On 16/05/17 02:26, userwithuid wrote:
> After skimming the responses and checking a few CAs, I'm starting to
> wonder: Wouldn't it be easier to just add another mandatory field to
> the CCADB (e.g. "revocation contact"), requiring $URL or $EMAIL via
> policy and just use that to provide a public list?
Well, such contacts are normally per CA rather than per root. I guess we
could add it on the CA's entry.
> It seems to me that most revocation related procedures are very
> specific to CA-customers (e.g. log in and use the revoke button) and
> often not even TLS related (e.g. send a document signed with key you
> want to revoke, use the revocation password you got when creating the
> email cert, ...). I think it's not your intention for the wiki page
> to capture that, or is it?
Well, I want to make sure that people who want to report e.g. a bad cert
found in the wild know where to go. This was triggered by an event where
Microsoft wanted to report something to GoDaddy (IIRC) but using the
wrong contact.
> IMHO, a wiki page with manually copied info has a good chance to get
> stale as CAs change their documents, websites, primary domains, etc.
It's true, but the other option is "dig in my CP/CPS".
Also, I had hoped that the question itself would remind CAs that this
information needed to be there, and prompt any for which it wasn't there
to fix it :-)
Gerv