Hi Kathleen,

The section entitled “OCSP” [1] says:

“Mozilla does not expect there to be CRLReasons in OCSP responses for TLS end-entity certificates. Section 7.3.2 of the BRs says: The singleExtensions of an OCSP response MUST NOT contain the reasonCode (OID 2.5.29.21) CRL entry extension.”

Is the statement “Mozilla does not expect there to be CRLReasons in OCSP responses for TLS end-entity certificates” stating that Mozilla would prefer that CRLReason not be included in OCSP responses (in the RevokedInfo.revocationReason), or is it reiterating the BR requirement that the revocationReason field MUST be used instead of the reasonCode CRL entry extension to convey the reasonCode? I think it’s the latter, but I’d like to confirm.

Additionally, I’m not sure of the intent behind the following text in the OCSP section:

“The BRs say the following in relation to certificateHold:
* Section 7.2.2: the CRLReason MUST NOT be certificateHold
* Section 7.3 (OCSP Profile): the CRLReason indicated MUST contain a value permitted for CRLs, as specified in Section 7.2.2.”

This seems duplicative of the prohibition on certificateHold in “Banned Revocation Reasons”, so I’m unsure why it is reiterated in the OCSP section.

Thanks,
Corey

[1] https://wiki.mozilla.org/CA/Revocation_Reasons#OCSP

From: [email protected] <[email protected]> On Behalf Of Kathleen Wilson
Sent: Tuesday, April 12, 2022 8:14 PM
To: [email protected]
Subject: DRAFT wiki.mozilla.org/CA/Revocation_Reasons

All,

I have started writing https://wiki.mozilla.org/CA/Revocation_Reasons and will greatly appreciate your feedback on it. Please let me know if there are other topics that should be covered in this new wiki page regarding the new section 6.1.1 that will be added to version 2.8 of Mozilla's Root Store Policy <https://github.com/BenWilson-Mozilla/pkipolicy/commit/060b169294da548a8de30ec65397aadab56f12fb> .

Also, in the draft wiki page there is: "Currently there is not a standard way to demonstrate possession of the private key. Here are a few ways that CAs may confirm possession of the private key:" I will greatly appreciate it if you all will reply with your opinions about the best ways to prove possession of the private key for a TLS end-entity certificate.

Thanks,
Kathleen

--
You received this message because you are subscribed to the Google Groups "[email protected]" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected] <mailto:[email protected]> . To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/7fbc2fba-aa0a-4c2d-ae1e-2c6737801c2en%40mozilla.org <https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/7fbc2fba-aa0a-4c2d-ae1e-2c6737801c2en%40mozilla.org?utm_medium=email&utm_source=footer> .
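As an added illustration of the two BR rules the thread discusses (not code from the thread, from Mozilla's wiki, or from the BRs), the following Python linter parses a DER-encoded OCSP SingleResponse (RFC 6960) and flags a reasonCode extension in singleExtensions (BR 7.3.2) or a CRLReason of certificateHold (BR 7.2.2); the certID hashes, serial and timestamps in the sample builder are constructed placeholders.

```python
# Lints a DER-encoded OCSP SingleResponse for the two BR rules discussed above:
# reasonCode must not appear in singleExtensions and the CRLReason must not be
# certificateHold. Handles single-byte tags and lengths below 256 bytes only.
REASON_CODE_OID = bytes.fromhex("0603551d15")  # OID 2.5.29.21 as a DER TLV
CERTIFICATE_HOLD = 6                           # CRLReason enum value

def _len(n):
    return bytes([n]) if n < 0x80 else bytes([0x81, n])

def _enc(tag, body):  # wrap a DER body in tag + length
    return bytes([tag]) + _len(len(body)) + body

def _walk(buf):  # yield (tag, contents) for each top-level TLV in buf
    pos = 0
    while pos < len(buf):
        tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
        if ln & 0x80:  # long-form length
            n = ln & 0x7F
            ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
        yield tag, buf[pos:pos + ln]
        pos += ln

def lint_single_response(der):
    """Return a list of findings; an empty list means the response passes."""
    findings = []
    fields = list(_walk(next(_walk(der))[1]))  # certID, certStatus, thisUpdate, ...
    status_tag, status = fields[1]
    if status_tag == 0xA1:  # revoked [1] IMPLICIT RevokedInfo
        for tag, body in _walk(status):
            if tag == 0xA0:  # revocationReason [0] EXPLICIT CRLReason
                if next(_walk(body))[1][0] == CERTIFICATE_HOLD:
                    findings.append("revocationReason is certificateHold (BR 7.2.2)")
    for tag, body in fields[3:]:  # nextUpdate [0] and/or singleExtensions [1]
        if tag == 0xA1:
            for _, ext in _walk(next(_walk(body))[1]):  # each Extension SEQUENCE
                if ext.startswith(REASON_CODE_OID):
                    findings.append("reasonCode in singleExtensions (BR 7.3.2)")
    return findings

def build_single_response(reason, reason_in_extension=False):
    """Constructed sample SingleResponse with placeholder certID hashes."""
    cert_id = _enc(0x30, _enc(0x30, bytes.fromhex("06052b0e03021a") + b"\x05\x00")
                   + _enc(0x04, b"\x11" * 20) + _enc(0x04, b"\x22" * 20) + _enc(0x02, b"\x01"))
    revoked = _enc(0x18, b"20220412201400Z") + _enc(0xA0, _enc(0x0A, bytes([reason])))
    body = cert_id + _enc(0xA1, revoked) + _enc(0x18, b"20220413000000Z")
    if reason_in_extension:  # the pattern BR 7.3.2 forbids
        ext = _enc(0x30, REASON_CODE_OID + _enc(0x04, _enc(0x0A, bytes([reason]))))
        body += _enc(0xA1, _enc(0x30, ext))
    return _enc(0x30, body)
```

A responder that carries the reason only in RevokedInfo.revocationReason, with a value other than certificateHold, produces no findings; to lint a real response, feed it the bytes of each SingleResponse from BasicOCSPResponse.tbsResponseData.responses.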
