On Wed, Sep 30, 2020 at 12:56 PM Rob Stradling via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
> I also read this language:
>
>   If a CRL entry is for a Certificate not subject to these Requirements
>   and was either issued on-or-after 2020-09-30 or has a notBefore on-or-after
>   2020-09-30, the CRLReason MUST NOT be certificateHold (6).
>
> I think "was either issued on-or-after 2020-09-30 or has a notBefore
> on-or-after 2020-09-30" is talking about "a Certificate not subject to
> these Requirements", not about when the CRL was issued.
>

Yes. Yet another reason I think our approach to stating requirements in "plain English" does more harm than good.

The correct parse tree:

If a CRL entry is for:
  * a Certificate not subject to these Requirements; and
  * either:
    * was issued on-or-after 2020-09-30; or
    * has a notBefore on-or-after 2020-09-30
then:
  * the CRLReason MUST NOT be certificateHold (6).

This was hoped to be "obvious", given that a "CRL entry" (a specific thing within a CRL, c.f. https://tools.ietf.org/html/rfc5280#section-5.3 and X.509) is neither issued nor has a notBefore.