On Friday, 20 September 2013 20:44:23 UTC+2, Michael Ströder wrote:
> Kathleen Wilson wrote:
> > Let's start the policy discussion about preloading revocations of
> > intermediate CA certificates.
> >
> > https://wiki.mozilla.org/CA:ImprovingRevocation#Preload_Revocations_of_Intermediate_CA_Certificates
> >
> > In particular, I'd like to discuss *when* a CA should notify Mozilla of a
> > revocation of an intermediate certificate, so that certificate can be
> > included in the revocation list push mechanism.
>
> I'd recommend that a CA puts a revoked sub-CA cert immediately on its CRL.
> So no need to inform Mozilla and no need for this insecure extra
> process/mechanism at all.

The issuing CA will still have to revoke the sub-CA certificate, and publish its revoked status (CRL+OCSP).

Some CAs have produced certificates without CRLDP or AIA:OCSP extension; revocation checking can't be performed for such certificates (hard-fail is a possible mitigation, but not a perfect one).

OCSP responder certificates can't be revoked; that was made possible by RFC2560, and made mandatory by CABF BR.

Mozilla proposes to use that notification mechanism to solve this.

> Ah, the Mozilla developers removed CRL support...maybe Mozilla wants to
> finally be the one-and-only super CA.

Mozilla is already a super CA. Google, Microsoft, Adobe, Opera, Oracle, etc. are all super CAs. Linux distribution vendors are also super CAs, because they too distribute root certificates (additional ones).

_______________________________________________
dev-security-policy mailing list
https://lists.mozilla.org/listinfo/dev-security-policy
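The two failure modes named above, certificates that carry neither a CRLDP nor an AIA OCSP entry, and OCSP responder certificates marked with id-pkix-ocsp-nocheck, as an added example that is not part of the thread: a stdlib-only Python check that reports which revocation pointers a DER-encoded certificate carries. The DER walker assumes single-byte tags (true for X.509), and sample_cert() builds a constructed certificate skeleton with a dummy signature rather than a real signed certificate.

```python
CRLDP = bytes.fromhex("551d1f")                      # 2.5.29.31 CRL Distribution Points
AIA = bytes.fromhex("2b06010505070101")               # 1.3.6.1.5.5.7.1.1 Authority Info Access
OCSP = bytes.fromhex("2b06010505073001")              # 1.3.6.1.5.5.7.48.1 AIA accessMethod id-ad-ocsp
OCSP_NOCHECK = bytes.fromhex("2b0601050507300105")    # 1.3.6.1.5.5.7.48.1.5 id-pkix-ocsp-nocheck

def read_tlv(buf, pos=0):
    """One DER element at pos -> (tag, value, next_pos); single-byte tags only."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                 # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(content):                                # (tag, value) of each nested element
    pos = 0
    while pos < len(content):
        tag, value, pos = read_tlv(content, pos)
        yield tag, value

def extensions(cert_der):
    """Yield (extnID bytes, extnValue bytes) from tbsCertificate.extensions."""
    _, cert, _ = read_tlv(cert_der)                   # Certificate ::= SEQUENCE
    _, tbs, _ = read_tlv(cert)                        # first field is tbsCertificate
    for tag, value in children(tbs):
        if tag == 0xA3:                               # [3] EXPLICIT Extensions
            for _, ext in children(read_tlv(value)[1]):
                fields = list(children(ext))          # extnID, [critical], extnValue
                yield fields[0][1], fields[-1][1]

def revocation_pointers(cert_der):
    """Which pointers exist; crldp and ocsp both False = status cannot be checked."""
    found = {"crldp": False, "ocsp": False, "ocsp_nocheck": False}
    for oid, value in extensions(cert_der):
        found["crldp"] |= oid == CRLDP
        found["ocsp_nocheck"] |= oid == OCSP_NOCHECK
        if oid == AIA:                                # SEQUENCE OF AccessDescription
            for _, ad in children(read_tlv(value)[1]):
                found["ocsp"] |= next(children(ad))[1] == OCSP   # accessMethod
    return found

def tlv(tag, content):                                # short-form DER encoder (len < 128)
    return bytes([tag, len(content)]) + content
def sample_cert(crldp=True, ocsp=True, nocheck=False):
    """Constructed sample: Certificate skeleton (version, serial, extensions, dummy sig)."""
    exts = b""
    if crldp:
        exts += tlv(0x30, tlv(0x06, CRLDP) + tlv(0x04, tlv(0x30, b"")))
    if ocsp:
        aia = tlv(0x30, tlv(0x30, tlv(0x06, OCSP) + tlv(0x86, b"http://ocsp.example.test")))
        exts += tlv(0x30, tlv(0x06, AIA) + tlv(0x04, aia))
    if nocheck:
        exts += tlv(0x30, tlv(0x06, OCSP_NOCHECK) + tlv(0x04, tlv(0x05, b"")))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + tlv(0xA3, tlv(0x30, exts)))
    return tlv(0x30, tbs + tlv(0x30, b"") + tlv(0x03, b"\x00"))
```

Run revocation_pointers() over real DER certificates to find the ones whose status a client has no way to look up, and over OCSP responder certificates to confirm the nocheck marker that makes them un-revocable.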

