Questions re: Upcoming changes to revocation reasons

It probably goes something like:
A issues cert for sites 1,2,3,...,10
B revokes that cert [with authority only over site 5]
A finds cert revoked and issued a new cert.
B revokes that one too
over and over (and over) - until they can't issue any more certs [DoSed]


That's really it. It can repeat indefinitely as you suggest (at least within the cached validation time), but it doesn't need to.

The situations where this is likely to happen are:

  • A platform or service bundles multiple client domains on a single certificate (CloudFlare used to do this; many webhosts and PAAS/SAAS still do). One of their clients are able to prove ownership of one domain on a certificate, and then try to revoke the platform/service's shared certificate.
  • A large organization (corporation, university, etc) has a centralized certificate or IT management, but also allows departments to procure their own certificates. A department tries to revoke the shared certificates they appear on.
  • A first owner of multiple domains sells a domain; the new second owner of the transferred domain tries to revoke the seller's shared certificate.

I've heard of several other likely scenarios, but I think these three were the most likely.


Yep, that's one avenue. An even simpler avenue is:

  1. Bring your own domain to a hosting provider that bundles ~100 names into every cert they get.
  2. Take that domain elsewhere, and get your own cert for it.
  3. Ask that we revoke the original cert (based on the fact that you control one name on it), thus breaking HTTPS for 99 unrelated sites until the original hosting provider renews the cert.

edit: Hah, jvanasco beat me to it.


The revocations reason changes are now live in production.