Hi Kathleen,
I have a question regarding the following language:

"When a CRL entry is for an end-entity SSL certificate and the CRLReason code is one of the following as described below, then the reasonCode extension MUST be provided. When the CRLReason code is not one of the following, then the reasonCode extension MUST NOT be provided."

Is the intention that historic revocations (i.e., revocation entries that first appeared on a CRL prior to the policy effective date) must be reviewed and updated, or is this requirement applicable only to those revocations performed after the new policy becomes effective? It would be good to have clarity here, as there was confusion when Microsoft announced their requirement for CA revocations to have a reason code in ARLs and it was unclear whether it was applicable to historic revocations or only to new revocations moving forward.

Thanks,
Corey

From: [email protected] <[email protected]> On Behalf Of Kathleen Wilson
Sent: Tuesday, January 4, 2022 6:13 PM
To: [email protected]
Subject: Re: Revocation Reason Codes for TLS End-Entity Certificates

All,

I have updated the draft policy <https://docs.google.com/document/d/1ESakR4MiwyENyuLefyH2wG8rYbtnmG1xeSYvDNpS-EI/edit?usp=sharing> to get it ready for incorporation into Mozilla's Root Store Policy, and to address comments that people provided in the document. I will greatly appreciate it if you will carefully re-review the document <https://docs.google.com/document/d/1ESakR4MiwyENyuLefyH2wG8rYbtnmG1xeSYvDNpS-EI/edit?usp=sharing> and provide feedback on it.

Additionally, I would like to begin discussing what sort of policy should be added in regards to making the revocation reasons available to certificate subscribers by the CA's tools and documentation.

Here's a rough draft to get this discussion started:

~~
The CA's subscriber agreement for SSL end-entity certificates MUST inform certificate subscribers about the following revocation reason options and provide explanation about when to choose each option. Tools that the CA provides to the certificate subscriber MUST allow for these options to be easily specified when the certificate subscriber requests revocation of their certificate, with the default value being that no revocation reason is provided.
- keyCompromise
- superseded
- cessationOfOperation
- privilegeWithdrawn
~~

Thanks,
Kathleen

--
You received this message because you are subscribed to the Google Groups "[email protected]" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/c822471d-016f-45ef-9602-0e09a141244cn%40mozilla.org.

--
You received this message because you are subscribed to the Google Groups "[email protected]" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/DM6PR14MB2186931BEABE052F4D6886F8924B9%40DM6PR14MB2186.namprd14.prod.outlook.com.
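Corey's question turns on which CRL entries the rule covers. The following is an added example (written for this page, not Mozilla's, Microsoft's or any CA's code) that parses the revokedCertificates of a DER-encoded TBSCertList, extracts each entry's reasonCode extension, and flags values the quoted language says MUST NOT be present, with a switch that models both readings of the policy: forward-looking only, or also covering entries revoked before the effective date. The policy effective date, the "Example CA" issuer, the serials and dates, and the `include_historic` knob are all constructed assumptions; the sample CRL body is hand-built and unsigned, so on a real CRL you would verify the signature first and pass in the TBSCertList bytes.

```python
"""Check CRL entries against the four-reason rule quoted in the thread.  Added example,
not Mozilla's or any CA's code: it builds a small DER TBSCertList (constructed, unsigned
sample) and walks it with a minimal DER reader, so it runs on the standard library alone."""
from datetime import datetime, timezone

UTC = timezone.utc
REASON_CODE_OID = "2.5.29.21"            # id-ce-cRLReasons, RFC 5280 section 5.3.1
CRL_REASONS = {0: "unspecified", 1: "keyCompromise", 2: "cACompromise", 3: "affiliationChanged",
               4: "superseded", 5: "cessationOfOperation", 6: "certificateHold",
               8: "removeFromCRL", 9: "privilegeWithdrawn", 10: "aACompromise"}
PERMITTED = {"keyCompromise", "superseded", "cessationOfOperation", "privilegeWithdrawn"}

def tlv(tag, content):                   # DER tag-length-value (encoder side, sample only)
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def der_int(v):                          # non-negative INTEGER, leading 0x00 when the high bit is set
    return tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big", signed=True))

def der_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        while a > 0x7F:
            a >>= 7
            chunk.insert(0, 0x80 | (a & 0x7F))
        out += chunk
    return tlv(0x06, bytes(out))

def der_utctime(dt):
    return tlv(0x17, dt.strftime("%y%m%d%H%M%SZ").encode())

def crl_entry(serial, when, reason=None, critical=False):
    body = der_int(serial) + der_utctime(when)
    if reason is not None:               # Extension { OID, [BOOLEAN critical], OCTET STRING { ENUMERATED } }
        ext = der_oid(REASON_CODE_OID) + (tlv(0x01, b"\xff") if critical else b"")
        ext += tlv(0x04, tlv(0x0A, bytes([reason])))
        body += tlv(0x30, tlv(0x30, ext))  # crlEntryExtensions SEQUENCE OF Extension
    return tlv(0x30, body)

def build_tbs_certlist(entries):
    issuer = tlv(0x30, tlv(0x31, tlv(0x30, der_oid("2.5.4.3") + tlv(0x0C, b"Example CA"))))
    sig_alg = tlv(0x30, der_oid("1.2.840.113549.1.1.11") + tlv(0x05, b""))   # sha256WithRSAEncryption
    return tlv(0x30, der_int(1) + sig_alg + issuer + der_utctime(datetime(2023, 1, 10, tzinfo=UTC))
               + der_utctime(datetime(2023, 1, 17, tzinfo=UTC)) + tlv(0x30, b"".join(entries)))

def der_read(buf, pos):                  # -> (tag, content_start, content_end) of the element at pos
    tag, n = buf[pos], buf[pos + 1]
    pos += 2
    if n & 0x80:
        n, pos = int.from_bytes(buf[pos:pos + (n & 0x7F)], "big"), pos + (n & 0x7F)
    return tag, pos, pos + n

def children(content):                   # yield (tag, content) of each element inside a SEQUENCE/SET body
    pos = 0
    while pos < len(content):
        tag, s, e = der_read(content, pos)
        yield tag, content[s:e]
        pos = e

def decode_oid(raw):
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val); val = 0
    return ".".join(map(str, arcs))

def decode_utctime(raw):                 # YYMMDDHHMMSSZ; RFC 5280: YY >= 50 means 19YY
    s = raw.decode()
    return datetime.strptime(("19" if int(s[:2]) >= 50 else "20") + s, "%Y%m%d%H%M%SZ").replace(tzinfo=UTC)

def parse_revoked_entries(tbs_der):
    """Return the revokedCertificates of a DER TBSCertList as dicts (UTCTime dates only)."""
    _, s, e = der_read(tbs_der, 0)
    fields = list(children(tbs_der[s:e]))
    if fields[0][0] == 0x02:             # optional version, then signature, issuer, thisUpdate
        fields = fields[1:]
    rest = fields[3:]
    if rest and rest[0][0] == 0x17:      # optional nextUpdate
        rest = rest[1:]
    if not rest or rest[0][0] != 0x30:   # revokedCertificates is itself optional
        return []
    out = []
    for _, entry in children(rest[0][1]):
        parts = list(children(entry))
        rec = {"serial": int.from_bytes(parts[0][1], "big"), "revocation_date": decode_utctime(parts[1][1]),
               "reason": None, "reason_critical": False}
        for _, ext in (children(parts[2][1]) if len(parts) > 2 else ()):
            items = list(children(ext))
            if decode_oid(items[0][1]) == REASON_CODE_OID:
                _, vs, ve = der_read(items[-1][1], 0)              # ENUMERATED inside the OCTET STRING
                rec["reason"] = int.from_bytes(items[-1][1][vs:ve], "big")
                rec["reason_critical"] = len(items) == 3 and items[1][1] == b"\xff"
        out.append(rec)
    return out

def audit_reason_codes(tbs_der, effective_date, include_historic=False):
    """Flag reasonCode usage the draft forbids.  An absent reasonCode is never flagged: the CRL
    alone cannot show that one of the four reasons was withheld.  effective_date and
    include_historic are assumed knobs modelling the two readings the thread asks about."""
    findings = []
    for rec in parse_revoked_entries(tbs_der):
        if rec["reason"] is None or (rec["revocation_date"] < effective_date and not include_historic):
            continue
        name = CRL_REASONS.get(rec["reason"], "unknown(%d)" % rec["reason"])
        if rec["reason_critical"]:
            findings.append((rec["serial"], "reasonCode marked critical; RFC 5280 requires non-critical"))
        if name not in PERMITTED:
            findings.append((rec["serial"], "reasonCode %s present; draft says MUST NOT be provided" % name))
    return findings

POLICY_EFFECTIVE = datetime(2022, 10, 1, tzinfo=UTC)    # assumed effective date for the sample
SAMPLE_TBS = build_tbs_certlist([                        # constructed sample entries
    crl_entry(0x1001, datetime(2021, 12, 1, tzinfo=UTC), reason=1),   # historic keyCompromise
    crl_entry(0x1002, datetime(2022, 11, 5, tzinfo=UTC), reason=6),   # certificateHold after the date
    crl_entry(0x1003, datetime(2022, 11, 6, tzinfo=UTC)),             # no reasonCode at all
    crl_entry(0x1004, datetime(2021, 6, 15, tzinfo=UTC), reason=3),   # historic affiliationChanged
    crl_entry(0x1005, datetime(2022, 12, 1, tzinfo=UTC), reason=4, critical=True),  # superseded, critical
])
```

Calling `audit_reason_codes(SAMPLE_TBS, POLICY_EFFECTIVE)` reports only the post-effective-date certificateHold entry and the superseded entry whose extension was wrongly marked critical; passing `include_historic=True` additionally surfaces the 2021 affiliationChanged entry, which is exactly the class of entry Corey's question is about. Two limits worth keeping in mind: an entry with no reasonCode is silently accepted because nothing in the CRL records the CA's internal reason, and the reader accepts only UTCTime dates, which is all a CRL issued before 2050 will contain.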
