Hi Ben,
I provided a few comments to Kathleen which she incorporated into the WIKI as guidance, but wondered if some of them should be reflected in the Mozilla policy as well. Specifically I don’t think the policy is clear that there are exactly 6 valid reasons (5 of which MUST be contained in the CRL). This is just a suggestion, nothing major.

1) The policy does not explicitly prohibit the use of reason codes other than the list below for the revocation of TLS certificates. I think it should be crystal clear, the same as Kathleen’s updates to the wiki.

The following reason codes are permitted in CRLs. All others are prohibited.

* keyCompromise (RFC 5280 CRLReason #1)
* affiliationChanged (RFC 5280 CRLReason #3)
* superseded (RFC 5280 CRLReason #4)
* cessationOfOperation (RFC 5280 CRLReason #5)
* privilegeWithdrawn (RFC 5280 CRLReason #9)**

2) The policy does not say that CAs or Subscribers can use the unspecified reason code. I think this should be explicitly called out as a valid reason code (although it’s not to be included in the CRL).

I’d recommend adding something like this:

TLS certificates (i.e. certificates capable of being used for TLS-enabled servers) may be revoked for any of the following reasons. No other reasons are permitted.

* unspecified (RFC 5280 CRLReason #0)
* keyCompromise (RFC 5280 CRLReason #1)
* affiliationChanged (RFC 5280 CRLReason #3)
* superseded (RFC 5280 CRLReason #4)
* cessationOfOperation (RFC 5280 CRLReason #5)
* privilegeWithdrawn (RFC 5280 CRLReason #9)**

The following reason codes MUST appear in the CRL when revoked for these reasons:

* keyCompromise (RFC 5280 CRLReason #1)
* affiliationChanged (RFC 5280 CRLReason #3)
* superseded (RFC 5280 CRLReason #4)
* cessationOfOperation (RFC 5280 CRLReason #5)
* privilegeWithdrawn (RFC 5280 CRLReason #9)**

** The privilegeWithdrawn reasonCode does not need to be made available to the certificate subscriber as a revocation reason option, because the use of this reasonCode is determined by the CA and not the subscriber.

From: [email protected] <[email protected]> On Behalf Of Ben Wilson
Sent: Wednesday, April 13, 2022 1:18 PM
To: [email protected] <[email protected]>
Subject: Policy 2.8: Final Review of MRSP v. 2.8

All,

Here are links helpful during your final review of version 2.8 of the Mozilla Root Store Policy (MRSP):

https://github.com/BenWilson-Mozilla/pkipolicy/blob/2.8/rootstore/policy.md
https://github.com/mozilla/pkipolicy/compare/master...BenWilson-Mozilla:2.8 (redlined)

Please review the changes and provide any additional comments by the end of Tuesday, April 19, 2022.

My plan is to move this version over to the Mozilla pkipolicy repository on Github <https://github.com/mozilla/pkipolicy/tree/master/rootstore>, and then I'll request that it be published on Mozilla's website <https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/> to replace version 2.7.1.

Thanks,
Ben
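Added example, not part of the email thread or of Mozilla's policy text: a small linter that applies the rule as worded in the message above to the reasonCode extension of individual CRL entries, treating an absent extension as "unspecified" (RFC 5280 says the extension SHOULD be absent rather than carry value 0). All function names, serial numbers and sample bytes are constructed for illustration, and the decoder assumes short-form DER lengths, which is all a reasonCode extension needs.

```python
REASONS = {0: "unspecified", 1: "keyCompromise", 2: "cACompromise",
           3: "affiliationChanged", 4: "superseded", 5: "cessationOfOperation",
           6: "certificateHold", 8: "removeFromCRL", 9: "privilegeWithdrawn",
           10: "aACompromise"}  # RFC 5280 CRLReason names; 7 is unused
PERMITTED_IN_CRL = {1, 3, 4, 5, 9}         # list proposed in the message
REASON_CODE_OID = bytes.fromhex("551d15")  # id-ce-cRLReasons, 2.5.29.21

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for one short-form DER TLV."""
    if pos + 2 > len(buf) or buf[pos + 1] & 0x80 or pos + 2 + buf[pos + 1] > len(buf):
        raise ValueError("truncated or long-form TLV")
    end = pos + 2 + buf[pos + 1]
    return buf[pos], buf[pos + 2:end], end

def reason_from_extension(ext_der):
    """Decode a DER-encoded reasonCode Extension to its integer CRLReason."""
    tag, body, _ = read_tlv(ext_der)
    if tag != 0x30:
        raise ValueError("Extension must be a SEQUENCE")
    tag, oid, pos = read_tlv(body)
    if tag != 0x06 or oid != REASON_CODE_OID:
        raise ValueError("not a reasonCode extension")
    tag, val, pos = read_tlv(body, pos)
    if tag == 0x01:                        # optional 'critical' BOOLEAN
        tag, val, pos = read_tlv(body, pos)
    if tag != 0x04:
        raise ValueError("extnValue must be an OCTET STRING")
    tag, enum, _ = read_tlv(val)
    if tag != 0x0A or len(enum) != 1:
        raise ValueError("CRLReason must be a one-byte ENUMERATED")
    return enum[0]

def lint_entry(serial, ext_der):
    """ext_der is None when the CRL entry carries no reasonCode extension."""
    if ext_der is None:
        return (serial, "ok", "no reasonCode (unspecified)")
    code = reason_from_extension(ext_der)
    name = REASONS.get(code, "undefined")
    if code in PERMITTED_IN_CRL:
        return (serial, "ok", name)
    if code == 0:
        return (serial, "violation", "unspecified must be omitted, not encoded")
    return (serial, "violation", f"{name} ({code}) is not permitted for TLS")

# Constructed sample entries (not taken from any real CRL).
EXT_PREFIX = bytes.fromhex("300a0603551d1504030a01")  # everything but the reason byte
SAMPLE = [(0x1001, EXT_PREFIX + b"\x01"), (0x1002, None),
          (0x1003, EXT_PREFIX + b"\x00"), (0x1004, EXT_PREFIX + b"\x06")]
RESULTS = [lint_entry(serial, ext) for serial, ext in SAMPLE]
```

In the constructed sample, the keyCompromise entry and the entry with no extension pass, while an explicitly encoded unspecified (0) and certificateHold (6) are reported as violations.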
