> I also read this language:
>
> If a CRL entry is for a Certificate not subject to these Requirements and was
> either issued on-or-after 2020-09-30 or has a notBefore on-or-after
> 2020-09-30, the CRLReason MUST NOT be certificateHold (6).
I think "was either issued on-or-after 2020-09-30 or has a notBefore on-or-after 2020-09-30" is talking about "a Certificate not subject to these Requirements", not about when the CRL was issued.

________________________________
From: dev-security-policy <dev-security-policy-boun...@lists.mozilla.org> on behalf of Jeremy Rowley via dev-security-policy <dev-security-policy@lists.mozilla.org>
Sent: 30 September 2020 17:41
To: Mozilla <mozilla-dev-security-pol...@lists.mozilla.org>
Subject: RE: Mandatory reasonCode analysis

This is a good question. I read the requirements as applying only to CRLs and OCSP published after the effective date since the BRs always say explicitly when they apply to items before the effective date. I also read this language:

If a CRL entry is for a Certificate not subject to these Requirements and was either issued on-or-after 2020-09-30 or has a notBefore on-or-after 2020-09-30, the CRLReason MUST NOT be certificateHold (6).

Which made me think the language applied only to CRLs and OCSP issued after 9-30. However, the language does only reference certificateHold and not the inclusion of reasonCode language. That was the analysis I had anyway - that any CRLs and OCSP published after 9-30 had to have reasonCode.

-----Original Message-----
From: dev-security-policy <dev-security-policy-boun...@lists.mozilla.org> On Behalf Of Rob Stradling via dev-security-policy
Sent: Wednesday, September 30, 2020 9:59 AM
To: dev-security-policy@lists.mozilla.org
Subject: Mandatory reasonCode analysis

Starting today, the BRs require a reasonCode in CRLs and OCSP responses for revoked CA certificates. Since crt.sh already monitors CRLs and keeps track of reasonCodes, I thought I would conduct some analysis to determine the level of (non)compliance with these new rules.
It's not clear to me if (1) the new BR rules should be applied only to CRLs and OCSP responses with thisUpdate timestamps dated today or afterwards, or if (2) every CRL and OCSP response currently being served by distribution points and responders (regardless of the thisUpdate timestamps) is required to comply. (I'd be interested to hear folks' opinions on this).

This gist contains my crt.sh query, the results as .tsv, and a .zip containing all of the referenced CRLs:
https://gist.github.com/robstradling/3088dd622df8194d84244d4dd65ffd5f

--
Rob Stradling
Senior Research & Development Scientist
Email: r...@sectigo.com
Bradford, UK
Office: +441274024707
Sectigo Limited

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
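An added example, not from the thread or from crt.sh, that turns the two readings Rob asks about into an audit check over constructed CRL data: reading (1) scopes the check to CRLs whose thisUpdate is on or after the effective date, reading (2) checks every served CRL. It assumes the CRL covers revoked CA certificates and that the monitor knows each revoked certificate's notBefore and whether it is subject to the BRs (the `subject_to_brs` flag is an assumption).

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

EFFECTIVE_DATE = date(2020, 9, 30)   # date the reasonCode requirement took effect
CERTIFICATE_HOLD = 6                 # CRLReason certificateHold(6), RFC 5280

@dataclass
class Entry:
    serial: str
    subject_to_brs: bool    # assumption: monitor knows whether the cert is BR-subject
    not_before: date        # notBefore of the revoked certificate
    reason: Optional[int]   # CRLReason value, or None when the extension is absent

@dataclass
class Crl:
    this_update: date       # thisUpdate of the CRL being served
    entries: List[Entry]

def check_crl(crl: Crl, all_served: bool = False) -> List[Tuple[str, str]]:
    """Return (serial, finding) pairs for entries that fail the new rules.

    all_served=False is reading (1): only CRLs with thisUpdate on or after
    the effective date are in scope. all_served=True is reading (2): every
    CRL currently being served is checked regardless of thisUpdate.
    """
    if crl.this_update < EFFECTIVE_DATE and not all_served:
        return []
    findings = []
    for e in crl.entries:
        if e.reason is None:
            findings.append((e.serial, "missing reasonCode"))
        elif (e.reason == CERTIFICATE_HOLD and not e.subject_to_brs
              and e.not_before >= EFFECTIVE_DATE):
            # The certificateHold prohibition keys on the revoked certificate's
            # issuance/notBefore date, not on when the CRL itself was issued.
            findings.append((e.serial, "certificateHold not permitted"))
    return findings

# Constructed sample data, not taken from the gist referenced above.
NEW_CRL = Crl(date(2020, 10, 5), [
    Entry("01", True, date(2019, 1, 1), None),                 # reasonCode missing
    Entry("02", True, date(2019, 1, 1), 1),                    # keyCompromise, fine
    Entry("03", False, date(2020, 10, 1), CERTIFICATE_HOLD),   # cert issued after 9-30
    Entry("04", False, date(2019, 1, 1), CERTIFICATE_HOLD),    # cert predates the rule
])
OLD_CRL = Crl(date(2020, 9, 1), [Entry("05", True, date(2019, 1, 1), None)])
```

Running `check_crl(OLD_CRL)` with and without `all_served=True` shows how much of a monitor's reported non-compliance depends on which reading is adopted.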