All,

This email opens up discussion of our proposed resolution of GitHub Issue
#254 <https://github.com/mozilla/pkipolicy/issues/254>, “Harmonize CRL
Reason Codes with CA/B Forum Revocation Reasons”.

We would like to reduce text in Mozilla’s Root Store Policy that is now
part of the CA/B Forum Baseline Requirements for TLS certificates (BRs).

Proposal:

   - Move the sections currently in MRSP about each reason code into the wiki
     page <https://wiki.mozilla.org/CA/Revocation_Reasons>.

      - We want to maintain this information in the wiki page, because it is
        useful to have a full list of applicable scenarios for each reason code.
        While these lists are in alignment with the CA/B Forum BRs, they contain
        additional detail that is not in the BRs that we had specifically
        discussed and agreed to here in MDSP.

   - Remove the duplicate text from MRSP, and have MRSP point to the CABF BRs
     <https://cabforum.org/baseline-requirements/> and the wiki page
     <https://wiki.mozilla.org/CA/Revocation_Reasons>.

   - Make it very clear in the policy that the keyCompromise,
     privilegeWithdrawn, and superseded CRLReasons must only be used for the
     specific scenarios as stated in the BRs, otherwise they must not be used.
     The “MUST NOT” part is not specified in the BRs, and is very important for
     reason codes to be useful to certificate consumers.

      - Note: The BRs do not specify all of the situations in which the
        affiliationChanged and cessationOfOperation CRLReasons should be used, so
        this will not be part of the “MUST NOT” clause in MRSP.


Then section 6.1.1, “End Entity TLS Certificate CRLRevocation Reasons”,
could then be reduced to the following text.

–Begin draft for MRSP–

When an end entity TLS certificate (i.e. a certificate capable of being
used for TLS-enabled servers) is revoked for one of the reasons below, the
specified CRLReason MUST be included in the reasonCode extension of the CRL
entry corresponding to the end entity TLS certificate, as described in
sections 4.9.1 and 7.2.2 of the CA/Browser Forum Baseline Requirements.

   - keyCompromise (RFC 5280 CRLReason #1)
   - affiliationChanged (RFC 5280 CRLReason #3)
   - superseded (RFC 5280 CRLReason #4)
   - cessationOfOperation (RFC 5280 CRLReason #5)
   - privilegeWithdrawn (RFC 5280 CRLReason #9)

The keyCompromise, superseded, and privilegeWithdrawn CRLReasons MUST only
be used for the situations listed in the CA/Browser Forum Baseline
Requirements as corresponding to these revocation reasons. Otherwise, the
keyCompromise, superseded, and privilegeWithdrawn CRLReasons MUST NOT be
used.

Mozilla’s wiki page, "Revocation Reasons
<https://wiki.mozilla.org/CA/Revocation_Reasons>", provides further details
about when the CRLReasons listed above must and must not be used.

–End draft for MRSP–

Regards,

Ben and Kathleen
