aiaiaiaiaiai
an hour ago
Why doesn't the browser treat local loopback as secure network communication? Would save all the nonsense. Cant get more secure than not sending data over the network!
Ask HN: Why would a CA revoke a cert with a public private key?
2 pointsposted 13 hours ago
by JakaJancarItem id: 41642226
6 Comments
leftbehind
13 hours ago
IIRC, if you have a private key you can be able to force a revocation regardless of what the owner wants. In some such as Let's Encrypt it is fully automated.
If this is a repo private, you should be realize it with a private CA that you import or is on every corp machine.
Baseline Requirements force a revocation within x hours on key disclosure.
JakaJancar
13 hours ago
HN comes through in 10 min :)
I didn't know about CA/Browser forum and the Baseline Requirements. Thanks, will check it out!
// Edit: Relevant section:
The Subscriber Agreement or Terms of Use MUST contain provisions imposing on the Applicant [..] the following obligations and warranties:
[...]
Protection of Private Key: An obligation and warranty by the Applicant to take all reasonable measures to assure control of, keep confidential, and properly protect at all times the Private Key [...]
leftbehind
12 hours ago
:)
> Looking at digicert[1], if a revocation request is submitted, the owner must approve it. What happens if I just don't approve it?
So in this case, this is the happy-case where you as the owner wish to simply realize the cancellation a cert that you are no longer using.
A different workflow applies, such that you have the private key you instead send a POST to 'https://problemreport.digicert.com/api/keys/compromised' with the private key in the JSON body and it will be queued. It is mandatory Baseline Requirements wise to cancel the certificate within 24 hours in the compromised case - usually instant if the pk matches cert - with the expectation that of course the owner will not go this route.
JakaJancar
7 hours ago
Makes sense, thanks!
akerl_
13 hours ago
This is the kind of message board logic that doesn’t actually work in the real world.
The CA has to answer to the CAB if they want to stay in browser trust stores, and quite clearly a private key that’s posted publicly has been disclosed.