On 5/22/14, 1:18 PM, Kurt Roeckx wrote:
> On Thu, May 22, 2014 at 02:57:26PM -0500, Steve Roylance wrote:
>> Hi Kathleen,
>>
>> The policy group responsible for control of our certificates and keys has a
>> question for you concerning the disclosure requirements.
>>
>> We have a number of CAs in 'CRL/OCSP only' mode where certificate issuance
>> has been programmatically suspended. In many cases the Subordinate CAs and
>> their associated keys will be decommissioned - once all certificates chained
>> to them have expired. It is also the same for some of the Subordinate CAs
>> where keys are held by our customers. Whilst many have successfully
>> transitioned to Technical Constraints, this has been through a parallel/new
>> CA and therefore the old CA again remains in CRL only mode until all
>> certificates have expired.
>
> If keys of a non-constrained CA are held by a customer, I think
> there is no way for you to "programmatically suspend" that CA, and
> so would expect that to be disclosed.
>
> Kurt
https://wiki.mozilla.org/CA:CertificatePolicyV2.1#Technical_Constraints_or_Auditing.2FDisclosure_of_Intermediate_Certificates
"All certificates that are capable of being used to issue new
certificates must comply with version 2.1 or later of Mozilla's CA
Certificate Inclusion Policy for new certificate issuance by May 15, 2014."
I think the key is "new certificate issuance". Meaning that new
certificate issuance is happening within a CA hierarchy in which the
subCA certs are either technically constrained or disclosed/audited.
I think it is reasonable for CAs to maintain the CRL/OCSP of the old
hierarchies that they are decommissioning, without having to publicly
disclose them.
Kathleen
_______________________________________________
dev-security-policy mailing list
https://lists.mozilla.org/listinfo/dev-security-policy