On Tue, Mar 20, 2018 at 3:43 PM, Jakob Bohm via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:

> On 20/03/2018 18:49, Ryan Sleevi wrote:
>
>> On Tue, Mar 20, 2018 at 1:30 PM, Jakob Bohm via dev-security-policy <
>> dev-security-policy@lists.mozilla.org> wrote:
>>
>>>> Are you suggesting that the BRs be modified so a CA that has ceased
>>>> issuance can obtain a clean audit report without meeting all current BR
>>>> requirements?
>>>>
>>> I am suggesting that we consider what policy should be applied to the
>>> (required!) capability of keeping revocation running for max cert
>>> lifetime after a CA ceases to operate.
>>>
>> The BRs already cover this. The point is that once a CA stops auditing,
>> there's an issue about ensuring conformance.
>>
> Actually, they don't.  They have an empty placeholder section for wind
> down procedures.  Surely one could blindly apply the full BRs to the
> situation, which I am arguing against.

The BRs absolutely cover this. The empty placeholder section is there for
CAs to describe their specific wind-down procedures (the BRs are often used
as a starting point for CAs developing a CP, with the intent that CAs will
fill out each section with their specific controls), but that does not mean
that the BRs don't cover CAs that are winding down.

And the BRs *should* cover this, because all that matters to BR scope is
whether a CA is still technically capable of issuing certificates. Their
own stated commitment to no longer issuing certificates is immaterial.

I think it's not going to be productive to spend a lot of time on the list
debating whether or not a CA can opt out of full BR compliance by simply
saying "we're winding down and won't issue certificates anymore". From
Mozilla's perspective, any root in their trust stores needs to be held to
the same standard.

-- Eric

-- 
konklone.com | @konklone <https://twitter.com/konklone>