On Wed, Sep 30, 2020 at 1:21 PM Kurt Roeckx via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
> On Wed, Sep 30, 2020 at 03:58:45PM +0000, Rob Stradling via
> dev-security-policy wrote:
> > Starting today, the BRs require a reasonCode in CRLs and OCSP responses
> > for revoked CA certificates. Since crt.sh already monitors CRLs and keeps
> > track of reasonCodes, I thought I would conduct some analysis to determine
> > the level of (non)compliance with these new rules.
> >
> > It's not clear to me if (1) the new BR rules should be applied only to
> > CRLs and OCSP responses with thisUpdate timestamps dated today or
> > afterwards, or if (2) every CRL and OCSP response currently being served by
> > distribution points and responders (regardless of the thisUpdate
> > timestamps) is required to comply. (I'd be interested to hear folks'
> > opinions on this).
>
> I read the text to that effect: today, every CRL or OCSP response you get
> should comply with the requirements. It also covers CA
> certificates that were revoked in the past.
>
> The text talks about a CRL entry for a root CA. That is, a root CA
> says its own certificate has been revoked. That doesn't seem very
> useful.

It's unambiguous, at least, since you can publish CRLs for Root CAs (and that's covered as part of the auditing criteria, FWIW), and also solves any issues with cross-certificates, by making it clear it's any CRL for anything with CA:TRUE, "regardless" of how it's used.

To Rob's question, the intent in drafting this requirement, which was an existing (and long-standing) requirement from Microsoft that is also consistent with past requests (not requirements) from Mozilla, Google, and Apple, is that revocation information is updated by this deadline. This was discussed during the balloting phase, precisely to allow CAs to schedule ceremonies to generate new CRLs to ensure that, as of the deadline, all revocation services provided were and are compliant.
This was explicitly called out in https://github.com/cabforum/documents/pull/195 , which stated: "These requirements come into effect 2020-09-30, as issuing new CRLs requires a new ceremony."

As of today (intentionally chosen to be a Wednesday, so that there were no beginning/end of week surprises), the published CRLs and OCSP responses available via the CA's repository were and are expected to comply with the profile set forth in the Baseline Requirements. A reasonCode was and is expected to be published today, and so the question is "Does the published CRL contain a reasonCode"?
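The question the thread ends on, "does the published CRL contain a reasonCode", is mechanically checkable: walk the DER of the CRL and look, in each revokedCertificates entry, for a crlEntryExtension with id-ce-cRLReasons (OID 2.5.29.21). The following is an added example written for this page; it is not crt.sh's code nor anything posted in the thread. It uses a small hand-rolled DER reader so it runs with no third-party dependencies, and it builds its own sample CRL inline (a constructed "Example Root CA" issuer, made-up serials and a dummy all-zero signature). What it does not do is decide which serials belong to CA certificates, which is the scope of the new BR rule, nor fetch live CRLs or look at OCSP; a real monitor would join the serials against the issuer's CA:TRUE certificates the way crt.sh can.

```python
"""Check whether each revokedCertificates entry in a DER-encoded CRL carries a
reasonCode entry extension.  Added example: pure-Python DER walk, no
dependencies.  The sample CRL is constructed inline and is not real data."""

REASON_CODE_OID = "2.5.29.21"  # id-ce-cRLReasons (RFC 5280, 5.3.1)
REASON_NAMES = {0: "unspecified", 1: "keyCompromise", 2: "cACompromise",
                3: "affiliationChanged", 4: "superseded",
                5: "cessationOfOperation", 6: "certificateHold",
                8: "removeFromCRL", 9: "privilegeWithdrawn", 10: "aACompromise"}

# --- minimal DER encode helpers, used only to build the constructed sample ---
def der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def tlv(tag, content):
    return bytes([tag]) + der_len(len(content)) + content

def der_int(v):  # non-negative INTEGER, minimal DER (leading 0x00 if needed)
    return tlv(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big"))

def der_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        body += bytes(reversed(chunk))
    return tlv(0x06, bytes(body))

def utc(s):
    return tlv(0x17, s.encode())

# --- minimal DER decode helpers -------------------------------------------
def read_tlv(buf, pos):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(content):
    out, pos = [], 0
    while pos < len(content):
        tag, val, pos = read_tlv(content, pos)
        out.append((tag, val))
    return out

def decode_oid(body):
    arcs, n = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(n)
            n = 0
    return ".".join(map(str, arcs))

# --- the check --------------------------------------------------------------
def crl_reason_codes(crl_der):
    """Map each revoked serial to its CRLReason (int), or None if the entry
    has no reasonCode extension.  Signature is not verified here."""
    _, cert_list, _ = read_tlv(crl_der, 0)            # CertificateList
    fields = children(children(cert_list)[0][1])       # TBSCertList fields
    i = 1 if fields[0][0] == 0x02 else 0               # optional version
    i += 3                                             # signature, issuer, thisUpdate
    if i < len(fields) and fields[i][0] in (0x17, 0x18):
        i += 1                                         # optional nextUpdate
    reasons = {}
    if i < len(fields) and fields[i][0] == 0x30:       # revokedCertificates
        for _, entry in children(fields[i][1]):
            parts = children(entry)                    # serial, date[, exts]
            serial = int.from_bytes(parts[0][1], "big", signed=True)
            reason = None
            if len(parts) > 2:
                for _, ext in children(parts[2][1]):
                    ext_parts = children(ext)          # OID[, critical], OCTET STRING
                    if decode_oid(ext_parts[0][1]) == REASON_CODE_OID:
                        _, enum, _ = read_tlv(ext_parts[-1][1], 0)  # ENUMERATED
                        reason = int.from_bytes(enum, "big")
            reasons[serial] = reason
    return reasons

def entries_missing_reason(crl_der):
    return sorted(s for s, r in crl_reason_codes(crl_der).items() if r is None)

def build_sample_crl(entries):
    """Constructed sample (not a real CRL): entries is [(serial, reason|None)].
    Signature bits are dummy zeros; only the structure matters for the check."""
    alg = tlv(0x30, der_oid("1.2.840.113549.1.1.11") + tlv(0x05, b""))
    issuer = tlv(0x30, tlv(0x31, tlv(0x30, der_oid("2.5.4.3") + tlv(0x0C, b"Example Root CA"))))
    revoked = b""
    for serial, reason in entries:
        entry = der_int(serial) + utc("200915120000Z")
        if reason is not None:
            ext = tlv(0x30, der_oid(REASON_CODE_OID) + tlv(0x04, tlv(0x0A, bytes([reason]))))
            entry += tlv(0x30, ext)
        revoked += tlv(0x30, entry)
    tbs = tlv(0x30, der_int(1) + alg + issuer + utc("200930120000Z")
              + utc("201007120000Z") + tlv(0x30, revoked))
    return tlv(0x30, tbs + alg + tlv(0x03, b"\x00" * 33))

if __name__ == "__main__":
    crl = build_sample_crl([(0x1001, 1), (0x1002, None), (0x1003, 5)])
    for serial, reason in crl_reason_codes(crl).items():
        print(f"serial {serial:#x}: {REASON_NAMES.get(reason, 'MISSING reasonCode')}")
```

To run it against a CRL a CA actually serves, replace the constructed sample with the bytes of the downloaded file (converting from PEM first if the distribution point serves PEM) and feed them to `entries_missing_reason`; a non-empty result is the list of serials whose entries would fail the "does the published CRL contain a reasonCode" question.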