On 12/12/13 00:25, Kathleen Wilson wrote:
> <snip>
> From Rob:
> Kathleen, are you saying that "must expire by the end of 2013" is a
> "revocation requirement" ?
>
> Expiration != Revocation.
>
> Is there actually a requirement that says "By the end of 2013, CAs
> MUST revoke all unexpired certificates with <2048-bit RSA keys" ?
> If so, where is it written and when was it communicated to the CAs?
>
> (If it's not actually written anywhere, then can you actually enforce
> it?)
>
> In BR Appendix A (Subscriber Certificates, Minimum RSA modulus):
>   "Validity period ending on or before 31 Dec 2013"  -> 1024
>   "Validity period ending after 31 Dec 2013"         -> 2048

Sure, and BRs Section 13.1.5 says:
  "The CA SHALL revoke a (Subscriber) Certificate within 24 hours if
   ...
   9. The CA is made aware that the Certificate was not issued in
     accordance with these Requirements..."

Sorry, I should have mentioned that I'm thinking primarily about long-lived certificates that were issued before the BRs became effective. BRs Section 1 says:
  "Except where explicitly stated otherwise, these requirements apply
   only to relevant events that occur on or after the Effective Date."

Where is it written that <2048-bit certs that predate the BRs need to be revoked by end of 2013?

--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
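Added example (not code from the thread, from Mozilla, or from the CA/Browser Forum): a small audit routine that encodes the two BR clauses quoted above. The Appendix A table gives the minimum RSA modulus as a function of notAfter; Section 13.1.5(9) turns a shortfall into a 24-hour revocation obligation. The open question in the thread, whether certificates issued before the BR Effective Date are in scope at all under Section 1, is exposed as an optional `effective_date` parameter so both readings can be compared. The certificate records and the effective date used in the demo (1 July 2012) are constructed/assumed here, not taken from the thread.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# BR Appendix A cutoff as quoted in the thread: validity ending on or
# before this date may use a 1024-bit modulus, after it 2048 is required.
BR_KEY_SIZE_CUTOFF = date(2013, 12, 31)

# Assumed value for the BR Effective Date referenced in Section 1; the
# thread does not state it, so treat this as a placeholder.
ASSUMED_BR_EFFECTIVE_DATE = date(2012, 7, 1)


def minimum_rsa_modulus_bits(not_after: date) -> int:
    """Minimum modulus per BR Appendix A for a given validity end date."""
    return 1024 if not_after <= BR_KEY_SIZE_CUTOFF else 2048


@dataclass(frozen=True)
class SubscriberCert:
    serial: str          # opaque identifier, constructed for the demo
    not_before: date     # issuance date (start of validity)
    not_after: date      # end of validity
    rsa_modulus_bits: int


@dataclass(frozen=True)
class Finding:
    serial: str
    required_bits: int
    actual_bits: int
    in_scope: bool       # False when issuance predates the BR Effective Date


def audit(certs: List[SubscriberCert],
          effective_date: Optional[date] = None) -> List[Finding]:
    """Return one Finding per certificate whose modulus is below the
    Appendix A minimum for its notAfter. If effective_date is given,
    certificates issued before it are reported but flagged out of scope,
    reflecting the Section 1 wording quoted in the thread."""
    findings = []
    for c in certs:
        required = minimum_rsa_modulus_bits(c.not_after)
        if c.rsa_modulus_bits >= required:
            continue
        in_scope = effective_date is None or c.not_before >= effective_date
        findings.append(Finding(c.serial, required, c.rsa_modulus_bits, in_scope))
    return findings


def must_revoke_within_24h(certs: List[SubscriberCert],
                           effective_date: Optional[date] = None) -> List[str]:
    """Serials that fall under BR 13.1.5(9): not issued in accordance with
    the Requirements and within the Requirements' scope."""
    return [f.serial for f in audit(certs, effective_date) if f.in_scope]


# Constructed sample inventory covering the boundary cases discussed.
SAMPLE_CERTS = [
    # expires exactly on the cutoff: 1024 is still permitted
    SubscriberCert("A", date(2012, 9, 1), date(2013, 12, 31), 1024),
    # issued after the BRs, expires in 2014 with 1024: clear violation
    SubscriberCert("B", date(2012, 9, 1), date(2014, 6, 30), 1024),
    # long-lived, issued years before the BRs: the disputed case
    SubscriberCert("C", date(2010, 1, 15), date(2015, 1, 15), 1024),
    # 2048-bit, compliant regardless of expiry
    SubscriberCert("D", date(2013, 3, 1), date(2016, 3, 1), 2048),
]

if __name__ == "__main__":
    print("Strict reading (all certs in scope):",
          must_revoke_within_24h(SAMPLE_CERTS))
    print("Section 1 reading (pre-Effective-Date certs excluded):",
          must_revoke_within_24h(SAMPLE_CERTS, ASSUMED_BR_EFFECTIVE_DATE))
```

Run against a real inventory you would populate SubscriberCert from parsed notBefore/notAfter and the RSA modulus length; the two calls at the bottom show how much of the difference between the "strict" and "Section 1" readings comes down to long-lived pre-BR certificates like "C".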