Hi Ben,

 

I provided a few comments to Kathleen which she incorporated into the WIKI as 
guidance, but wondered if some of them should be reflected in the Mozilla 
policy as well.  Specifically I don’t think the policy is clear that there are 
exactly 6 valid reasons (5 of which MUST be contained in the CRL).  This is 
just a suggestion, nothing major

 

1) The policy does not explicitly prohibit the use of reason codes other than 
the list below for the revocation of TLS certificates.  I think it should be 
crystal clear, the same as Kathleen’s updates to the wiki.  The following 
reason codes are permitted in CRLs.  All others are prohibited.

 

*       keyCompromise (RFC 5280 CRLReason #1)
*       affiliationChanged (RFC 5280 CRLReason #3)
*       superseded (RFC 5280 CRLReason #4)
*       cessationOfOperation (RFC 5280 CRLReason #5)
*       privilegeWithdrawn (RFC 5280 CRLReason #9)**

 

 

2) the policy does not say that CAs or Subscribers can use the unspecified 
reason code.  I think this should be explicitly called out as a valid reason 
code (although, it’s not to be included into the CRL)



 

I’d recommend adding something like this:

 

TLS certificates (i.e. a certificates capable of being used for TLS-enabled 
servers) maybe  revoked for any of the following reasons.  No other reasons are 
permitted.

 

*       unspecified (RFC 5280 CRLReason #0)
*       keyCompromise (RFC 5280 CRLReason #1)
*       affiliationChanged (RFC 5280 CRLReason #3)
*       superseded (RFC 5280 CRLReason #4)
*       cessationOfOperation (RFC 5280 CRLReason #5)
*       privilegeWithdrawn (RFC 5280 CRLReason #9)**

 

The following reason codes MUST appear in the CRL when revoked for these 
reasons:

*       keyCompromise (RFC 5280 CRLReason #1)
*       affiliationChanged (RFC 5280 CRLReason #3)
*       superseded (RFC 5280 CRLReason #4)
*       cessationOfOperation (RFC 5280 CRLReason #5)
*       privilegeWithdrawn (RFC 5280 CRLReason #9)**

 

** The privilegeWithdrawn reasonCode does not need to be made available to the 
certificate subscriber as a revocation reason option, because the use of this 
reasonCode is determined by the CA and not the subscriber.

 

 

 

From: [email protected] <[email protected]> On 
Behalf Of Ben Wilson
Sent: Wednesday, April 13, 2022 1:18 PM
To: [email protected] <[email protected]>
Subject: Policy 2.8: Final Review of MRSP v. 2.8

 

All,

 

Here are links helpful during your final review of version 2.8 of the Mozilla 
Root Store Policy (MRSP) :

 

https://github.com/BenWilson-Mozilla/pkipolicy/blob/2.8/rootstore/policy.md

https://github.com/mozilla/pkipolicy/compare/master...BenWilson-Mozilla:2.8 
(redlined) 

 

Please review the changes and provide any additional comments by the end of 
Tuesday, April 19, 2022.

 

My plan is to move this version over to the Mozilla pkipolicy repository on 
Github <https://github.com/mozilla/pkipolicy/tree/master/rootstore> , and then 
I'll request that it be published on Mozilla's website 
<https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/>
  to replace version 2.7.1.

 

Thanks,

 

Ben

-- 
You received this message because you are subscribed to the Google Groups 
"[email protected]" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected] 
<mailto:[email protected]> .
To view this discussion on the web visit 
https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CA%2B1gtaby8DypMdN2ih3xF_nf0FoshtaKUes-KC%2Baxfi-3cRiqw%40mail.gmail.com
 
<https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CA%2B1gtaby8DypMdN2ih3xF_nf0FoshtaKUes-KC%2Baxfi-3cRiqw%40mail.gmail.com?utm_medium=email&utm_source=footer>
 .

-- 
You received this message because you are subscribed to the Google Groups 
"[email protected]" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
To view this discussion on the web visit 
https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/PUZPR03MB6129898A02126A895661AD23F0EF9%40PUZPR03MB6129.apcprd03.prod.outlook.com.

Attachment: smime.p7s
Description: S/MIME cryptographic signature

Reply via email to