by gruez 2972 days ago
>they're super anti-piracy, and have a contract with all the CAs that requires them to unilaterally revoke any cert at Microsoft's discretion

source?


https://social.technet.microsoft.com/wiki/contents/articles/...

> If Microsoft, in its sole discretion, identifies a DV Server Authentication certificate is being used to promote malware or unwanted software, Microsoft will contact the responsible CA and request that it revoke the certificate. The CA must either revoke the certificate within a commercially-reasonable timeframe, or it must request an exception from Microsoft within two (2) business days of receiving Microsoft’s request. Microsoft may either grant or deny the exception at its sole discretion. In the event that Microsoft does not grant the exception, the CA must revoke the certificate within a commercially-reasonable timeframe not to exceed two (2) business days.

This is absolutely insane, and Microsoft really has no position to make these demands. Does McDonald's have the right to get your driver's license revoked? (Even if you say... use the drive-thru to steal McNuggets?)

Hell no, and neither does Microsoft.

Microsoft runs a root store. That gives them more leverage over the CAs than McDonald's has.
I'd be curious what would happen if the "too big to fail" issuers pushed back against this.

Microsoft's only option is to completely drop the root cert, right? So there's no real non-nuclear option...

In the broader sense, this is one downside of the shift towards Let's Encrypt and CAs being more interchangeable: increased power of the root stores relative to them.

Sometimes that's good, sometimes it's evil.

> Microsoft's only option is to completely drop the root cert, right? So there's no real non-nuclear option...

In small-scale disputes MS (and other browser vendors) would not have to nuke an entire large CA to get their way. In principle they could just blacklist the individual certs/names, leaving the CA's other certs alone.

That ability/implied threat probably does mean that the CAs tend to comply with MS piracy/copyright-related revocation requests, because refusing to comply would piss off MS (and possibly law enforcement) without actually stopping them from getting their way by other means.

Sidenote to this: if you want to sign a Windows driver (and on XP+, you do), you can only use Microsoft approved CAs.
Could MS not ultimately stop honoring said vendor's certificates?
Yes, in the extreme case, Microsoft would be able to issue an urgent security update whose only purpose was to remove this CA from the Schannel trust store. The effect would be that IE, Edge, Chrome and most other SSL/TLS applications on Windows ceased to trust those certs. That's obviously really drastic, but they could certainly do it. (Firefox and various Free things wouldn't be affected because even on Windows they don't use Microsoft's trust store.)