On Thursday, July 2, 2020 at 12:06:22 AM UTC+3, Ryan Sleevi wrote:
> Unfortunately, revocation of this certificate is simply not enough to
> protect Mozilla TLS users. This is because this Sub-CA COULD provide OCSP
> for itself that would successfully validate, AND provide OCSP for other
> revoked sub-CAs, even if it was revoked.

If I understand correctly, the logic behind the proposal to destroy the intermediate CA private key now is to avoid a situation where, in case this intermediate CA private key is later compromised, the intermediate CA becomes non-revocable until it expires. So the action now is required to mitigate a potential security risk that can materialize later. Can't the affected CAs decide on their own whether to destroy the intermediate CA private key now, or, in case the affected intermediate CA private key is later compromised, revoke the root CA instead?