[HN Gopher] The Irrevocable SSL Certificates of Cloudflare
       ___________________________________________________________________
        
       The Irrevocable SSL Certificates of Cloudflare
        
       Author : worldofmatthew
       Score  : 15 points
       Date   : 2021-01-20 16:20 UTC (6 hours ago)
        
 (HTM) web link (worldofmatthew.com)
        
       | detaro wrote:
       | Refusing to do so reads to me like it could be in conflict with the
       | CA/B rules for certificates, but I'm not too familiar with the
       | interpretation of these clauses. Could be an interesting question
       | to post on the CA/B mailing list at least.
       | 
       | referencing _Section 4.9.1.1 Reasons for Revoking a Subscriber
       | Certificate_
       | 
       | If CF sees OP as the subscriber of the certificate,
       | 
       | > _The CA SHALL revoke a Certificate within 24 hours if one or
       | more of the following occurs:
       | 
       | > 1. The Subscriber requests in writing that the CA revoke the
       | Certificate_
       | 
       | If CF considers itself the subscriber (since they are getting the
       | certificate for their servers, this seems more likely):
       | 
       | > _The CA SHOULD revoke a certificate within 24 hours and MUST
       | revoke a Certificate within 5 days if one or more of the
       | following occurs_
       | 
       | > [...]
       | 
       | > _4. The CA is made aware of any circumstance indicating that
       | use of a Fully-Qualified Domain Name or IP address in the
       | Certificate is no longer legally permitted (e.g. a court or
       | arbitrator has revoked a Domain Name Registrant's right to use
       | the Domain Name,_ -- > _a relevant licensing or services
       | agreement between the Domain Name Registrant and the Applicant
       | has terminated,_ <-- _or the Domain Name Registrant has failed to
       | renew the Domain Name);_
        
         | sigio wrote:
         | That last one wouldn't work if you just hosted the domain
         | somewhere else, only if it was actually removed, which kinda
         | defeats the purpose.
        
           | worldofmatthew wrote:
           | > 1. The Subscriber requests in writing that the CA revoke the
           | Certificate
           | 
           | This seems more appropriate.
        
           | detaro wrote:
           | Why is the contract between OP ("Domain Name Registrant") and
           | CF ("Applicant") not a "relevant service agreement" in that
           | case?
        
       ___________________________________________________________________
       (page generated 2021-01-20 23:02 UTC)