I updated https://wiki.mozilla.org/CA/Revocation_Reasons#Communication_to_Subscribers to add a sub-bullet under affiliationChanged: " This option does not need to be made available by CAs who only issue DV certificates that do not include any Subject Identity information."

Thanks,
Kathleen


On 6/24/22 2:01 PM, Ben Wilson wrote:
"Subject's Name" would refer to the Organization Name.  We can clarify that more.

On Fri, Jun 24, 2022 at 1:47 PM Jacob Hoffman-Andrews <[email protected]> wrote:

    On Fri, Jun 24, 2022 at 12:06 PM Ben Wilson <[email protected]>
    wrote:

        I think it would be appropriate to shield the
        "affiliationChanged" reason code from appearing in your CRLs
        when you only issue DV certificates, and they don't include
        Subject Identity Information.


    We intend to specify the same reasonCodes in both CRLs and OCSP
    responses. The most straightforward choice would be for us to
    reject subscriber revocation requests that specify
    "affiliationChanged", requiring the subscriber to choose a more
    correct reasonCode. A second choice would be to accept those
    subscriber revocation requests but silently change them to
    "unspecified" before writing to our storage.

          - "subject's name" is not totally clear to me. From context
        it seems like it means a subset of "subject identity
        information" (specifically the Organization field), but that
        would be redundant. Alternatively, it could refer to the
        entire Subject field (which is encoded as an X.501 Name), but
        then "subject identity information" would be a subset of
        "name" and it would be redundant in the other direction.

        Yes.  We should have been more clear that "Subject Identity
        Information" refers to the definition in the BRs.  We can make
        this clearer in the guidance.


    Sounds good! What about "subject's name" - what does that refer to?

--
You received this message because you are subscribed to the Google Groups "[email protected]" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CA%2B1gtaaZzVgpk6p8DS9sxN-U%2B6rPqhgkeSu1hR42MEfnT9USVQ%40mail.gmail.com.

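The following is an added worked example, not code from this thread, from Mozilla, or from any CA. It shows the bytes actually at stake in the discussion: the DER encoding of the reasonCode CRL entry extension (RFC 5280, section 5.3.1) and of the OCSP revocationReason field (RFC 6960, section 4.2.1), both of which wrap the same ENUMERATED CRLReason value, which is why a CA can naturally emit identical codes in CRLs and OCSP responses. The function normalize_subscriber_reason() and the exception RevocationRequestRejected are hypothetical names chosen here; they implement the two options described above for a DV-only CA, rejecting a subscriber's "affiliationChanged" or coercing it to "unspecified" before it reaches storage.

```python
# Added example (not from the thread, Mozilla, or any CA): DER for the reasonCode
# CRL entry extension and the OCSP revocationReason, plus a hypothetical DV-only
# CA policy for subscriber-supplied reasons.

# CRLReason enumeration from RFC 5280 section 5.3.1. Value 7 is not assigned.
CRL_REASONS = {
    0: "unspecified",
    1: "keyCompromise",
    2: "cACompromise",
    3: "affiliationChanged",
    4: "superseded",
    5: "cessationOfOperation",
    6: "certificateHold",
    8: "removeFromCRL",
    9: "privilegeWithdrawn",
    10: "aACompromise",
}
REASON_BY_NAME = {name: value for value, name in CRL_REASONS.items()}

# id-ce-cRLReasons, OID 2.5.29.21, as DER OID contents (0x55 = 2*40 + 5).
OID_CRL_REASONS = bytes.fromhex("551d15")


def _tlv(tag: int, body: bytes) -> bytes:
    """Minimal DER TLV; all values here are under the 128-byte short-form limit."""
    if len(body) >= 128:
        raise ValueError("short-form length only")
    return bytes([tag, len(body)]) + body


def _expect(der: bytes, offset: int, tag: int) -> tuple:
    """Read one short-form TLV with the given tag; return (contents, next_offset)."""
    if len(der) < offset + 2 or der[offset] != tag:
        raise ValueError(f"expected tag 0x{tag:02x} at offset {offset}")
    length = der[offset + 1]
    if length >= 128 or len(der) < offset + 2 + length:
        raise ValueError("bad DER length")
    start = offset + 2
    return der[start:start + length], start + length


def encode_crl_reason(reason: int) -> bytes:
    """ENUMERATED CRLReason (tag 0x0A); the piece shared by CRL and OCSP."""
    if reason not in CRL_REASONS:
        raise ValueError(f"not a CRLReason value: {reason}")
    return _tlv(0x0A, bytes([reason]))


def encode_reason_code_extension(reason: int) -> bytes:
    """CRL entry extension: SEQUENCE { OID id-ce-cRLReasons, OCTET STRING { ENUMERATED } }.
    reasonCode is non-critical, so the DEFAULT FALSE critical BOOLEAN is omitted in DER."""
    ext_value = _tlv(0x04, encode_crl_reason(reason))
    return _tlv(0x30, _tlv(0x06, OID_CRL_REASONS) + ext_value)


def encode_ocsp_revocation_reason(reason: int) -> bytes:
    """OCSP RevokedInfo.revocationReason: [0] EXPLICIT CRLReason (tag 0xA0)."""
    return _tlv(0xA0, encode_crl_reason(reason))


def decode_reason_code_extension(der: bytes) -> int:
    """Inverse of encode_reason_code_extension(); rejects malformed or unknown values."""
    seq, end = _expect(der, 0, 0x30)
    if end != len(der):
        raise ValueError("trailing bytes after extension")
    oid, off = _expect(seq, 0, 0x06)
    if oid != OID_CRL_REASONS:
        raise ValueError("not the reasonCode extension")
    ext_value, off = _expect(seq, off, 0x04)
    if off != len(seq):
        raise ValueError("unexpected fields after extnValue")
    enum, off = _expect(ext_value, 0, 0x0A)
    if off != len(ext_value) or len(enum) != 1 or enum[0] not in CRL_REASONS:
        raise ValueError("malformed or unknown CRLReason")
    return enum[0]


class RevocationRequestRejected(ValueError):
    """Hypothetical: raised when a subscriber's revocation request is refused."""


def normalize_subscriber_reason(requested: str, issues_only_dv: bool,
                                mode: str = "reject") -> int:
    """Hypothetical CA-side policy for a subscriber-supplied reason name.

    For a CA issuing only DV certificates (no Subject Identity Information),
    "affiliationChanged" has nothing to refer to. mode="reject" refuses it so the
    subscriber chooses a correct reason; mode="coerce" stores it as "unspecified".
    The returned integer is what both the CRL entry and the OCSP response carry.
    """
    if requested not in REASON_BY_NAME:
        raise RevocationRequestRejected(f"unknown reasonCode {requested!r}")
    reason = REASON_BY_NAME[requested]
    if issues_only_dv and reason == REASON_BY_NAME["affiliationChanged"]:
        if mode == "reject":
            raise RevocationRequestRejected(
                "affiliationChanged is not offered for DV-only issuance")
        if mode == "coerce":
            return REASON_BY_NAME["unspecified"]
        raise ValueError(f"unknown mode {mode!r}")
    return reason
```

The extension for affiliationChanged comes out as 30 0a 06 03 55 1d 15 04 03 0a 01 03, and the OCSP field for the same code as a0 03 0a 01 03; the decoder deliberately refuses value 7, which the RFC leaves unassigned, so a CRL parser built this way surfaces bad codes rather than passing them through.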