Section 6 of the Root Store Policy gives a list of reasons for
revocation, as do the BRs. The BRs list is somewhat more comprehensive
than ours; ours may be an earlier version of theirs.

We should remove the duplication by referencing the list in the BRs and
add any extra ones we might need, bearing in mind that the BRs are only
for TLS/SSL certificates, and our policy also covers S/MIME.

Our existing list rather assumes SSL certificates (e.g. bullet 5). I
can't think of any extra ones to add above and beyond those listed.

So, proposed new text:

"CAs MUST revoke Certificates that they have issued upon the
occurrence of any event listed in the appropriate subsection of section
4.9.1 of the Baseline Requirements (for email certificates, not
including those events specific to the inclusion of Domain Names)."

Are there any circumstances under which Mozilla should require
revocation which are not among those listed in the BRs?

This is:


This is a proposed update to Mozilla's root store policy for version
2.5. Please keep discussion in this group rather than on Github. Silence
is consent.

Policy 2.4.1 (current version):
Update process:
dev-security-policy mailing list

Reply via email to