Hi,

While the Japanese ApplicationCA2 Root has been rejected as a Root CA [1] and is no 
longer in operation [2],
I became aware that the CRL endpoints of both the CA and at least one sub-CA are 
unavailable.

a sub-CA: https://crt.sh/?id=9341006
leaf certificate issued from the sub-CA: https://crt.sh/?id=524524172
(you can browse all issued certificates from the sub-CA with 
https://crt.sh/?Identity=%25&iCAID=1419)

Both of them were revoked, but the CRL endpoint is now unavailable with an HTTP 404 
error response.
OCSP also fails.

Is it OK to abandon the CRL for the decommissioned CA even if there are still 
unexpired certificates?
The certificates were revoked, but we have no way to validate it in a PKI-ish 
manner...

Sorry if this is off-topic because the CA has never been approved as a Root CA by 
Mozilla.

[1] https://bugzilla.mozilla.org/show_bug.cgi?id=870185
[2] https://www.gpki.go.jp/apca2/ (only in Japanese)

Sincerely,

-- 
Nenyotoso
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
