Bug 1877388 Comment 53 Edit History

Note: The actual edited comment in the bug view page will always show the original commenter’s name and original timestamp.

As a member of the greater internet-using public who is also working as a security researcher and consultant, I would also like to hear a response from Telekom Security on the following two considerations. These were originally pointed out by Mike Shaver in the GDCA bug discussion, but I agree that they are relevant for other public CAs as well.

https://bugzilla.mozilla.org/show_bug.cgi?id=1889062

From comment 9:
> How will [the CA] ensure that they do not issue certificates to subscribers with critical services, who have not also provided assurances that they can replace certificates within 24 hours or themselves (the subscriber) take responsibility for any service disruption if that does not occur?
> If a service is essential to society and cannot operate successfully within the constraints of the BRs, then it should not be using WebPKI, and CAs should be ensuring that they do not issue WebPKI certificates to such services.

From comment 11:
> Issuing a certificate to a subscriber who did not acknowledge and accept that immediate revocation may occur in the case of BR violation is misissuance. By my understanding of the BRs, and that of a well-informed anonymous expert who I consulted, you should not have issued replacement certificates if the subscriber did not *accept that revocation can happen instantly at any time*.

As a member of the greater internet-using public who is also working as a security researcher and consultant, I would also like to hear a response from Telekom Security on the following two considerations. These were originally pointed out by Mike Shaver in the GDCA bug discussion, but I agree that they are relevant for other public CAs as well.

From comment https://bugzilla.mozilla.org/show_bug.cgi?id=1889062#c9:
> How will [the CA] ensure that they do not issue certificates to subscribers with critical services, who have not also provided assurances that they can replace certificates within 24 hours or themselves (the subscriber) take responsibility for any service disruption if that does not occur?
> If a service is essential to society and cannot operate successfully within the constraints of the BRs, then it should not be using WebPKI, and CAs should be ensuring that they do not issue WebPKI certificates to such services.

From comment https://bugzilla.mozilla.org/show_bug.cgi?id=1889062#c11:
> Issuing a certificate to a subscriber who did not acknowledge and accept that immediate revocation may occur in the case of BR violation is misissuance. By my understanding of the BRs, and that of a well-informed anonymous expert who I consulted, you should not have issued replacement certificates if the subscriber did not *accept that revocation can happen instantly at any time*.
