Yeah, this has been discussed a bit in the past I think. I recall one person I mentioned it to being concerned that it would be seen as "punitive" by making subscribers do extra work if things didn't work out. I think that's "just" a comms issue, and am generally in favour of it. It would be mechanically complex, especially during the initial phases where it's arguably a competitive advantage to adopt such a practice later than your peers.
I think it's viable, though, and would be interested in a more detailed discussion of what mechanisms or tunables people have in mind. I had a sketch of it somewhere but I think it was a victim of wiping a previous laptop... :(

Mike

On Fri, Aug 9, 2024 at 1:26 PM 'Tim Hollebeek' via [email protected] <[email protected]> wrote:

> > My proposal is that root programs require CAs to accept revocation requests
> > from the root programs themselves for randomly-chosen certificates. At
> > random intervals, a root program sends a (suitably
> > authenticated) email to the CA's problem reporting address stating "this
> > certificate should be considered compromised as of this moment, revoke in
> > line with the BRs". Frequency and volume could be tuned to issuance
> > volume, with upper and lower bounds as needed to ensure universal
> > coverage without unduly burdening any particular CA with excessive
> > administrivia.
>
> Just wanted to highlight this proposal since it got lost in the later
> discussion ... I've had similar thoughts before, and this is an idea worth
> exploring. It would provide much more uniform and objective testing of the
> ability to rotate certificates, and would allow us to stop pretending that
> incidents are effective for that purpose (they aren't).
>
> -Tim
