On Thu, May 22, 2014 at 02:57:26PM -0500, Steve Roylance wrote:
> Hi Kathleen,
>
> The policy group responsible for control of our certificates and keys have a
> question for you concerning the disclosure requirements.
>
> We have a number of CAs in 'CRL/OCSP only' mode where certificate issuance
> has been programmatically suspended. In many cases the Subordinate CAs and
> their associated keys will be decommissioned - once all certificates chained
> to them have expired. It is also the same for some of the Subordinate CAs
> where keys are held by our customers. Whilst many have successfully
> transitioned to Technical Constraints this has been through a parallel/new
> CA and therefore the old CA again remains in CRL only mode until all
> certificates have expired.

If keys of a non-constrained CA are held by a customer, I think there is no way for you to "programmatically suspend" that CA, and so would expect that to be disclosed.

Kurt

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

