Hi Kathleen,
Just some minor comments, nit-picks more than anything. On this page https://wiki.mozilla.org/CA/Revocation_Reasons#CRLReason_Codes_for_End-Entity_TLS_Certificates you say that the subscriber can request revocation for reason privilegeWithdrawn, but only a CA can do that.

We go back and forth with subscribers providing a reason and what can/must be in the reasonCode extension. They are slightly different in that a cert can be revoked ONLY for the 6 reasons listed (the 5 you list plus unspecified), but only 5 of those reasons end up being required in the reasonCode extension. I think it's important to say you can revoke ONLY for these 6 reasons and that you MUST provide the reason code for the 5 you've listed. I'd list them in order and also re-order the sections (just a suggestion). Consider something like this:

TLS Certificates may be revoked ONLY for one of the following reasons:

* unspecified (RFC 5280 CRLReason #0)
* keyCompromise (RFC 5280 CRLReason #1)
* affiliationChanged (RFC 5280 CRLReason #3)
* superseded (RFC 5280 CRLReason #4)
* cessationOfOperation (RFC 5280 CRLReason #5)
* privilegeWithdrawn (RFC 5280 CRLReason #9)

The reasonCode extension must be used when any of the following reasons are used:

* keyCompromise (RFC 5280 CRLReason #1)
* affiliationChanged (RFC 5280 CRLReason #3)
* superseded (RFC 5280 CRLReason #4)
* cessationOfOperation (RFC 5280 CRLReason #5)
* privilegeWithdrawn (RFC 5280 CRLReason #9)

Consider updating section 6.1 to say that the subscriber can revoke for reason #0 Unspecified, when none of the other reasons "make sense". If you re-order the section numerically by reason code, then this would come first.

* If none of the other reason codes are selected but the certificate needs to be revoked, then TLS certificates may be revoked with the unspecified reason

Doug

From: [email protected] <[email protected]> On Behalf Of Kathleen Wilson
Sent: Tuesday, April 12, 2022 8:14 PM
To: [email protected]
Subject: DRAFT wiki.mozilla.org/CA/Revocation_Reasons

All,

I have started writing https://wiki.mozilla.org/CA/Revocation_Reasons and will greatly appreciate your feedback on it. Please let me know if there are other topics that should be covered in this new wiki page regarding the new section 6.1.1 that will be added to version 2.8 of Mozilla's Root Store Policy <https://github.com/BenWilson-Mozilla/pkipolicy/commit/060b169294da548a8de30ec65397aadab56f12fb>.

Also, in the draft wiki page there is:

"Currently there is not a standard way to demonstrate possession of the private key. Here are a few ways that CAs may confirm possession of the private key:"

I will greatly appreciate it if you all will reply with your opinions about the best ways to prove possession of the private key for a TLS end-entity certificate.

Thanks,
Kathleen
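As an added example, not part of this thread or the Mozilla wiki page, the rule set Doug describes (six permitted reasons, the reasonCode extension required for five of them, unspecified conveyed by leaving the extension out as RFC 5280 section 5.3.1 directs) written as a small checker that also builds and parses the DER reasonCode CRL entry extension. The function names and the "ok"/problem strings are this example's own.

```python
from typing import Optional

# RFC 5280 section 5.3.1 CRLReason values (value 7 is unused).
CRL_REASON = {0: "unspecified", 1: "keyCompromise", 2: "cACompromise",
              3: "affiliationChanged", 4: "superseded",
              5: "cessationOfOperation", 6: "certificateHold",
              8: "removeFromCRL", 9: "privilegeWithdrawn", 10: "aACompromise"}
# The six reasons an end-entity TLS certificate may be revoked for.
ALLOWED_TLS_REASONS = {0, 1, 3, 4, 5, 9}
# The five that must appear in the reasonCode extension; unspecified (0) is
# conveyed by leaving the extension out (RFC 5280 5.3.1).
REASON_CODE_REQUIRED = ALLOWED_TLS_REASONS - {0}
ID_CE_CRL_REASONS = bytes.fromhex("0603551d15")  # DER OBJECT IDENTIFIER 2.5.29.21

def encode_reason_code_extension(reason: int) -> Optional[bytes]:
    """DER Extension carrying the CRLReason, or None when it must be omitted."""
    if reason not in ALLOWED_TLS_REASONS:
        raise ValueError(f"{CRL_REASON.get(reason, reason)} is not a permitted TLS revocation reason")
    if reason == 0:
        return None
    enumerated = bytes([0x0A, 0x01, reason])                  # ENUMERATED, one byte
    extn_value = bytes([0x04, len(enumerated)]) + enumerated  # OCTET STRING extnValue
    body = ID_CE_CRL_REASONS + extn_value    # critical defaults to FALSE, so it is omitted
    return bytes([0x30, len(body)]) + body   # SEQUENCE Extension

def decode_reason_code(ext: bytes) -> int:
    """Parse a DER reasonCode Extension and return the CRLReason value."""
    if len(ext) != 12 or ext[0] != 0x30 or ext[2:7] != ID_CE_CRL_REASONS:
        raise ValueError("not an id-ce-cRLReasons extension")
    if ext[7:11] != b"\x04\x03\x0a\x01":
        raise ValueError("extnValue is not a one-byte ENUMERATED")
    return ext[11]

def check_crl_entry(reason: int, extension: Optional[bytes]) -> str:
    """Check one revoked-certificate entry against the rules; 'ok' if compliant."""
    if reason not in ALLOWED_TLS_REASONS:
        return f"not permitted: {CRL_REASON.get(reason, reason)}"
    if reason in REASON_CODE_REQUIRED and extension is None:
        return f"reasonCode extension required for {CRL_REASON[reason]}"
    if reason == 0 and extension is not None:
        return "unspecified is conveyed by omitting the reasonCode extension"
    if extension is not None and decode_reason_code(extension) != reason:
        return "reasonCode extension does not match the recorded reason"
    return "ok"

if __name__ == "__main__":
    for reason in (0, 1, 4):
        ext = encode_reason_code_extension(reason)
        print(CRL_REASON[reason], ext.hex() if ext else "(extension omitted)",
              check_crl_entry(reason, ext))
```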
