Re: Terms and Conditions that use technical measures to make it difficult to change CAs

2020-04-16 Thread Ryan Sleevi via dev-security-policy
On Thu, Apr 16, 2020 at 4:09 PM Tim Hollebeek wrote: > On the other hand, for example in Shanghai, some > have argued that there is nothing wrong with a CPS that does not disclose > anything > about how CAs implement any of the policy requirements. Understandably, it's a spectrum. For these

RE: Terms and Conditions that use technical measures to make it difficult to change CAs

2020-04-16 Thread Tim Hollebeek via dev-security-policy
Generally, I'm in favor of transparency requirements, and many of Ryan's ideas would be useful or interesting to pursue. Transparency is often the first and best step towards improving business practices. And the entire purpose of a CPS is to disclose the business practices that implement a

Re: Terms and Conditions that use technical measures to make it difficult to change CAs

2020-04-14 Thread Ryan Sleevi via dev-security-policy
On Tue, Apr 14, 2020 at 8:13 PM Robin Alden wrote: > I am ambivalent to the idea of having a list of business practices, > presumably over and above those required in law, that CAs must publish to > the community. I know it was more an aside, but I’m not sure I follow what you mean by “over an

RE: Terms and Conditions that use technical measures to make it difficult to change CAs

2020-04-14 Thread Robin Alden via dev-security-policy
> .. There’s plenty of precedent in having Root Policy or the > Baseline Requirements require a CP/CPS explicitly state something; > examples such as the CAA domain name, the problem reporting mechanism > and contact address, and compliance to the latest version of the BRs. > > If we apply that

Re: Terms and Conditions that use technical measures to make it difficult to change CAs

2020-04-06 Thread Ryan Sleevi via dev-security-policy
On Mon, Mar 16, 2020 at 5:06 PM Tim Hollebeek via dev-security-policy wrote: > > > > Hello, > > > > I'd like to start a discussion about some practices among other commercial > CAs that have recently come to my attention, which I personally find > disturbing. While it's perfectly appropriate to

Re: Terms and Conditions that use technical measures to make it difficult to change CAs

2020-03-17 Thread Ronald Crane via dev-security-policy
This is an abusive practice that tends to injure the operation of the internet, particularly by encouraging victims to operate sites without authentication and encryption in the interregnum between revocation and the acquisition of a new cert. It also needlessly raises the cost to operate a

RE: Terms and Conditions that use technical measures to make it difficult to change CAs

2020-03-17 Thread Jeremy Rowley via dev-security-policy
Yes - please share the details with me as I am very surprised to hear that. I know the DigiCert agreements I've seen don't permit revocation because of termination so whoever (if anyone) is saying that is contradicting the actual agreement. Threatening revocation because of termination or

Re: Terms and Conditions that use technical measures to make it difficult to change CAs

2020-03-17 Thread Nick France via dev-security-policy
On Monday, March 16, 2020 at 9:06:33 PM UTC, Tim Hollebeek wrote: > Hello, > > > > I'd like to start a discussion about some practices among other commercial > CAs that have recently come to my attention, which I personally find > disturbing. While it's perfectly appropriate to have Terms and

Re: Terms and Conditions that use technical measures to make it difficult to change CAs

2020-03-16 Thread Burton via dev-security-policy
A customer should be able to have the choice to change their CA provider without threats of revocation by the CA. It's definitely an abuse of the revocation function. I do understand terms and conditions are in normal circumstances legally binding once signed by a customer, but this practice is abuse of

Re: Terms and Conditions that use technical measures to make it difficult to change CAs

2020-03-16 Thread Matt Palmer via dev-security-policy
On Mon, Mar 16, 2020 at 09:06:17PM +, Tim Hollebeek via dev-security-policy wrote: > I'd like to start a discussion about some practices among other commercial > CAs that have recently come to my attention, which I personally find > disturbing. While it's perfectly appropriate to have Terms

Terms and Conditions that use technical measures to make it difficult to change CAs

2020-03-16 Thread Tim Hollebeek via dev-security-policy
Hello, I'd like to start a discussion about some practices among other commercial CAs that have recently come to my attention, which I personally find disturbing. While it's perfectly appropriate to have Terms and Conditions associated with digital certificates, in some circumstances,