On 30/12/2021 12:11 AM, Kathleen Wilson wrote:
2) Per the feedback from Wendy (here
<https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/Cls1b2iuOLU/m/-wAFl43kCwAJ>)
I replaced "affiliationChanged (3)" with "cessationOfOperation (5)" in
the proposed text, because despite the previously referenced document
<https://docs.microsoft.com/en-us/previous-versions/tn-archive/cc700843(v=technet.10)>
about revocation reasons, I agree with Wendy that cessationOfOperation
makes more sense in regards to a TLS certificate no longer being
needed because the website it was used in has been taken down or the
certificate subscriber no longer owns the domain name(s) in the
certificate. Whereas affiliationChanged seems to be about how a person
is associated with an organization.
I am not so sure that "affiliationChanged (3)" is not applicable for TLS
certificates. According to the X.509 section 9.5.3.1 language:
* *affiliationChanged* indicates that the subject's name or other
information in the public-key certificate has been modified but
there is no cause to suspect that the private key has been compromised.
* *superseded* indicates that the public-key certificate has been
superseded but there is no cause to suspect that the private key has
been compromised.
So, if a company is changing its name and there are OV/EV Certificates with
the official legal name included, these certificates need to be changed
and include the new legal name. In that case, affiliationChanged makes
sense to me.
If the current proposal is adopted, because of "If the certificate is
revoked for a reason not listed below, then the reasonCode extension
MUST NOT be provided in the CRL.", many CAs using the affiliationChanged
reason in their practices will be out of compliance.
Dimitris.
To view this discussion on the web visit
https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/2c4d3231-4d68-8ba5-7a02-13ce1d7b2340%40it.auth.gr.
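Added example, not code from this thread, from Mozilla, or from any CA: a small Python audit that shows the compliance effect Dimitris describes. It decodes the DER-encoded reasonCode value of each CRL entry (the ENUMERATED values are those of RFC 5280 section 5.3.1 / X.509) and reports any entry whose reasonCode is present but not in a policy allow-list. The allow-list `ALLOWED_REASONS` is a placeholder assumption, since the proposal's full list is not quoted in the thread; it omits affiliationChanged (3) on purpose so that the finding matches the concern raised above. The CRL entries are constructed samples.

```python
"""Audit reasonCode values in CRL entries against a policy allow-list.

Added example for the dev-security-policy discussion; not code from the
thread, from Mozilla or from any CA. Reason-code numbers are the RFC 5280
CRLReason ENUMERATED values; ALLOWED_REASONS is a placeholder assumption
and SAMPLE_ENTRIES are constructed, not taken from any real CRL.
"""
from dataclasses import dataclass
from typing import List, Optional

# RFC 5280 section 5.3.1 CRLReason ENUMERATED values (value 7 is unused).
CRL_REASONS = {
    0: "unspecified",
    1: "keyCompromise",
    2: "cACompromise",
    3: "affiliationChanged",
    4: "superseded",
    5: "cessationOfOperation",
    6: "certificateHold",
    8: "removeFromCRL",
    9: "privilegeWithdrawn",
    10: "aACompromise",
}

# Placeholder policy list (assumption: the thread does not quote the
# proposal's full list). affiliationChanged (3) is deliberately absent.
ALLOWED_REASONS = {1, 2, 4, 5, 9}


def encode_reason_code(value: int) -> bytes:
    """Encode a CRLReason as the DER ENUMERATED extnValue: tag 0x0A, length 1."""
    if value not in CRL_REASONS:
        raise ValueError(f"unknown CRLReason value {value}")
    return bytes([0x0A, 0x01, value])


def decode_reason_code(der: bytes) -> int:
    """Decode a reasonCode extnValue; reject anything but a one-byte ENUMERATED."""
    if len(der) != 3 or der[0] != 0x0A or der[1] != 0x01:
        raise ValueError(f"not a one-byte DER ENUMERATED: {der.hex()}")
    value = der[2]
    if value not in CRL_REASONS:
        raise ValueError(f"unknown CRLReason value {value}")
    return value


@dataclass
class RevokedEntry:
    serial_hex: str
    reason_der: Optional[bytes]  # None when the reasonCode extension is absent


def audit_entry(entry: RevokedEntry) -> Optional[str]:
    """Return a finding for a non-conformant entry, or None when it conforms.

    Absence of the reasonCode extension is always acceptable; the rule under
    discussion only forbids *including* a reason outside the policy list.
    """
    if entry.reason_der is None:
        return None
    try:
        code = decode_reason_code(entry.reason_der)
    except ValueError as exc:
        return f"{entry.serial_hex}: malformed reasonCode ({exc})"
    if code not in ALLOWED_REASONS:
        return (f"{entry.serial_hex}: reasonCode {code} ({CRL_REASONS[code]}) "
                f"is not in the policy list; the extension MUST NOT be included")
    return None


def audit_crl(entries: List[RevokedEntry]) -> List[str]:
    """Audit every entry and collect the findings."""
    return [f for f in (audit_entry(e) for e in entries) if f is not None]


# Constructed sample entries (serial numbers are made up).
SAMPLE_ENTRIES = [
    RevokedEntry("0a11", encode_reason_code(3)),   # affiliationChanged -> finding
    RevokedEntry("0a12", encode_reason_code(5)),   # cessationOfOperation -> ok
    RevokedEntry("0a13", None),                    # no reasonCode -> ok
    RevokedEntry("0a14", encode_reason_code(1)),   # keyCompromise -> ok
    RevokedEntry("0a15", b"\x0a\x01\x07"),         # unused value 7 -> finding
]

if __name__ == "__main__":
    for finding in audit_crl(SAMPLE_ENTRIES):
        print(finding)
```

Run as a script it prints one finding for the affiliationChanged entry and one for the malformed entry; an entry with no reasonCode extension produces nothing, which is the behaviour the "MUST NOT be provided" wording requires of a CA that keeps using a reason outside the list.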