Jakob,

On Mon, Mar 19, 2018 at 9:48 PM, Jakob Bohm via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:

> On 17/03/2018 01:23, Wayne Thayer wrote:
>
> Note, that if it is reasonably certain/validated that the only activity
> is maintaining CRLs/OCSP for the remaining unexpired certificates, then
> most of the updated BR requirements (such as CAA, CT and stricter
> validation methods) become noops, since no validations are being done,
> no CAA strings are accepted, no new certificates are issued etc.

I agree in practice, but if a WebTrust audit were to be conducted it would contain a number of qualifications, or as is the case here, no ETSI audit statement would be issued.

> We may thus be looking at the 12 months of an orderly shutdown of a
> CA, as per section 5.8 of the standard CPS template, and might
> reasonably consider accepting the lack of normal activity levels for
> such a situation. The BRs and Mozilla policy seem silent on the
> subject,

Are you suggesting that we delay removal of this root until all leaf certificates expire? Are you suggesting that the BRs be modified so a CA that has ceased issuance can obtain a clean audit report without meeting all current BR requirements?

> The only critical thing that seems to be missing is a BR audit report to
> confirm that no issuance is taking place and the revocation management
> and CA private key protection is still being done properly.

Continued audit reports are indeed critical to maintaining trust in a CA even after it has ceased issuance.

- Wayne

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy