Section 6 of the Root Store Policy gives a list of reasons for revocation, as do the BRs. The BRs list is somewhat more comprehensive than ours; ours may be an earlier version of theirs.
We should remove the duplication by referencing the list in the BRs and add any extra ones we might need, bearing in mind that the BRs are only for TLS/SSL certificates, and our policy also covers S/MIME. Our existing list rather assumes SSL certificates (e.g. bullet 5). I can't think of any extra ones to add above and beyond those listed.

So, proposed new text:

"CAs MUST revoke Certificates that they have issued upon the occurrence of any event listed in the appropriate subsection of section 4.9.1 of the Baseline Requirements (for email certificates, not including those events specific to the inclusion of Domain Names)."

Are there any circumstances under which Mozilla should require revocation which are not among those listed in the BRs?

This is: https://github.com/mozilla/pkipolicy/issues/14

-------

This is a proposed update to Mozilla's root store policy for version 2.5. Please keep discussion in this group rather than on Github. Silence is consent.

Policy 2.4.1 (current version): https://github.com/mozilla/pkipolicy/blob/2.4.1/rootstore/policy.md
Update process: https://wiki.mozilla.org/CA:CertPolicyUpdates

_______________________________________________
dev-security-policy mailing list
firstname.lastname@example.org
https://lists.mozilla.org/listinfo/dev-security-policy