subscriber certificate agility KYC for CAs


Mike Shaver

May 22, 2024, 2:44:57 PM
to dev-secur...@mozilla.org
I wanted to elaborate on a piece of my last message, specifically around issuance of certificates for uses that are not compatible with the misissuance revocation requirements specified in the BRs.

We very commonly see that delayed revocation incidents are rationalized by CAs as being required due to the impact of disruption of services that would result from compliant revocation. Many different types of service are cited as being in this "too big to revoke" category, ranging from banks to airlines to post offices to government portals. This is sometimes described as being "disruptive to the web ecosystem".

One thing that could be done to reduce this is to explicitly call out certain uses that should not rely on certificates issued under the authority of the BRs. There are already some prohibitions on use of such certificates for life-critical systems, nuclear reactor control, etc.--the same as commonly found in software licenses.

Rather than try to litigate and maintain a list of usage descriptors, I propose instead letting CAs determine the suitability of WebPKI use.

Specifically, the BRs could be amended to indicate that it is misissuance to issue a certificate to a subscriber that runs a service that cannot endure revocation and can't replace certificates in 24 hours in "emergency, overtime, disrupt other stuff" mode, or 5 days in "business as usual mode". This would mean that even an otherwise perfectly-valid certificate would be considered to be misissued if it is somehow discovered that a subscriber operates a socially-critical system that cannot tolerate compliant revocation, and the CA would then no longer be able to renew or otherwise issue to that subscriber for that service until they became confident that the subscriber was now "revocation-tolerant". Maybe.

I'm not totally satisfied with how I'm thinking about this yet, but I think the kernel of the idea is sound on both core points:
- critical systems that cannot tolerate BR-compliant revocation should not be issued certificates that are subject to the BRs
- the CAs should be responsible for ensuring that they are not issuing certificates for inappropriate uses

This would build on whatever work CAs are currently doing to ensure that customers are aware that WebPKI certificates are not suitable for use in medical devices or reactor control systems, I assume.

Mike
