On Thursday, July 2, 2020 at 12:06:22 AM UTC+3, Ryan Sleevi wrote:
> Unfortunately, revocation of this certificate is simply not enough to
> protect Mozilla TLS users. This is because this Sub-CA COULD provide OCSP
> for itself that would successfully validate, AND provide OCSP for other
> revoked sub-CAs, even if it was revoked.

If I understand correctly, the logic behind the proposal to destroy 
intermediate CA private key now, is to avoid a situation that in case this 
intermediate CA private key is later compromised the intermediate CA becomes 
non-revocable until it expires.

So the action now is required to mitigate a potential security risk that can 
materialize later.

Can't the affected CAs decide on their own whether to destroy the intermediate 
CA private key now, or in case the affected intermediate CA private key is 
later compromised, revoke the root CA instead?
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy

Reply via email to