You're right, Matt. Naming things is hard, but accurate naming is worth striving for. I renamed it from Certificate Revocation Request (CRR) to Key Compromise Request (KCR) just before I clicked send. I suppose Certificate Revocation For Key Compromise Request (CRFKCR) would have been a more accurate term; that just rolls off the tongue, doesn't it? 😉

________________________________
From: dev-security-policy@mozilla.org <dev-security-policy@mozilla.org> on behalf of Matt Palmer <mpal...@hezmatt.org>
Sent: 04 February 2022 04:53
To: dev-security-policy@mozilla.org <dev-security-policy@mozilla.org>
Subject: Re: Revocation Reason Codes for TLS End-Entity Certificates
On Fri, Feb 04, 2022 at 12:20:16AM +0000, Rob Stradling wrote:
> 1. Self-sign some sort of "Key Compromise Request" (KCR) that a CA can
> unambiguously treat as a declaration of key compromise by a holder of that
> key. Ideally a KCR would be a new type of object that can't be parsed as
> a CSR (e.g., see
> https://secure.sectigo.com/products/RevocationPortalDetails?action=2a);

That's not a Key Compromise Request, because it requires an issued certificate. It's impossible to generate such a Key Compromise Request without an already-issued certificate.

> or, as some folks have done, a KCR could be a CSR that contains some sort
> of textual indication of intent such as "subject:CN=This CSR is intended
> to prove key compromise".

Such as https://github.com/pwnedkeys/key-compromise-attestation-rfc.

- Matt

--
You received this message because you are subscribed to the Google Groups "dev-security-policy@mozilla.org" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dev-security-policy+unsubscr...@mozilla.org.
To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/20220204045325.GB11647%40hezmatt.org.

--
To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/MW4PR17MB4729E8AA409F350BD2B6A414AA299%40MW4PR17MB4729.namprd17.prod.outlook.com.
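The CSR-style KCR that Rob's quoted message describes (a CSR whose subject CN states the intent to prove key compromise) can be checked by a CA in two separate steps, which is also what Matt's objection turns on: the self-signature and the marker can be validated with no certificate in hand, and only afterwards is the key matched against issued certificates. The script below is an added example written for this page; it is not code from the thread, from Sectigo or from the pwnedkeys project. It assumes the openssl command-line tool is installed, takes the marker string from the quoted text, and constructs its own keys plus a self-signed certificate that stands in for a CA-issued leaf.

```shell
#!/bin/sh
# Added example (not from the thread): build a CSR-style Key Compromise Request
# and check it the way a CA might. Assumes the openssl CLI is installed.
# Keys, the stand-in certificate and the marker are constructed for this demo.
set -e

MARKER="This CSR is intended to prove key compromise"   # wording from the thread
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_kcr KEY OUT: self-sign a CSR whose subject CN is the intent marker.
# Only a holder of the private key can produce a CSR with a valid self-signature.
make_kcr() {
    openssl req -new -key "$1" -subj "/CN=$MARKER" -out "$2" 2>/dev/null
}

# pubkey_fingerprint req|x509 FILE: SHA-256 over the DER SubjectPublicKeyInfo,
# so a CSR key and a certificate key can be compared regardless of encoding.
pubkey_fingerprint() {
    openssl "$1" -in "$2" -noout -pubkey 2>/dev/null \
        | openssl pkey -pubin -outform DER 2>/dev/null \
        | openssl dgst -sha256 | sed 's/^.*= *//'
}

# check_kcr CSR: returns 0 if the self-signature verifies AND the CN carries the
# marker. No certificate is needed, so this works before any cert is issued.
check_kcr() {
    openssl req -in "$1" -noout -verify >/dev/null 2>&1 || return 1
    subj=$(openssl req -in "$1" -noout -subject 2>/dev/null)
    case "$subj" in
        *"$MARKER"*) return 0 ;;
        *) return 1 ;;
    esac
}

# kcr_matches_cert CSR CERT: returns 0 if the KCR is valid and its public key is
# the certificate's key, i.e. CERT must be revoked with reason keyCompromise.
kcr_matches_cert() {
    check_kcr "$1" || return 1
    [ "$(pubkey_fingerprint req "$1")" = "$(pubkey_fingerprint x509 "$2")" ]
}

# --- constructed demo material ---
openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/compromised.key" 2>/dev/null
openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/other.key" 2>/dev/null
# A self-signed certificate stands in for a CA-issued leaf on the compromised key.
openssl req -x509 -new -key "$WORK/compromised.key" -subj "/CN=www.example.test" \
    -days 1 -out "$WORK/issued.crt" 2>/dev/null

make_kcr "$WORK/compromised.key" "$WORK/good.kcr"        # genuine KCR
make_kcr "$WORK/other.key" "$WORK/wrong-key.kcr"         # signed by an unrelated key
openssl req -new -key "$WORK/compromised.key" -subj "/CN=ordinary request" \
    -out "$WORK/plain.csr" 2>/dev/null                   # valid CSR, no intent marker

kcr_matches_cert "$WORK/good.kcr" "$WORK/issued.crt" && echo "good.kcr: revoke issued.crt"
kcr_matches_cert "$WORK/wrong-key.kcr" "$WORK/issued.crt" || echo "wrong-key.kcr: key does not match issued.crt"
check_kcr "$WORK/plain.csr" || echo "plain.csr: valid CSR but not a KCR"
```

The split between check_kcr and kcr_matches_cert is the point: the first step accepts a KCR on its own merits, so the submitter needs no certificate to demonstrate compromise, and the CA then looks the key fingerprint up across everything it has issued rather than requiring the submitter to name a certificate. The plain.csr case shows why the marker matters: an ordinary CSR signed by the same key proves possession just as well but carries no declaration of compromise, so it must not trigger revocation by itself.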