbers, as
opposed to those which understand their own operations and are willing to
meaningfully document them.  It would also serve as a suitable jumping-off
point for a discussion amongst trust stores (well, Mozilla at least) when a
key compromise revocation request is rejected by a CA as to how good, bad,
or otherwise a CA's discretion is.

- Matt

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
