The word "misused" in the policy could do with clarifying. The
Maintenance Policy states:
"2. CAs must revoke Certificates that they have issued upon the
occurrence of any of the following events: ... the CA obtains reasonable
evidence that the subscriber’s private key (corresponding to the public
key in the certificate) has been compromised or is suspected of
compromise (e.g. Debian weak keys), or that the certificate has
otherwise been misused;"
Kathleen's proposal is to change:
"or that the certificate has otherwise been misused;"
to
"or that the certificate has been used for a purpose outside of that
indicated in the certificate or in the CA's subscriber agreement;"
We feel it's reasonable for the CA (via its subscriber agreement or via
technical controls in the cert) to define what 'misuse' is.
There was a long previous discussion of this on m.d.s.policy, but no
determination was made.
https://groups.google.com/forum/#!msg/mozilla.dev.security.policy/vMrncPi3tx8/Ab90Yi_rBgAJ
This is:
https://github.com/mozilla/pkipolicy/issues/1
-------
This is a proposed update to Mozilla's root store policy for version
2.4. Please keep discussion in this group rather than on GitHub. Silence
is consent.
Policy 2.3 (current version):
https://github.com/mozilla/pkipolicy/blob/2.3/rootstore/policy.md
Update process:
https://wiki.mozilla.org/CA:CertPolicyUpdates