On 27/04/17 00:16, Jeremy Rowley wrote:
> We also started the revocation process for the 500 certificates
> containing meta-data. However, we wanted to ask about the 1000
> certificates containing data indicating the field was not applicable.
> We recognize these were not properly issued, but I am curious whether
> revocation is required by Mozilla in this case. Should we start
> revoking those certificates as well despite the certificate
> information clearly not indicating a state/province? My thought is
> yes because of BR 4.9.1.1:
> 
> 9. The CA is made aware that the Certificate was not issued in
> accordance with these Requirements or the CA’s Certificate Policy or
> Certification Practice Statement;

What line in your CP or CPS is violated by these certs?

> I don't think #10 applies because the information is accurate - the
> field is not applicable: 10. The CA determines that any of the
> information appearing in the Certificate is inaccurate or
> misleading;

I agree that a "." or "-" instead of a field being empty is not
inaccurate or misleading. However, #10 also says "the CA determines", so
it's your view, not mine, which is most relevant :-)

Gerv
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
