On Thu, Oct 1, 2020 at 6:39 AM Corey Bonnell via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
>
> Although RFC 5280, section 5 [2] mandates that conforming CAs MUST produce
> v2 CRLs, the CAs issuing v1 CRLs pre-date any browser root requirements
> that mandate adherence to
ity-policy@lists.mozilla.org
Subject: Mandatory reasonCode analysis
Starting today, the BRs require a reasonCode in CRLs and OCSP responses for
revoked CA certificates. Since crt.sh already monitors CRLs and keeps track of
reasonCodes, I thought I would conduct some analysis to determine th
Hello,
as we are in the "list of shame" and as a way to ensure we are following these
discussions, I'd like to say that the OISTE CA that is referenced here (it's an
old intermediate CA expiring in December 2020, and its CRL contains some
unspecified revocations for Issuing CAs from 2015 and old
On Wed, Sep 30, 2020 at 12:56 PM Rob Stradling via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
> > I also read this language:
> > If a CRL entry is for a Certificate not subject to these Requirements
> and was either issued on-or-after 2020-09-30 or has a notBefore on-or-af
On Wed, Sep 30, 2020 at 1:21 PM Kurt Roeckx via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
> On Wed, Sep 30, 2020 at 03:58:45PM +, Rob Stradling via
> dev-security-policy wrote:
> > Starting today, the BRs require a reasonCode in CRLs and OCSP responses
> for revoked C
On Wed, Sep 30, 2020 at 03:58:45PM +, Rob Stradling via dev-security-policy
wrote:
> Starting today, the BRs require a reasonCode in CRLs and OCSP responses for
> revoked CA certificates. Since crt.sh already monitors CRLs and keeps track
> of reasonCodes, I thought I would conduct some ana
Hi Doug. I didn't filter by any CRL fields, as per option (2) in my original
post.
From: Doug Beattie
Sent: Wednesday, September 30, 2020 17:53
To: Rob Stradling
Cc: mozilla-dev-security-pol...@lists.mozilla.org
Subject: RE: Mandatory reasonCode analysis
H
ubject: Re: Mandatory reasonCode analysis
> I also read this language:
> If a CRL entry is for a Certificate not subject to these Requirements and was
> either issued on-or-after 2020-09-30 or has a notBefore on-or-after
> 2020-09-30, the CRLReason MUST NOT be certificateHold (6).
I think
September 2020 17:41
To: Mozilla
Subject: RE: Mandatory reasonCode analysis
This is a good question. I read the requirements as
security-policy
Sent: Wednesday, September 30, 2020 11:59 AM
To: dev-security-policy@lists.mozilla.org
Subject: Mandatory reasonCode analysis
Starting today, the BRs require a reasonCode in CRLs and OCSP responses for
revoked CA certificates. Since crt.sh already monitors CRLs and keeps track
of
: dev-security-policy@lists.mozilla.org
Subject: Mandatory reasonCode analysis
Starting today, the BRs require a reasonCode in CRLs and OCSP responses for
revoked CA certificates. Since crt.sh already monitors CRLs and keeps track of
reasonCodes, I thought I would conduct some analysis to
Starting today, the BRs require a reasonCode in CRLs and OCSP responses for
revoked CA certificates. Since crt.sh already monitors CRLs and keeps track of
reasonCodes, I thought I would conduct some analysis to determine the level of
(non)compliance with these new rules.
It's not clear to me i