On 5/22/14, 3:53 PM, Kathleen Wilson wrote:
On 5/22/14, 1:18 PM, Kurt Roeckx wrote:
On Thu, May 22, 2014 at 02:57:26PM -0500, Steve Roylance wrote:
Hi Kathleen,

The policy group responsible for control of our certificates and keys has a question for you concerning the disclosure requirements.

We have a number of CAs in 'CRL/OCSP only' mode where certificate issuance has been programmatically suspended. In many cases the Subordinate CAs and their associated keys will be decommissioned once all certificates chained to them have expired. It is also the same for some of the Subordinate CAs where keys are held by our customers. Whilst many have successfully transitioned to Technical Constraints, this has been through a parallel/new CA, and therefore the old CA again remains in CRL only mode until all certificates have expired.

If keys of a non-constrained CA are held by a customer, I think there is no way for you to "programmatically suspend" that CA, and so would expect that to be disclosed.


Kurt



https://wiki.mozilla.org/CA:CertificatePolicyV2.1#Technical_Constraints_or_Auditing.2FDisclosure_of_Intermediate_Certificates

"All certificates that are capable of being used to issue new
certificates must comply with version 2.1 or later of Mozilla's CA
Certificate Inclusion Policy for new certificate issuance by May 15, 2014."

I think the key is "new certificate issuance". Meaning that new
certificate issuance is happening within a CA hierarchy in which the
subCA certs are either technically constrained or disclosed/audited.

I think it is reasonable for CAs to maintain the CRL/OCSP of the old
hierarchies that they are decommissioning, without having to publicly
disclose them.

Kathleen



After further consideration, I am now of the opinion that we should collect some information about subordinate CAs in this mode.

I could create another spreadsheet for SubCAs that are in CRL/OCSP mode, and it could have columns for
Name of SubCA (optional)
SubCA Cert's Issuer Hash
SubCA Cert's Issuer Public Key Hash
SubCA Cert Issuer Serial Number
Date of last cert issuance
Date of last cert expiration


Does that sound reasonable?

Kathleen
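The three identifier columns proposed above (issuer hash, issuer public key hash, serial number) are the same triple OCSP uses to identify a certificate in its CertID (RFC 6960). As an added example that is not part of this thread, the Go program below derives them from a constructed root/sub-CA pair; SHA-256 and the sample names are assumptions, since the thread fixes neither a hash algorithm nor a format.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"encoding/hex"
	"math/big"
	"time"
)
// CertID is one row of the proposed CRL/OCSP-only SubCA sheet: the same three values
// OCSP uses to identify a certificate (RFC 6960 CertID). SHA-256 is an assumption here.
type CertID struct {
	IssuerNameHash string // over the DER-encoded issuer Name
	IssuerKeyHash  string // over the issuer public key BIT STRING value only
	Serial         string // SubCA certificate serial number, hex
}
// RowFor derives the row from a SubCA certificate and the certificate that issued it.
func RowFor(sub, issuer *x509.Certificate) (CertID, error) {
	if err := sub.CheckSignatureFrom(issuer); err != nil { // wrong issuer supplied: no row
		return CertID{}, err
	}
	// Unwrap SubjectPublicKeyInfo: OCSP hashes only the key bits, not the AlgorithmIdentifier.
	var spki struct{ Algorithm pkix.AlgorithmIdentifier; PublicKey asn1.BitString }
	if _, err := asn1.Unmarshal(issuer.RawSubjectPublicKeyInfo, &spki); err != nil {
		return CertID{}, err
	}
	nh, kh := sha256.Sum256(sub.RawIssuer), sha256.Sum256(spki.PublicKey.Bytes)
	return CertID{hex.EncodeToString(nh[:]), hex.EncodeToString(kh[:]), sub.SerialNumber.Text(16)}, nil
}

// SampleChain builds a constructed root and legacy sub-CA offline; errors are ignored only because the templates are fixed.
func SampleChain() (root, sub *x509.Certificate) {
	tmpl := func(serial int64, cn string) *x509.Certificate {
		return &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
			NotBefore: time.Now(), NotAfter: time.Now().AddDate(10, 0, 0), IsCA: true,
			BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	}
	rootPub, rootKey, _ := ed25519.GenerateKey(rand.Reader)
	subPub, _, _ := ed25519.GenerateKey(rand.Reader)
	rt := tmpl(1, "Constructed Example Root CA")
	der, _ := x509.CreateCertificate(rand.Reader, rt, rt, rootPub, rootKey)
	root, _ = x509.ParseCertificate(der)
	der, _ = x509.CreateCertificate(rand.Reader, tmpl(0x1a2b, "Constructed Legacy Sub CA"), root, subPub, rootKey)
	sub, _ = x509.ParseCertificate(der)
	return root, sub
}
```

The two date columns (last issuance, last expiration) cannot be read from the SubCA certificate itself; they have to come from the CA's issuance records.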






_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy