On Thu, Feb 15, 2024 at 12:47 AM Peter Mate Erdosi <[email protected]> wrote:
> So, we have an allowed solution, which provides three different
> certificate status answers based on the verifier's software:
> based on the CARL:
> - good
> - revoked
> - crashed.
>

Right, which means that revocation of a self-signed root in this manner is not particularly useful or helpful. Meaningful, yes -- the CRL should be taken as very strong evidence that the root should no longer be trusted -- but not effective, as few if any clients will actually behave that way.

> By the way, which nextUpdate should be inserted into the CARL containing
> a revoked Root CA certificate if
> - not all subordinate CA certificates are revoked, or
> - all subordinate CA certificates are revoked?
>

A date no more than 12 months beyond thisUpdate. The acceptable validity intervals do not depend on the status of the issuing CA.

But thank you very much for asking this question, as you have caused me to realize that there seems to be a bug in the BRs regarding when Root CAs may stop issuing CRLs. I have filed https://github.com/cabforum/servercert/issues/484 to clarify the language in this section.

Thanks,
Aaron
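A verifier-side check for the two points in this reply, written as an added Go example that is not part of the thread: a root listed in its own CARL should be reported as "revoked" rather than crash the verifier, and a CRL whose nextUpdate lies more than 12 months past thisUpdate should be rejected. The root certificate, CRL and serial 1001 are constructed fixtures, not real CA data.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// RootStatus evaluates a self-signed root against a CRL the root itself issued.
// It returns "good" or "revoked" (a root that appears in its own CRL is reported, not a crash)
// and an error when the CRL is unusable: wrong signer, not current, or nextUpdate > thisUpdate + 12 months.
func RootStatus(root *x509.Certificate, crl *x509.RevocationList, now time.Time) (string, error) {
	if err := crl.CheckSignatureFrom(root); err != nil { return "", errors.New("CRL not signed by the root: " + err.Error()) }
	if crl.NextUpdate.After(crl.ThisUpdate.AddDate(1, 0, 0)) { return "", errors.New("nextUpdate is more than 12 months after thisUpdate") }
	if now.Before(crl.ThisUpdate) || now.After(crl.NextUpdate) { return "", errors.New("CRL is not current") }
	for _, e := range crl.RevokedCertificates { // the root's own serial may be listed here
		if e.SerialNumber.Cmp(root.SerialNumber) == 0 { return "revoked", nil }
	}
	return "good", nil
}

// Fixture builds a constructed (not real) self-signed root and a CRL signed by it;
// selfRevoke places the root's own serial in that CRL, mirroring a CARL that revokes the root.
func Fixture(selfRevoke bool, thisUpdate, nextUpdate time.Time) (*x509.Certificate, *x509.RevocationList, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return nil, nil, err }
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1001), Subject: pkix.Name{CommonName: "Constructed Test Root"},
		NotBefore: thisUpdate.Add(-time.Hour), NotAfter: thisUpdate.AddDate(10, 0, 0),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil { return nil, nil, err }
	root, err := x509.ParseCertificate(der) // SubjectKeyId is auto-generated for CA templates
	if err != nil { return nil, nil, err }
	crlTmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: thisUpdate, NextUpdate: nextUpdate}
	if selfRevoke { crlTmpl.RevokedCertificates = []pkix.RevokedCertificate{{SerialNumber: root.SerialNumber, RevocationTime: thisUpdate}} }
	crlDER, err := x509.CreateRevocationList(rand.Reader, crlTmpl, root, key)
	if err != nil { return nil, nil, err }
	crl, err := x509.ParseRevocationList(crlDER)
	return root, crl, err
}
```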
