Hi,
BR section 8.7 (specifically the first paragraph) requires CAs to do a
self-audit at least every 3 months. Is this audit externalizable, e.g.
through hiring an audit firm to perform this 'self-audit', or must
this audit be done internally in the CA?
The wording implies 'internally', but by

On Wed, Sep 30, 2020 at 12:56 PM Rob Stradling via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
> > I also read this language:
> > If a CRL entry is for a Certificate not subject to these Requirements
> and was either issued on-or-after 2020-09-30 or has a notBefore
Hi Doug. I didn't filter by any CRL fields, as per option (2) in my original
post.

From: Doug Beattie
Sent: Wednesday, September 30, 2020 17:53
To: Rob Stradling
Cc: mozilla-dev-security-pol...@lists.mozilla.org
Subject: RE: Mandatory reasonCode analysis
Hi
That's probably true since CRL entries are published instead of issued and they
don't have a notBefore date.
Regardless, I can see why someone would read it as requiring an update for all
next published CRLs/OCSP given the historical way the BRs worked.
To be safe, we did update all of the

> I also read this language:
> If a CRL entry is for a Certificate not subject to these Requirements and was
> either issued on-or-after 2020-09-30 or has a notBefore on-or-after
> 2020-09-30, the CRLReason MUST NOT be certificateHold (6).
I think "was either issued on-or-after 2020-09-30 or

Hi Rob,
I'm not sure you filtered this report by "thisUpdate", maybe you did it by
nextUpdate by mistake?
The GlobalSign CRL on this report was created in 2016, thus the question.
Doug
-----Original Message-----
From: dev-security-policy On
Behalf Of Rob Stradling via dev-security-policy

This is a good question. I read the requirements as applying only to CRLs and
OCSP published after the effective date since the BRs always say explicitly
when they apply to items before the effective date.
I also read this language:
If a CRL entry is for a Certificate not subject to these

Starting today, the BRs require a reasonCode in CRLs and OCSP responses for
revoked CA certificates. Since crt.sh already monitors CRLs and keeps track of
reasonCodes, I thought I would conduct some analysis to determine the level of
(non)compliance with these new rules.
It's not clear to me