BRs 8.7 Self-Audits - externalizable?

2020-09-30 Thread Matthias van de Meent via dev-security-policy
Hi, BR section 8.7 (specifically the first paragraph) requires CAs to do a self-audit at least every 3 months. Is this audit externalizable, e.g. through hiring an audit firm to perform this 'self-audit', or must this audit be done internally in the CA? The wording implies 'internally', but by

Re: Mandatory reasonCode analysis

2020-09-30 Thread Ryan Sleevi via dev-security-policy
On Wed, Sep 30, 2020 at 12:56 PM Rob Stradling via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
> > I also read this language:
> > If a CRL entry is for a Certificate not subject to these Requirements
> > and was either issued on-or-after 2020-09-30 or has a notBefore

Re: Mandatory reasonCode analysis

2020-09-30 Thread Rob Stradling via dev-security-policy
Hi Doug. I didn't filter by any CRL fields, as per option (2) in my original post.

From: Doug Beattie
Sent: Wednesday, September 30, 2020 17:53
To: Rob Stradling
Cc: mozilla-dev-security-pol...@lists.mozilla.org
Subject: RE: Mandatory reasonCode analysis

Hi

RE: Mandatory reasonCode analysis

2020-09-30 Thread Jeremy Rowley via dev-security-policy
That's probably true since CRL entries are published instead of issued and they don't have a notBefore date. Regardless, I can see why someone would read it as requiring an update for all next published CRLs/OCSP given the historical way the BRs worked. To be safe, we did update all of the

Re: Mandatory reasonCode analysis

2020-09-30 Thread Rob Stradling via dev-security-policy
> I also read this language:
> If a CRL entry is for a Certificate not subject to these Requirements and was
> either issued on-or-after 2020-09-30 or has a notBefore on-or-after
> 2020-09-30, the CRLReason MUST NOT be certificateHold (6).

I think "was either issued on-or-after 2020-09-30 or

RE: Mandatory reasonCode analysis

2020-09-30 Thread Doug Beattie via dev-security-policy
Hi Rob, I'm not sure you filtered this report by "thisUpdate", maybe you did it by nextUpdate by mistake? The GlobalSign CRL on this report was created in 2016, thus the question. Doug

-----Original Message-----
From: dev-security-policy On Behalf Of Rob Stradling via dev-security-policy

RE: Mandatory reasonCode analysis

2020-09-30 Thread Jeremy Rowley via dev-security-policy
This is a good question. I read the requirements as applying only to CRLs and OCSP published after the effective date since the BRs always say explicitly when they apply to items before the effective date. I also read this language: If a CRL entry is for a Certificate not subject to these

Mandatory reasonCode analysis

2020-09-30 Thread Rob Stradling via dev-security-policy
Starting today, the BRs require a reasonCode in CRLs and OCSP responses for revoked CA certificates. Since crt.sh already monitors CRLs and keeps track of reasonCodes, I thought I would conduct some analysis to determine the level of (non)compliance with these new rules. It's not clear to me