On 18/10/16 19:15, Ryan Sleevi wrote:
> On Tuesday, October 18, 2016 at 10:52:19 AM UTC-7, Rob Stradling wrote:
>> AIUI, it's permissible to "un-revoke" any certificate via OCSP, but it's
>> only permissible to "un-revoke" a certificate via CRL if it was revoked
>> with the reason code certificateHold.
>
> Which "permissible" are we talking about? BRs or 5280?

I was talking just about 5280 there. i.e. I believe my statement was correct insofar as it went.

> While 5280 allows certificateHold, the BRs do not - see 4.9.13:
> The Repository MUST NOT include entries that indicate that a Certificate is
> suspended

Thanks for finding that, Ryan. (I was pretty sure the BRs prohibited certificateHold, but...insufficient PDF searching fu ;-) ).

<snip>

--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
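
The two rules discussed in this thread, written as a check over two successive full CRLs from one issuer. This is an added example and not part of the original messages; the function name, the dict-based CRL model and the sample serials are constructed for illustration. It also assumes the RFC 5280 allowance that an entry may drop off the CRL once it has appeared on a CRL issued after the certificate's notAfter.

```python
from datetime import datetime, timezone

CERTIFICATE_HOLD = "certificateHold"  # RFC 5280 CRLReason value 6


def lint_crl_transition(prev_crl, next_crl, not_after, prev_this_update):
    """Compare two successive full CRLs (hypothetical model, not a real parser).

    prev_crl, next_crl: dict of serial -> reason code name
    not_after: dict of serial -> certificate notAfter (datetime)
    prev_this_update: thisUpdate of the earlier CRL (datetime)
    Returns a sorted list of (serial, finding) tuples.
    """
    findings = []
    # BRs 4.9.13: the repository must not show a certificate as suspended.
    for serial, reason in next_crl.items():
        if reason == CERTIFICATE_HOLD:
            findings.append((serial, "BR 4.9.13: certificateHold entry"))
    # Entries present on the earlier CRL but gone from the later one.
    for serial, reason in prev_crl.items():
        if serial in next_crl:
            continue
        expiry = not_after.get(serial)
        if expiry is not None and expiry < prev_this_update:
            continue  # already listed once after expiry, removal is allowed
        if reason != CERTIFICATE_HOLD:
            findings.append(
                (serial, "RFC 5280: un-revoked via CRL without certificateHold"))
    return sorted(findings)


def run_sample():
    """Constructed sample data: four revoked serials, then a later CRL."""
    utc = timezone.utc
    prev_crl = {"01": "keyCompromise", "02": CERTIFICATE_HOLD,
                "03": "superseded", "04": "cessationOfOperation"}
    next_crl = {"04": "cessationOfOperation", "05": CERTIFICATE_HOLD}
    not_after = {"01": datetime(2017, 6, 1, tzinfo=utc),
                 "02": datetime(2017, 6, 1, tzinfo=utc),
                 "03": datetime(2016, 9, 1, tzinfo=utc)}
    return lint_crl_transition(prev_crl, next_crl, not_after,
                               datetime(2016, 10, 1, tzinfo=utc))


if __name__ == "__main__":
    for serial, finding in run_sample():
        print(serial, finding)
```

Serial 02 leaving the CRL is accepted under the RFC 5280 reading because it was on hold, while serial 05 is flagged because the BRs forbid the hold entry itself.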