On 6/3/14, 1:52 AM, Rob Stradling wrote:
On 03/06/14 01:42, Kathleen Wilson wrote:
On 5/28/14, 5:17 PM, Kathleen Wilson wrote:
<snip>
I could create another spreadsheet for SubCAs that are in CRL/OCSP mode,
and it could have columns for
Name of SubCA (optional)
SubCA Cert's Issuer Hash
SubCA Cert's Issuer Public Key Hash
SubCA Cert Issuer Serial Number
Date of last cert issuance
Date of last cert expiration
<snip>
I also added:
<snip>
- For each subordinate CA certificate that is being phased out and
is in 'CRL/OCSP only' mode, please provide the following information:
Name of SubCA (optional), SubCA Cert Hash (SHA1),
Kathleen, you didn't previously mandate any particular hash algorithm.
Our disclosure page shows the SHA-256 hash of each Sub-CA certificate.
Is that acceptable, or do you want us to show the SHA-1 hash of each
Sub-CA certificate instead?
SubCA Cert Key Id Hash (SHA1), SubCA Cert Subject Key Identifier,
These will be identical in the common case that the Subject Key
Identifier is generated using the method described in RFC5280 Section
4.2.1.2(1)...
"The keyIdentifier is composed of the 160-bit SHA-1 hash of the
value of the BIT STRING subjectPublicKey (excluding the tag,
length, and number of unused bits)."
Or have I misunderstood what you meant by "SubCA Cert Key Id Hash" ?
Thanks.
SubCA Cert Serial Number,
Date of Last Cert Issuance, Date of Last Cert Expiration.
Updated...
https://wiki.mozilla.org/CA:CertificatePolicyV2.1#Frequently_Asked_Questions
--
5. The transition of some subordinate CAs to Technical Constraints (as
per #9 of Mozilla's CA Certificate Inclusion Policy) has been
accomplished by creating a new CA hierarchy, so the old subordinate CA
certificate remains in 'CRL/OCSP only' mode until all certificates in
the old hierarchy have expired. Do we need to disclose the old
subordinate CA certificates that are being phased out and are in
'CRL/OCSP only' mode?
--For each subordinate CA certificate that is being phased out and
is in 'CRL/OCSP only' mode, please provide the following information:
Name of SubCA (optional), SubCA Cert Hash (SHA1 or SHA256), SubCA Cert
Subject Key Identifier, SubCA Cert Serial Number, Date of Last Cert
Issuance, Date of Last Cert Expiration.
--
Thanks,
Kathleen
PS: I'm looking into automating CA and subCA data maintenance. My goal
is for CAs to maintain their own data, so I just have to approve
changes. More to come about this later, but if any of you have awesome
ideas about how to do this, please send me an email with your
recommendations.
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
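Rob's point above, that a "key id hash" and the Subject Key Identifier coincide when the SKI was generated with RFC 5280 section 4.2.1.2 method (1), is easy to check mechanically. The following is an added example, not code from the thread or from Mozilla; it uses only the Python standard library, builds a SubjectPublicKeyInfo around a constructed (not real) RSA modulus, and computes the method (1) identifier exactly as the RFC words it: SHA-1 over the subjectPublicKey BIT STRING value with the tag, length and unused-bits octet stripped. All function names are mine. It also contrasts that value with the SHA-256 of the whole SPKI (the pin-sha256 style fingerprint), which practitioners sometimes confuse with the SKI, and includes a walker that pulls the SPKI out of a DER certificate so the same check can be run on a real Sub-CA certificate.

```python
"""Subject Key Identifier per RFC 5280 4.2.1.2 method (1): the 160-bit SHA-1 of
the subjectPublicKey BIT STRING value, excluding tag, length and unused bits.
Standard library only. Added example; the sample key below is constructed."""
import hashlib

RSA_ENCRYPTION_OID = bytes.fromhex("06092a864886f70d010101")  # 1.2.840.113549.1.1.1


def der_read(buf, pos=0):
    """Read one DER TLV at buf[pos]. Returns (tag, value, end_offset)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def der_encode(tag, content):
    """Encode one DER TLV with a definite (short or long form) length."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def der_uint(value):
    """DER INTEGER for a non-negative value (leading 0x00 when the top bit is set)."""
    return der_encode(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big"))


def build_rsa_spki(n, e):
    """DER SubjectPublicKeyInfo for an RSA public key (n, e)."""
    rsa_public_key = der_encode(0x30, der_uint(n) + der_uint(e))
    alg_id = der_encode(0x30, RSA_ENCRYPTION_OID + b"\x05\x00")  # rsaEncryption, NULL
    bit_string = der_encode(0x03, b"\x00" + rsa_public_key)       # 0 unused bits
    return der_encode(0x30, alg_id + bit_string)


def subject_public_key_bits(spki_der):
    """The subjectPublicKey BIT STRING value with the unused-bits octet removed."""
    _, spki, _ = der_read(spki_der)
    _, _, after_alg = der_read(spki)             # skip AlgorithmIdentifier
    tag, bits, _ = der_read(spki, after_alg)
    if tag != 0x03 or bits[0] != 0:
        raise ValueError("expected a byte-aligned BIT STRING")
    return bits[1:]


def ski_method1_from_bits(bits):
    """Method (1): 160-bit SHA-1 over the raw subjectPublicKey bits."""
    return hashlib.sha1(bits).digest()


def ski_method1(spki_der):
    """Method (1) SKI computed from a DER SubjectPublicKeyInfo."""
    return ski_method1_from_bits(subject_public_key_bits(spki_der))


def spki_pin_sha256(spki_der):
    """Contrast: a pin-sha256 style hash covers the whole SPKI (tag, length,
    algorithm identifier included), so it is not the SKI."""
    return hashlib.sha256(spki_der).digest()


def spki_from_cert_der(cert_der):
    """Walk Certificate -> tbsCertificate and return the SPKI TLV bytes."""
    _, cert, _ = der_read(cert_der)              # Certificate SEQUENCE
    _, tbs, _ = der_read(cert)                   # tbsCertificate SEQUENCE
    pos = 0
    tag, _, end = der_read(tbs, pos)
    if tag == 0xA0:                              # optional [0] EXPLICIT version
        pos = end
    for _ in range(5):                           # serial, signature, issuer, validity, subject
        _, _, pos = der_read(tbs, pos)
    _, _, end = der_read(tbs, pos)               # subjectPublicKeyInfo
    return tbs[pos:end]


if __name__ == "__main__":
    # Constructed 1024-bit modulus, not a real key; the SKI computation only
    # depends on how the integer encodes, so any positive value demonstrates it.
    sample_spki = build_rsa_spki((1 << 1023) + 12345, 65537)
    print("SKI (method 1):", ski_method1(sample_spki).hex())
    print("SPKI sha256   :", spki_pin_sha256(sample_spki).hex())
```

To check a real Sub-CA certificate, read its DER bytes, pass them to `spki_from_cert_der`, feed the result to `ski_method1`, and compare with the certificate's SubjectKeyIdentifier extension; a match means the CA used method (1) and a "key id hash" column would simply duplicate the SKI column.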