All,

Here are those changes as proposed in the previous email on this topic:
https://github.com/BenWilson-Mozilla/pkipolicy/commit/644a665c434e6df8a4ab57e19583508d3fa7fcbd

The removed text can now be found here:
https://wiki.mozilla.org/CA/Revocation_Reasons#End_Entity_TLS_Certificate_CRLRevocation_Reasons

Unless I hear otherwise, I will assume that this closes discussions on this Issue #254.

Ben
On Thu, Jun 22, 2023 at 11:04 AM Ben Wilson <bwil...@mozilla.com> wrote:
> All,
>
> This email opens up discussion of our proposed resolution of GitHub Issue #254 <https://github.com/mozilla/pkipolicy/issues/254>, "Harmonize CRL Reason Codes with CA/B Forum Revocation Reasons".
>
> We would like to reduce text in Mozilla's Root Store Policy that is now part of the CA/B Forum Baseline Requirements for TLS certificates (BRs).
>
> Proposal:
>
> - Move the sections currently in MRSP about each reason code into the wiki page <https://wiki.mozilla.org/CA/Revocation_Reasons>.
> - We want to maintain this information in the wiki page, because it is useful to have a full list of applicable scenarios for each reason code. While these lists are in alignment with the CA/B Forum BRs, they contain additional detail that is not in the BRs that we had specifically discussed and agreed to here in MDSP.
> - Remove the duplicate text from MRSP, and have MRSP point to the CABF BRs <https://cabforum.org/baseline-requirements/> and the wiki page <https://wiki.mozilla.org/CA/Revocation_Reasons>.
> - Make it very clear in the policy that the keyCompromise, privilegeWithdrawn, and superseded CRLReasons must only be used for the specific scenarios as stated in the BRs, otherwise they must not be used. The "MUST NOT" part is not specified in the BRs, and is very important for reason codes to be useful to certificate consumers.
> - Note: The BRs do not specify all of the situations in which the affiliationChanged and cessationOfOperation CRLReasons should be used, so this will not be part of the "MUST NOT" clause in MRSP.
>
> Section 6.1.1, "End Entity TLS Certificate CRLRevocation Reasons", could then be reduced to the following text.
>
> --Begin draft for MRSP--
>
> When an end entity TLS certificate (i.e. a certificate capable of being used for TLS-enabled servers) is revoked for one of the reasons below, the specified CRLReason MUST be included in the reasonCode extension of the CRL entry corresponding to the end entity TLS certificate, as described in sections 4.9.1 and 7.2.2 of the CA/Browser Forum Baseline Requirements.
>
> - keyCompromise (RFC 5280 CRLReason #1)
> - affiliationChanged (RFC 5280 CRLReason #3)
> - superseded (RFC 5280 CRLReason #4)
> - cessationOfOperation (RFC 5280 CRLReason #5)
> - privilegeWithdrawn (RFC 5280 CRLReason #9)
>
> The keyCompromise, superseded, and privilegeWithdrawn CRLReasons MUST only be used for the situations listed in the CA/Browser Forum Baseline Requirements as corresponding to these revocation reasons. Otherwise, the keyCompromise, superseded, and privilegeWithdrawn CRLReasons MUST NOT be used.
>
> Mozilla's wiki page, "Revocation Reasons <https://wiki.mozilla.org/CA/Revocation_Reasons>", provides further details about when the CRLReasons listed above must and must not be used.
>
> --End draft for MRSP--
>
> Regards,
>
> Ben and Kathleen

-- 
You received this message because you are subscribed to the Google Groups "dev-security-policy@mozilla.org" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dev-security-policy+unsubscr...@mozilla.org.
To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CA%2B1gtabuJ%3DfVidrpo_C50iW9ud7haE5EMs%3D6wad570V%3D%2BoDAVA%40mail.gmail.com.
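An added example, not part of this thread and not Mozilla's or the CA/B Forum's tooling: a dependency-free Python decoder for the reasonCode CRL entry extension (RFC 5280, id-ce-cRLReasons, OID 2.5.29.21), which maps the ENUMERATED value to its RFC 5280 name and reports how the draft MRSP section 6.1.1 above treats that reason. The reason names and numbers come from the draft text; the DER layout (SEQUENCE { OID, OCTET STRING { ENUMERATED } }) follows RFC 5280; the function names, status strings and the constructed sample entries are my own. It cannot tell whether a CA's use of keyCompromise, superseded or privilegeWithdrawn matched a BR-listed situation, since that is a factual question about the revocation, but it does surface which entries carry a reason that the draft restricts.

```python
"""Decode the reasonCode CRL entry extension and classify the CRLReason
against the draft MRSP section 6.1.1 quoted in the thread above.
Hypothetical helper code; only the numbers/names come from RFC 5280 and the draft."""

# RFC 5280 CRLReason enumeration (value 7 is unused in the RFC).
CRL_REASONS = {
    0: "unspecified",
    1: "keyCompromise",
    2: "cACompromise",
    3: "affiliationChanged",
    4: "superseded",
    5: "cessationOfOperation",
    6: "certificateHold",
    8: "removeFromCRL",
    9: "privilegeWithdrawn",
    10: "aACompromise",
}

# Reasons the draft lists for end-entity TLS certificates ...
MRSP_TLS_REASONS = {1, 3, 4, 5, 9}
# ... and the subset the draft says MUST only be used for BR-listed situations.
MRSP_RESTRICTED = {1, 4, 9}

# DER content octets of OID 2.5.29.21 (id-ce-cRLReasons).
ID_CE_CRL_REASONS = bytes.fromhex("551d15")


def _read_tlv(buf, pos):
    """Read one DER tag-length-value at buf[pos]; returns (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("DER length runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length


def decode_reason_code_extension(ext_der):
    """Return the CRLReason integer carried by a DER-encoded reasonCode Extension."""
    tag, body, end = _read_tlv(ext_der, 0)
    if tag != 0x30 or end != len(ext_der):
        raise ValueError("extension is not a single DER SEQUENCE")
    tag, oid, pos = _read_tlv(body, 0)
    if tag != 0x06 or oid != ID_CE_CRL_REASONS:
        raise ValueError("not the id-ce-cRLReasons extension")
    tag, value, pos = _read_tlv(body, pos)
    if tag == 0x01:  # optional 'critical' BOOLEAN; RFC 5280 makes reasonCode non-critical
        tag, value, pos = _read_tlv(body, pos)
    if tag != 0x04 or pos != len(body):
        raise ValueError("extnValue must be the final OCTET STRING")
    tag, enum, inner_end = _read_tlv(value, 0)
    if tag != 0x0A or inner_end != len(value) or len(enum) != 1:
        raise ValueError("extnValue must wrap a single one-octet ENUMERATED")
    return enum[0]


def encode_reason_code_extension(reason):
    """Build a reasonCode Extension (used here only to construct sample input)."""
    enum = bytes([0x0A, 0x01, reason])
    octet = bytes([0x04, len(enum)]) + enum
    oid = bytes([0x06, len(ID_CE_CRL_REASONS)]) + ID_CE_CRL_REASONS
    inner = oid + octet
    return bytes([0x30, len(inner)]) + inner


def classify_reason(reason):
    """Map a CRLReason value to (name, how the draft MRSP 6.1.1 treats it)."""
    name = CRL_REASONS.get(reason)
    if name is None:
        return ("unknown", "value %d is not a CRLReason defined in RFC 5280" % reason)
    if reason in MRSP_RESTRICTED:
        return (name, "listed in draft 6.1.1; MUST only be used for BR-listed situations")
    if reason in MRSP_TLS_REASONS:
        return (name, "listed in draft 6.1.1")
    return (name, "not addressed by draft 6.1.1")


def audit_entry_extension(ext_der):
    """Decode one entry's reasonCode extension and return a small report dict."""
    try:
        reason = decode_reason_code_extension(ext_der)
    except (ValueError, IndexError) as exc:
        return {"status": "malformed", "detail": str(exc)}
    name, status = classify_reason(reason)
    return {"status": status, "reason": reason, "name": name}


if __name__ == "__main__":
    # Constructed sample entries, not taken from any real CRL.
    for r in (1, 3, 6, 7):
        print(r, audit_entry_extension(encode_reason_code_extension(r)))
    print("bad", audit_entry_extension(bytes.fromhex("3003060100")))
```

Running the block prints one report per constructed entry; keyCompromise (1) is flagged as restricted, affiliationChanged (3) as simply listed, certificateHold (6) as not addressed by the draft, and 7 as not an RFC 5280 value. Feeding it the reasonCode extension bytes pulled from a real CRL entry (for example with an ASN.1 dumper) gives the same report for that entry.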