On Wed, Sep 30, 2020 at 03:58:45PM +0000, Rob Stradling via dev-security-policy wrote:
> Starting today, the BRs require a reasonCode in CRLs and OCSP responses for
> revoked CA certificates. Since crt.sh already monitors CRLs and keeps track
> of reasonCodes, I thought I would conduct some analysis to determine the
> level of (non)compliance with these new rules.
>
> It's not clear to me if (1) the new BR rules should be applied only to CRLs
> and OCSP responses with thisUpdate timestamps dated today or afterwards, or
> if (2) every CRL and OCSP response currently being served by distribution
> points and responders (regardless of the thisUpdate timestamps) is required
> to comply. (I'd be interested to hear folks' opinions on this).
I read the text as meaning that, effective today, every CRL or OCSP response you get should comply with the requirements. It also covers CA certificates that were revoked in the past.

The text talks about a CRL entry for a root CA. That is, a root CA says its own certificate has been revoked. That doesn't seem very useful.

Kurt
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
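The kind of check behind the compliance analysis discussed above, as an added example that is not crt.sh's or anyone in the thread's code: it builds a small CRL with the `cryptography` library and reports which revoked entries lack the reasonCode CRL entry extension, together with whether the CRL's thisUpdate falls on or after 2020-09-30 so either of the two readings can be applied. The issuer name, serial numbers and revocation reason are constructed sample values.

```python
# Added example (not crt.sh's or the thread's own code): build a small CRL with
# the `cryptography` library and check each revoked entry for the reasonCode
# CRL entry extension that the BRs now require for revoked CA certificates.
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

# Date the reasonCode requirement took effect, as stated in the thread.
BR_REASONCODE_EFFECTIVE = datetime(2020, 9, 30, tzinfo=timezone.utc)

def _this_update(crl):
    # Newer cryptography releases expose a tz-aware last_update_utc; older ones
    # only have a naive last_update, which is UTC by construction.
    ts = getattr(crl, "last_update_utc", None)
    return ts if ts is not None else crl.last_update.replace(tzinfo=timezone.utc)

def check_crl_reasoncodes(der_bytes):
    """Return (thisUpdate on/after the effective date, serials lacking reasonCode).
    The first value lets a caller apply either reading from the thread: only CRLs
    dated on/after 2020-09-30 (reading 1), or every CRL being served (reading 2)."""
    crl = x509.load_der_x509_crl(der_bytes)
    missing = []
    for entry in crl:
        try:
            entry.extensions.get_extension_for_class(x509.CRLReason)
        except x509.ExtensionNotFound:
            missing.append(entry.serial_number)
    return _this_update(crl) >= BR_REASONCODE_EFFECTIVE, missing

def build_sample_crl(days_after_effective):
    """Constructed sample (hypothetical issuer name and serials): entry 1001
    carries a reasonCode, entry 1002 omits it."""
    when = BR_REASONCODE_EFFECTIVE + timedelta(days=days_after_effective)
    key = ec.generate_private_key(ec.SECP256R1())
    issuer = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example Issuing CA")])
    with_reason = (x509.RevokedCertificateBuilder().serial_number(1001).revocation_date(when)
                   .add_extension(x509.CRLReason(x509.ReasonFlags.key_compromise), critical=False)
                   .build())
    no_reason = x509.RevokedCertificateBuilder().serial_number(1002).revocation_date(when).build()
    crl = (x509.CertificateRevocationListBuilder().issuer_name(issuer)
           .last_update(when).next_update(when + timedelta(days=7))
           .add_revoked_certificate(with_reason).add_revoked_certificate(no_reason)
           .sign(key, hashes.SHA256()))
    return crl.public_bytes(serialization.Encoding.DER)

if __name__ == "__main__":
    print(check_crl_reasoncodes(build_sample_crl(1)))  # (True, [1002])
```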