Hi Jeremy,

On Thu, 5 Jun 2025, Jeremy Rowley wrote:

> Although lots of CAs put additional controls on their CA above and beyond the BRs, I would not put those into a CP. Instead, I would offer them as an SLA to the agreement or similar practice. If you violate one of those, the customer gets a credit instead of a revoked cert. The CA still shows that they are doing more than the minimum but they don't risk revocation if a control fails.

Could such additional controls not be put into CP/CPS as a conditional commitment on either fulfilling them or offering the subscriber credit? Such that it would then only be a CP or CPS violation if the control was violated AND the subscriber did not get credited? This would offer transparency to Relying Parties, as well as a commitment to either uphold the controls backed by a mechanism incentivising the CA to follow through? I imagine that might be useful for trust decisions by a Relying Party...

Tobi
