I disagree. Revocation is the industry standard for cutting off issuance capability. In addition, there is no OneCRL for non-TLS, which means there's no other option on how you can define "technically not able to issue" other than revocation. If Mozilla wants to open OneCRL for all revoked intermediates that would change things, but, right now, revocation is the only way to do this.
-----Original Message-----
From: [email protected] <[email protected]> On Behalf Of Hanno Böck
Sent: Friday, June 24, 2022 12:37 PM
To: [email protected] <[email protected]>
Subject: Re: Draft May 2022 CA Communication and Survey

On Fri, 24 Jun 2022 15:27:23 +0300
Dimitris Zacharopoulos <[email protected]> wrote:
> I believe the requirement does not include the disclosure of Revoked
> subCAs as they are not /"technically capable of issuing working server
> or email certificates"/.

I would like to point out that as far as I know very few implementations have strong revocation checks for intermediate certificates. I remember noticing that the OCSP for the Let's Encrypt intermediate was down, and for quite a while simply nobody noticed.

So I would very much dispute that revoked subCAs are not "technically capable of issuing working server or email certificates".

--
Hanno Böck
https://hboeck.de/

--
You received this message because you are subscribed to the Google Groups "[email protected]" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/20220624203654.34b68f20%40computer.
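Hanno's point above, illustrated with an added example that is not part of this thread: a leaf signed by a revoked sub CA still passes signature-only path validation, and only a client that verifies the root's CRL against the intermediate's serial notices. The root, sub CA, leaf and CRL are all constructed in the script with hypothetical names, using python-cryptography.

```python
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
NOW = datetime(2022, 6, 24, tzinfo=timezone.utc)  # constructed reference time

def make_cert(cn, ca, issuer_key=None, issuer_cert=None):
    """Constructed test certificate (hypothetical names); self-signed unless an issuer is given."""
    key = ec.generate_private_key(ec.SECP256R1())
    subject = x509.Name([x509.NameAttribute(x509.NameOID.COMMON_NAME, cn)])
    cert = (x509.CertificateBuilder()
            .subject_name(subject).public_key(key.public_key())
            .issuer_name(issuer_cert.subject if issuer_cert else subject)
            .serial_number(x509.random_serial_number())
            .not_valid_before(NOW - timedelta(days=1)).not_valid_after(NOW + timedelta(days=365))
            .add_extension(x509.BasicConstraints(ca=ca, path_length=None), critical=True)
            .sign(issuer_key or key, hashes.SHA256()))
    return key, cert

def make_crl(issuer_cert, issuer_key, revoked_serials):
    """CRL signed by the issuer (here the root) listing the revoked serial numbers."""
    builder = (x509.CertificateRevocationListBuilder().issuer_name(issuer_cert.subject)
               .last_update(NOW).next_update(NOW + timedelta(days=7)))
    for serial in revoked_serials:
        builder = builder.add_revoked_certificate(
            x509.RevokedCertificateBuilder().serial_number(serial).revocation_date(NOW).build())
    return builder.sign(issuer_key, hashes.SHA256())

def chain_signatures_valid(leaf, intermediate, root):
    """Signature-only path validation: what a client with no intermediate revocation check does."""
    try:
        for c, i in ((leaf, intermediate), (intermediate, root)):
            i.public_key().verify(c.signature, c.tbs_certificate_bytes, ec.ECDSA(c.signature_hash_algorithm))
        return True
    except InvalidSignature:
        return False

def intermediate_revoked(intermediate, root, crl):
    """The stronger check: a CRL that verifies under the root and names the intermediate's serial."""
    if crl.issuer != root.subject or not crl.is_signature_valid(root.public_key()):
        raise ValueError("CRL is not a valid CRL from this root")
    return crl.get_revoked_certificate_by_serial_number(intermediate.serial_number) is not None

def demo():
    root_key, root = make_cert("Test Root", ca=True)
    sub_key, sub = make_cert("Test Sub CA", ca=True, issuer_key=root_key, issuer_cert=root)
    _, leaf = make_cert("leaf.example.test", ca=False, issuer_key=sub_key, issuer_cert=sub)
    crl = make_crl(root, root_key, [sub.serial_number])  # root revokes the sub CA
    return chain_signatures_valid(leaf, sub, root), intermediate_revoked(sub, root, crl)
```

`demo()` returns `(True, True)`: the revoked sub CA's leaf still validates by signature, and only the CRL check reveals the revocation.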
