> Would a CA be allowed to pre-notify customers whose certs were randomly selected and {pre/re}-issue them replacements?<p>If this is permitted, then I see no problem with this plan. It will force people to do what they already should be doing: have a plan in place to rotate certificates in case of revocation.<p>> The point is that right now revocation is so painful that it’s causing CAs to side with subscriber convenience over the integrity of the web PKI. Sampled, controlled revocations let us identify points of pain before they have security implications, and motivate Subscribers to prepare their systems—whether through automation or not, up to them, I’m not their dad—to tolerate on-time revocation. We care about the likely outcomes of automation, such as tolerance of short revocation or expiry timelines, really, but if BigSlowCo wants to staff a 24-hour cert maintenance squad such that they don’t (successfully) pressure their CA into blowing revocation deadlines, that’s their opex choice. Directly evaluating ecosystem capability around prompt revocation is the only way I can think of to identify areas of danger or weakness before they become issues for the web.<p>This is like testing the fire extinguishers.
That is a pretty breathtaking example of ivory tower thinking if there ever was one. I really just don't know what else I can say about that kind of proposal.
I think Roman Fischer in the thread has it right, 30 certs is a single drop of water the Atlantic. Like there's no wink wink necessary, at that scale it would be flatly <i>irrational</i> to do anything at all to handle being one of these revocations. We're taking about a roughly 0.00001% chance that it's you. Forget some dumb cert revocation logic I would play Russian Roulette with those odds.<p>But on the flip side those 30 unlucky souls are gonna be <i>pissed</i>. There's so many other less disruptive ways you could do this.
Why don’t they revoke the certificate for a special-use domain, like example.com.<p>As opposed to 30-random entities.<p><a href="https://en.m.wikipedia.org/wiki/Special-use_domain_name" rel="nofollow">https://en.m.wikipedia.org/wiki/Special-use_domain_name</a>
I think the garbage CAs that want to delay certificate revocation way beyond requirements are numerous enough that this proposal won't go ahead. Much easier for them to just do nothing and hope they won't be the next Entrust.