On Sun, Oct 16, 2016 at 8:41 AM, Vincent Lynch <vtly...@gmail.com> wrote:
> Looking at the BRs (
> https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-1.4.1.pdf ).
> Section 4.10.1 says:
> "Revocation entries on a CRL or OCSP Response MUST NOT be removed until after
> the Expiry Date of the revoked Certificate."
> In GlobalSign's Incident Report, within the section "Incident Timeline", they
> "13-Oct-16 12:20 Removal of cross signing certificate from the OCSP Database"
> So it seems that un-publishing the revocation information for the Cross
> Certificate would indeed be a BR violation. But this is not an area of
> compliance I am familiar with.
I don't believe it is a BR violation. This requirement means that
correct certificate status must be published for the lifetime of the
certificate. The CA cannot simply cease publishing revocation
information because the customer tells them "I'm no longer using this
In the case of OCSP, the database referenced is an implementation
detail outside of the scope of the BRs. The BRs cover the responder
output (i.e. responses). As long as the responder is (a) returning a
response and (b) not returning 'good' for unissued certificates, I
think GlobalSign is in compliance.
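As an added illustration (not code from either poster), here is a small Python model of the two rules the reply relies on: BR 4.10.1 retention of a revocation entry until the revoked certificate's expiry date, and a responder that never answers 'good' for a serial it did not issue. Serial numbers and dates are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class RevokedEntry:
    serial: int
    revoked_at: datetime
    not_after: datetime  # expiry date of the revoked certificate


def prune_crl(entries, now):
    """Return the entries that must still be published at `now`.

    BR 4.10.1: an entry may be dropped only after the revoked
    certificate's Expiry Date (notAfter) has passed.
    """
    return [e for e in entries if now <= e.not_after]


def ocsp_status(issued_serials, revoked_serials, serial):
    """Model of a compliant responder's answer for one serial.

    A serial the CA never issued is answered 'unknown', never 'good';
    an issued serial is 'revoked' if a published entry exists for it.
    """
    if serial not in issued_serials:
        return "unknown"
    if serial in revoked_serials:
        return "revoked"
    return "good"


def demo():
    # Constructed data: one recently revoked certificate and one that
    # was revoked years ago and has since expired.
    utc = timezone.utc
    recent = RevokedEntry(0x1001, datetime(2016, 10, 13, tzinfo=utc),
                          datetime(2018, 1, 1, tzinfo=utc))
    expired = RevokedEntry(0x0FFF, datetime(2014, 1, 1, tzinfo=utc),
                           datetime(2015, 1, 1, tzinfo=utc))
    now = datetime(2016, 10, 16, tzinfo=utc)
    published = prune_crl([recent, expired], now)
    revoked = {e.serial for e in published}
    issued = {0x1001, 0x0FFF, 0x2002}
    return published, [ocsp_status(issued, revoked, s)
                       for s in (0x1001, 0x2002, 0x3003)]
```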