On Wed, Feb 23, 2022 at 11:10 PM Kathleen Wilson <[email protected]> wrote:
> These banned reason codes are either already banned by the BRs or they are
> not applicable to end-entity TLS certificates. Below is a detailed
> explanation for each of them.
> [...]
> cACompromise (2)
> This reason code is used when revoking an intermediate certificate.
> When an intermediate certificate is revoked and added to OneCRL all
> certificates signed by that intermediate certificate are also treated as
> revoked.
> https://www.ccadb.org/policy#4-intermediate-certificates says: "If an
> intermediate certificate is revoked, the CCADB must be updated to mark it
> as revoked, giving the reason why, within 24 hours for a security incident,
> and within 7 days for any other reason."
> Section 4.1 of Mozilla's Root Store Policy says: "If the revocation of an
> intermediate certificate chaining up to a root in Mozilla’s root program is
> due to a security concern, as well as performing the actions defined in the
> CCADB Policy, a security bug must be filed in Bugzilla
> <https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS&component=CA%20Certificate%20Compliance&groups=crypto-core-security>
> ."

Is batch revoking leaf certificates because their CA (be it key or infrastructure) was compromised (e.g. DigiNotar) not supposed to use cACompromise as the OCSP response reason? As in, in such cases there might have been no affiliation that could have changed, no new certificate subject information to supersede the revoked, no given privilege to withdraw, and no operation that is being ceased. Additionally, the key compromised is not that of the leaf certificate. Why not allow the use of cACompromise in such situations to allow accurate OCSP responses?
Note that this allows the relying party to evict the OCSP caches of the signing certificate, potentially improving on the revocation latency induced by the OneCRL distribution process (Firefox's default "security.onecrl.maximum_staleness_in_seconds" setting is 108000, or 30 hours), and improves security by faster revocation marking of the parent CA when OneCRL is not included in the program.

- Matthias
