Bruce, The answer would be yes because we check the validity of the root CA certificate and other CA certificates. Ben
On Thu, Mar 11, 2021 at 10:33 AM Ben Wilson <bwil...@mozilla.com> wrote: > Hi Bruce, > I think the answer is yes. A CA certificate is no longer trusted once it > has expired or been revoked (or added to OneCRL for subCAs) or removed > (roots). But I'm double-checking on the case of certificates with validity > periods that extend past the expiration of the root. > Ben > > On Thu, Mar 11, 2021 at 7:28 AM Bruce via dev-security-policy < > dev-security-policy@lists.mozilla.org> wrote: > >> On Saturday, March 6, 2021 at 11:17:53 PM UTC-5, bwi...@mozilla.com >> wrote: >> > Thanks, Bruce, for raising the issue of pre-generated, yet unassigned >> keys. >> > The intent was to cover this scenario. We are aware that CAs might >> > generate 1000s of keys in a partition and then years later assign a few >> of >> > them as CA keys, others as OCSP responder keys, etc., and some might >> never >> > be used. Presumably each of the keys would have an identifier and the >> CA >> > operator would maintain a list of those key identifiers for each >> partition. >> > The goal is to have an audited chain of custody for the keys, which >> could >> > also be based on the physical and logical protection of the HSM that is >> > holding them. >> > Key lifecycle documentation would consist of a documented key >> generation >> > ceremony (where such documentation is reviewed by an auditor). Then, >> > annually an auditor would review storage and access records for the >> HSM(s) >> > and the list of keys to see which ones had been used for CAs and which >> ones >> > had not. Then, as keys were destroyed (or if not, when the HSM is >> zeroized >> > at the end of the HSM's lifecycle), there would be an attestation of >> key >> > destruction that would be covered by an audit/auditor's statement. >> > On Fri, Mar 5, 2021 at 9:46 AM Bruce via dev-security-policy < >> > dev-secur...@lists.mozilla.org> wrote: >> > >> >> One more question for clarification as I want to make sure we understand >> how to get our practices updated to meet the Mozilla Policy. The >> requirement states "until the CA certificate is no longer trusted by >> Mozilla's root store." Can we confirm that a CA certificate is no longer >> trusted by the Mozilla root store if 1) it has expired or 2) it has been >> revoked and the OneCRL has been updated. Of course Mozilla may have other >> ways to no longer trust a CA certificate. >> _______________________________________________ >> dev-security-policy mailing list >> dev-security-policy@lists.mozilla.org >> https://lists.mozilla.org/listinfo/dev-security-policy >> > _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy