Dear all,

I have a question about the revocation of the root certificate. I have not found a "Reasons for Revoking a Root CA Certificate" chapter in the BRs.

I read the following in this CPS ( https://ecac.pki.gov.pk/repository/cps/ECAC_Certification_Authorities_CP_CPS_v1.4.pdf ):

"1.4.1 Appropriate Certificate Uses
For certificate issued to the NR-CA itself: it is a special class of self-signed certificate that being the trust anchor of the Pakistan PKI. The NR-CA certificate can be used for (...):
- Sign CRLs containing the list of subscribers' revoked certificates and of NR-CA revoked self-signed certificates,"

where "NR-CA" means "National Root CA".

What do you think, is it an acceptable practice if the Root CA revokes its self-signed certificate and puts this revocation information into the CARL signed by the (revoked(?)) Root CA private key? (Subscribers of the NR-CA are the subordinate CA owners only.) How would one use this "suicide CRL"? I have read in several places that the root CA certificate cannot be revoked (e.g. https://security.stackexchange.com/questions/90254/can-a-rootca-be-revoked ).

Thank you in advance for any comments!

Best Regards,
Peter

Tavis Ormandy wrote (Wednesday, 10 August 2022, 21:10:13 UTC+2):

> On Wed, Aug 10, 2022 at 06:57:32PM +0000, Jeremy Rowley wrote:
> > The general instruction I got was you couldn't use revocation as a
> > threat to keep customers from switching CAs. That was pretty clear from
> > Ryan. Other bad actions were implied as prohibited, like revocation just
> > because a contract terminated. Like I said, I'd love to see it written down
> > as an official policy as the bounds and applicability are hearsay.
>
> Thanks, I'll send some emails!
>
> > On Wed, Aug 10, 2022 Matthew Hardeman wrote:
> > > This sounds less like it was about a customer amidst migration and more
> > > like it was a "sell long validity cert on `credit` and collect payment over
> > > cert lifetime".
>
> Hardly. Regardless, is revocation intended to protect trust in the
> ecosystem, or as an asset recovery and repossession tool for the CA industry?
>
> I think it's the former.
>
> Tavis.
> >
> > --
>
> --
>  _o)            $ lynx lock.cmpxchg8b.com
>  /\\  _o)  _o)  $ finger [email protected]
> _\_V _( ) _( )  @taviso
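To see why a "suicide CRL" is inert for a relying party, here is an added toy model (not from the thread, the CPS or any real implementation) of the RFC 5280 path and CRL processing order: the CRL issuer's path is validated first, and a trust anchor is input to validation rather than a certificate checked against any CRL. The NR-CA, SubCA-1, serials and CRL contents are constructed, and the signature check is reduced to a name match.

```python
"""Toy model of RFC 5280 path validation plus CRL checking (constructed example).

Not a real X.509 parser: certificates and CRLs are plain dataclasses and the
CRL "signature" check is a name comparison against the trust store.
"""
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    serial: int

@dataclass
class CRL:
    issuer: str                                 # name of the signing CA
    revoked: set = field(default_factory=set)   # (issuer, serial) pairs

def crl_verifies(crl: CRL, trust_store: set) -> bool:
    """RFC 5280 6.3.3 (f): validate a path for the CRL issuer before using it.
    An anchor needs no path, so a CRL signed by an anchor verifies as long as
    the anchor is still in the store, whatever the CRL's own entries say."""
    return crl.issuer in {c.subject for c in trust_store}

def validate_path(chain: list, trust_store: set, crls: list) -> str:
    """chain is leaf-first; its last element must be issued by a trust anchor."""
    anchors = {c.subject for c in trust_store}
    if chain[-1].issuer not in anchors:
        return "rejected: no trust anchor for " + chain[-1].issuer
    # Revocation is checked for each certificate in the path; the anchor
    # itself is never a path element, so a CRL entry for it is never consulted.
    for cert in chain:
        for crl in crls:
            if (crl.issuer == cert.issuer and crl_verifies(crl, trust_store)
                    and (cert.issuer, cert.serial) in crl.revoked):
                return f"rejected: {cert.subject} revoked by {crl.issuer}"
    return "accepted"

# Constructed data modelled on the NR-CA scenario in the thread.
ROOT = Cert(subject="NR-CA", issuer="NR-CA", serial=1)        # self-signed anchor
SUBCA = Cert(subject="SubCA-1", issuer="NR-CA", serial=1001)
LEAF = Cert(subject="example.test", issuer="SubCA-1", serial=5)

def scenario_suicide_crl() -> str:
    """Root lists its own serial in its CRL while still in the trust store."""
    return validate_path([LEAF, SUBCA], {ROOT}, [CRL("NR-CA", {("NR-CA", 1)})])

def scenario_subca_revoked() -> str:
    """The CRL mechanism does work for the root's actual subscribers."""
    return validate_path([LEAF, SUBCA], {ROOT}, [CRL("NR-CA", {("NR-CA", 1001)})])

def scenario_anchor_removed() -> str:
    """What actually stops a root: relying parties drop it from the store."""
    return validate_path([LEAF, SUBCA], set(), [CRL("NR-CA", {("NR-CA", 1)})])
```

The first scenario is accepted despite the self-revocation entry, which is the paradox in the question; only the third, removal from the trust store, makes chains under the root fail.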
