Hi Aaron,

> A date no more than 12 months beyond thisUpdate. The acceptable validity
> intervals do not depend on the status of the issuing CA.

Agreed on no more than 12 months, but for a different reason. If there is no longer a valid certification path from a root trusted in Mozilla to the issuing CA in question, then that issuing CA is no longer in scope of policy and thus is relieved of all compliance requirements, including those regarding its publication of revocation information about certificates it has issued. For example, a subordinate TLS serverauth CA that no longer has a valid certification path to a Mozilla-trusted root no longer needs to issue CRLs for end-entity certificates it may have issued.

However, as I mentioned in my previous email, roots are not removed from Mozilla policy scope by the CA revoking the self-signed certificate through publication of a CRL. Rather, they are removed from scope by Mozilla removing them from its root store. Until that removal occurs, the root CA must continue to be operated in accordance with root program policy, which would include compliance with the BRs. Specifically, this would include the issuance and publication of CRLs for the certificates it has issued in accordance with the requirements in the BRs (i.e., issue CRLs at least once every 12 months).

Thanks,
Corey

From: Aaron Gable <[email protected]>
Sent: Thursday, February 15, 2024 11:38 AM
To: Peter Mate Erdosi <[email protected]>
Cc: Corey Bonnell <[email protected]>; [email protected]
Subject: Re: BR revocation question

On Thu, Feb 15, 2024 at 12:47 AM Peter Mate Erdosi <[email protected]> wrote:

> So, we have an allowed solution, which provides three different certificate status answers based on the verifier's software:
> based on the CARL:
> - good
> - revoked
> - crashed.

Right, which means that revocation of a self-signed root in this manner is not particularly useful or helpful. Meaningful, yes -- the CRL should be taken as very strong evidence that the root should no longer be trusted -- but not effective, as few if any clients will actually behave that way.

> By the way, which nextUpdate should be inserted into the CARL containing revoked Root CA certificate if
> - not all subordinate CA certificates are revoked, or
> - all subordinate CA certificates are revoked?

A date no more than 12 months beyond thisUpdate. The acceptable validity intervals do not depend on the status of the issuing CA.

But thank you very much for asking this question, as you have caused me to realize that there seems to be a bug in the BRs regarding when Root CAs may stop issuing CRLs. I have filed https://github.com/cabforum/servercert/issues/484 to clarify the language in this section.

Thanks,
Aaron

--
You received this message because you are subscribed to the Google Groups "[email protected]" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/DM6PR14MB2186C134918B0A66DE9B051D924D2%40DM6PR14MB2186.namprd14.prod.outlook.com.
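The one mechanical rule both messages agree on, that a CRL's nextUpdate may be no more than 12 months beyond its thisUpdate, is easy to check from the DER itself. The following is an added example, not code from this thread, from the BRs, or from any CA or root program: it encodes a constructed, unsigned TBSCertList, parses it back, and applies the 12-month check. The issuer name, serial number and dates are constructed, the outer CertificateList signature is omitted on purpose because the interval check does not depend on it, and "12 months" is taken as calendar-month arithmetic with end-of-month clamping, which is this example's own reading of the text. It also generalizes slightly beyond the thread by handling a CRL with no nextUpdate at all (treated as failing the check).

```python
import calendar
from datetime import datetime, timezone

UTC = timezone.utc

# ---- minimal DER encoder (only the tags a CRL body needs) ----
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body

def der_integer(n):
    b = n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")
    return tlv(0x02, b"\x00" + b if b[0] & 0x80 else b)   # keep the value positive

def der_time(dt):
    # RFC 5280: UTCTime through 2049, GeneralizedTime from 2050 on
    if dt.year < 2050:
        return tlv(0x17, dt.strftime("%y%m%d%H%M%SZ").encode())
    return tlv(0x18, dt.strftime("%Y%m%d%H%M%SZ").encode())

SHA256_RSA = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d01010b")) + b"\x05\x00")
OID_COMMON_NAME = tlv(0x06, bytes.fromhex("550403"))

def der_name(common_name):
    atv = tlv(0x30, OID_COMMON_NAME + tlv(0x0C, common_name.encode()))
    return tlv(0x30, tlv(0x31, atv))          # Name ::= SEQUENCE OF SET OF ATV

def build_tbs_cert_list(issuer_cn, this_update, next_update, revoked):
    """revoked: list of (serial, revocation datetime). Returns the unsigned
    TBSCertList; the signature is left out since the check never needs it."""
    body = der_integer(1) + SHA256_RSA + der_name(issuer_cn) + der_time(this_update)
    if next_update is not None:
        body += der_time(next_update)
    if revoked:
        body += tlv(0x30, b"".join(tlv(0x30, der_integer(s) + der_time(d)) for s, d in revoked))
    return tlv(0x30, body)

# ---- minimal DER parser ----
def read_tlv(buf, pos):
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                         # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def children(body):
    pos, out = 0, []
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        out.append((tag, val))
    return out

def parse_time(tag, body):
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(body.decode(), fmt).replace(tzinfo=UTC)

def parse_tbs_cert_list(der):
    tag, body, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("TBSCertList must be a SEQUENCE")
    fields = children(body)
    i = 1 if fields[0][0] == 0x02 else 0      # version is OPTIONAL
    first_atv = children(children(fields[i + 1][1])[0][1])[0][1]
    issuer_cn = children(first_atv)[1][1].decode()
    this_update = parse_time(*fields[i + 2])
    i += 3
    next_update = None
    if i < len(fields) and fields[i][0] in (0x17, 0x18):
        next_update = parse_time(*fields[i])
        i += 1
    revoked = []
    if i < len(fields) and fields[i][0] == 0x30:
        for _, entry in children(fields[i][1]):
            serial, rdate = children(entry)[:2]
            revoked.append((int.from_bytes(serial[1], "big"), parse_time(*rdate)))
    return {"issuer": issuer_cn, "this_update": this_update,
            "next_update": next_update, "revoked": revoked}

# ---- the rule quoted in the thread: nextUpdate <= thisUpdate + 12 months ----
def plus_months(dt, months):
    y, m0 = divmod(dt.month - 1 + months, 12)
    year, month = dt.year + y, m0 + 1
    return dt.replace(year=year, month=month,
                      day=min(dt.day, calendar.monthrange(year, month)[1]))

def next_update_within_limit(crl, months=12):
    """True only if nextUpdate is present and no more than `months` past thisUpdate."""
    if crl["next_update"] is None:
        return False
    return crl["next_update"] <= plus_months(crl["this_update"], months)

# constructed sample data (issuer, serial and dates are illustrative)
THIS_UPDATE = datetime(2024, 2, 15, 12, 0, tzinfo=UTC)
OK_CRL = build_tbs_cert_list("Example Root CA", THIS_UPDATE,
                             datetime(2025, 2, 15, 12, 0, tzinfo=UTC),
                             [(0x1234, datetime(2024, 2, 14, 9, 30, tzinfo=UTC))])
LATE_CRL = build_tbs_cert_list("Example Root CA", THIS_UPDATE,
                               datetime(2025, 2, 16, 12, 0, tzinfo=UTC), [])

if __name__ == "__main__":
    for name, der in (("OK_CRL", OK_CRL), ("LATE_CRL", LATE_CRL)):
        crl = parse_tbs_cert_list(der)
        print(name, crl["issuer"], crl["next_update"], next_update_within_limit(crl))
```

Running it reports OK_CRL as within the limit (nextUpdate exactly 12 months out) and LATE_CRL as outside it (one day past). Note that the check only tells you whether a CRL that was published is well-formed under the interval rule; as Corey's reply points out, whether the issuing CA is still obliged to publish one at all depends on root-store scope, not on anything inside the CRL.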
