The BRs define Repository as:

Repository: An online database containing publicly-disclosed PKI governance documents (such as Certificate Policies and Certification Practice Statements) and Certificate status information, either in the form of a CRL or an OCSP response.

I see no evidence to support the idea that the scope of the term Repository in section 4.9.13 is limited to issuing CAs. Therefore, a strict reading of the BRs is that any BR-compliant root must not suspend any intermediate or end-entity certificate in the hierarchy. I can understand how this causes problems for CAs that rely on certificate suspension outside of TLS, and I have not been enforcing this strict interpretation, but I do think the BRs should be updated to solve this problem.

- Wayne

On Mon, Feb 4, 2019 at 10:07 AM Pedro Fuentes via dev-security-policy <[email protected]> wrote:

> Well... my understanding is that “Repository” refers there to the one of
> the Issuing CA, not the whole repository under a Root, because a Root could
> have subordinates that don’t issue SSL, and for which suspension could be
> allowed.
> _______________________________________________
> dev-security-policy mailing list
> [email protected]
> https://lists.mozilla.org/listinfo/dev-security-policy

