Certificate suspension is permitted for client certs but not SSL. See https://groups.google.com/forum/#!msg/mozilla.dev.security.policy/j4pS8H8P5Go/-PJRIoKgf04J
-----Original Message-----
From: dev-security-policy [mailto:dev-security-policy-bounces+jeremy.rowley=digicert....@lists.mozilla.org] On Behalf Of Przemyslaw Rawa
Sent: Friday, September 26, 2014 7:31 AM
To: dev-security-policy@lists.mozilla.org
Subject: KIR S.A. Root Inclusion Request

Answer for the suspension and OCSP issues (Robin Alden and Jeremy Rowley):

RFC 5280 allows suspension. In our opinion, suspension is a useful tool for PKI. If you get information that something has gone wrong with a certificate but you need time to confirm it, in such a situation we suspend the certificate and start to verify the information at once. If the information was true, we revoke the certificate, but if it was fake we return the certificate to valid status. Of course you can say that we should revoke the certificate at once, but what if the information we got from the user wasn't true? The SSL server will be seen as untrusted. What if the information is true, but we spent one hour confirming it? During that hour the user trusts the server but shouldn't.

What's more, RFC 2560 also mentions suspension (s 2.2):

   The "good" state indicates a positive response to the status inquiry. At a minimum, this positive response indicates that the certificate is not revoked, but does not necessarily mean that the certificate was ever issued or that the time at which the response was produced is within the certificate's validity interval. Response extensions may be used to convey additional information on assertions made by the responder regarding the status of the certificate such as positive statement about issuance, validity, etc.

   The "revoked" state indicates that the certificate has been revoked (either permanently or temporarily (on hold)).

   The "unknown" state indicates that the responder doesn't know about the certificate being requested.

After changing a suspended certificate's status to valid, the information about that certificate is removed from the CRL, so the OCSP answer after unsuspension will be "valid". It looks like the BR goes further than the RFC.

Preparing for the Mozilla Root Inclusion Program, we looked at other CAs whose certificates are included as trusted by Mozilla. Please note that there are CAs on the Mozilla trusted list which have suspension and unsuspension services, e.g.:

http://certum.pl/servlet/pl.id.sys.servlets.FileDownloadServlet?filename=/upload_module/downloads/dokuments/CCK-DK02-ZK02_CPS_v3_8.pdf
http://cybertrust.omniroot.com/repository/Cybertrust_CPS_v_5_6.pdf
https://www.buypass.com/support/download-center/_attachment/27671?_ts=1439fc82a60

Unizeto

4.9.15. Certification Authority certificate suspension requires a formal request of the Security Inspector, confirmed by the Chief of CERTUM. The procedure for suspending a subscriber's certificate is the same as in the case of revocation of the certificate (see 4.9.3.1). Upon successful verification of the suspension request the Certification Authority changes the status of the certificate and publishes it on the list of revoked certificates (the reason is certificateHold). Only the CERTUM operator is authorized to unsuspend a certificate. Unsuspension can only be issued if CERTUM has information justifying certificate unsuspension.

CyberTrust
http://cybertrust.omniroot.com/repository/Cybertrust_CPS_v_5_6.pdf

Revocation and suspension requests can also be placed directly to the Cybertrust RA at the correspondence address listed at the beginning of this CPS or at evserviced...@verizonbusiness.com. Upon request from an RA, the Cybertrust CA revokes a digital certificate if:

· There has been loss, theft, modification, unauthorized disclosure, or other compromise of the private key of the certificate's subject.
· The certificate's subject or their appointed subscriber has breached a material obligation under this CPS.
· The performance of a person's obligations under this CPS is delayed or prevented by a natural disaster, computer or communications failure, or other cause beyond the person's reasonable control, and as a result, another person's information is materially threatened or compromised.
· There has been a modification of the information contained in the certificate of the certificate's subject.

The Cybertrust RA requests the revocation of a certificate promptly upon verifying the identity of the requesting party. Verification of the identity can be done through information elements featured in the identification data that the subscriber has submitted to the Cybertrust RA. Upon request by a Cybertrust RA, the Cybertrust CA takes prompt action to revoke the certificate. Cybertrust does not provide suspension services directly to subscribers. Cybertrust is allowed to suspend a certificate for up to 7 calendar days if the subscriber does not fulfil its obligations, including financial compensation. The subscriber will be informed of a suspension and its reasons. For SureServer EV certificates, revocation shall be mandatory when the Cybertrust CA determines, in its sole discretion, that the certificate was not issued in accordance with the terms and conditions of the EV guidelines.

4.8.1 Term and Termination of Suspension and Revocation
Suspension may last for a maximum of seven calendar days to establish the conditions that caused the request of suspension. The Cybertrust CA publishes notices of suspended or revoked certificates in the Cybertrust CA repository. The Cybertrust CA may publish its suspended or revoked certificates in its CRL and additionally, by any other means as it sees fit.

BUYPASS

4.4.5 Circumstances for suspension
a) If an RA is not able to process a Certificate revocation request in due time (see 4.4 b), the Certificate SHALL be suspended until the revocation request has been properly processed.
b) If a Certificate has been suspended as a result of a), the Certificate SHALL either be revoked or unsuspended once the revocation request has been properly processed.

4.4.8 Limits on suspension period
a) A Certificate that has been suspended SHALL be revoked or unsuspended at the latest 30 days after the Certificate was suspended. For a suspended Certificate, the original Certificate revocation request is processed in due time to ensure that the Certificate is either revoked or unsuspended at the latest 30 days after the Certificate was suspended.

7. The OCSP profile SHALL conform to the specifications contained in RFC 2560 [16].

Regards
Przemyslaw Rawa

Krajowa Izba Rozliczeniowa S.A., ul. rtm. W. Pileckiego 65, 02-781 Warszawa, registered with the District Court for the Capital City of Warsaw, XIII Commercial Division of the National Court Register, under KRS no. 0000113064, NIP 526-030-05-17, REGON 012105474, share capital (fully paid up) PLN 5,445,000.

The information contained in this transmission is intended only for the individual or entity to whom it is addressed. It may contain privileged and confidential information and if you are not an indicated recipient, you must not copy, distribute or take any action in reliance on it. If received in error, please notify the sender by return email and delete this transmission (and any attachments) from your system.
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
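The mechanics the thread argues over (a suspended certificate is published on the CRL with reason certificateHold, the entry disappears again on unsuspension, and OCSP reports it as "revoked" rather than as a separate state) are easy to see in code. The following is an added example and is not code from either message, from KIR S.A. or from any of the CAs quoted; it uses the Python `cryptography` package (an assumed dependency) and constructs a throwaway CA, one leaf certificate and a sequence of CRLs entirely in memory. The point for a relying party is in `crl_status`: anything other than "good" is a failure, and the hold reason is only useful for logging or for deciding whether to re-check later, never as a reason to trust the certificate.

```python
"""Certificate suspension (certificateHold) as a CRL/OCSP consumer sees it.

Added example, not code from the thread.  Uses the `cryptography` package
(assumed available); CA, leaf, names and serials are all constructed here.
"""
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509 import ocsp
from cryptography.x509.oid import NameOID

HOLD = x509.ReasonFlags.certificate_hold


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def _cert(subject, issuer, pub, signer_key):
    now = datetime.now(timezone.utc)
    b = (x509.CertificateBuilder().subject_name(subject).issuer_name(issuer)
         .public_key(pub).serial_number(x509.random_serial_number())
         .not_valid_before(now - timedelta(minutes=5))
         .not_valid_after(now + timedelta(days=1)))
    if subject == issuer:  # self-signed throwaway CA
        b = b.add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
    return b.sign(signer_key, hashes.SHA256())


def make_ca_and_leaf():
    """Throwaway test CA plus one end-entity certificate (constructed)."""
    ca_key = ec.generate_private_key(ec.SECP256R1())
    ca = _cert(_name("Example Test CA"), _name("Example Test CA"), ca_key.public_key(), ca_key)
    leaf_key = ec.generate_private_key(ec.SECP256R1())
    leaf = _cert(_name("www.example.test"), ca.subject, leaf_key.public_key(), ca_key)
    return ca_key, ca, leaf


def build_crl(ca_key, ca, crl_number, entries):
    """Sign a CRL.  entries = [(serial, ReasonFlags)].  A suspended certificate
    is listed exactly like a revoked one; only the reason code differs."""
    now = datetime.now(timezone.utc)
    b = (x509.CertificateRevocationListBuilder().issuer_name(ca.subject)
         .last_update(now).next_update(now + timedelta(hours=1))
         .add_extension(x509.CRLNumber(crl_number), critical=False))
    for serial, reason in entries:
        b = b.add_revoked_certificate(
            x509.RevokedCertificateBuilder().serial_number(serial).revocation_date(now)
            .add_extension(x509.CRLReason(reason), critical=False).build())
    return b.sign(ca_key, hashes.SHA256())


def crl_status(crl, ca, serial):
    """Relying-party view: 'good', 'on_hold' or 'revoked'.  Only 'good' may be
    trusted; 'on_hold' is informational and must not be treated as a pass."""
    if not crl.is_signature_valid(ca.public_key()):
        raise ValueError("CRL signature does not verify against the issuer")
    entry = crl.get_revoked_certificate_by_serial_number(serial)
    if entry is None:
        return "good"
    try:
        reason = entry.extensions.get_extension_for_class(x509.CRLReason).value.reason
    except x509.ExtensionNotFound:
        reason = x509.ReasonFlags.unspecified
    return "on_hold" if reason is HOLD else "revoked"


def ocsp_hold_response(ca_key, ca, leaf):
    """OCSP for a suspended certificate: the status is REVOKED (RFC 2560 s2.2
    folds 'on hold' into 'revoked'); the hold shows only in revocation_reason."""
    now = datetime.now(timezone.utc)
    return (ocsp.OCSPResponseBuilder()
            .add_response(cert=leaf, issuer=ca, algorithm=hashes.SHA256(),
                          cert_status=ocsp.OCSPCertStatus.REVOKED,
                          this_update=now, next_update=now + timedelta(hours=1),
                          revocation_time=now, revocation_reason=HOLD)
            .responder_id(ocsp.OCSPResponderEncoding.HASH, ca)
            .sign(ca_key, hashes.SHA256()))


def suspend_unsuspend_cycle():
    """The lifecycle from the thread: valid -> suspended (report received) ->
    valid again (report was false, entry dropped from the next CRL), and the
    other branch: report confirmed -> permanently revoked."""
    ca_key, ca, leaf = make_ca_and_leaf()
    s = leaf.serial_number
    crls = [build_crl(ca_key, ca, 1, []),
            build_crl(ca_key, ca, 2, [(s, HOLD)]),
            build_crl(ca_key, ca, 3, []),
            build_crl(ca_key, ca, 4, [(s, x509.ReasonFlags.key_compromise)])]
    resp = ocsp_hold_response(ca_key, ca, leaf)
    return {"crl": [crl_status(c, ca, s) for c in crls],
            "ocsp_status": resp.certificate_status.name,
            "ocsp_reason": resp.revocation_reason.name}


if __name__ == "__main__":
    print(suspend_unsuspend_cycle())
```

Two practical caveats follow from this. First, each CRL carries a monotonically increasing CRLNumber, and the unsuspension CRL is simply a later one without the entry; a client that caches CRLs until nextUpdate will keep reporting the certificate as on hold until that window expires, which is the "one hour" cost the message weighs against immediate revocation. Second, the OCSP response gives no separate "suspended" status, so any client that only inspects certificate_status already treats a held certificate as revoked, which is the behaviour RFC 2560 s2.2 describes.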