On Thu, Dec 27, 2018 at 8:43 PM Jakob Bohm via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
> So absent a bad CA, I wonder where there is a rule that subscribers
> should be ready to quickly replace certificates due to actions far
> outside their own control.

Consider the following cases:

- A company grows and moves to larger office space down the street. It turns out that the new office is in a different city even though the move was only two blocks away. The accounting department sends the CA a move notice so the CA sends invoices to the new address. Does this mean the CA has to revoke all existing certificates in 5 days?

- Widget LLC is a startup with widgetco.example. They want to take investment so they change to a C-corp and become Widget, Inc. Widget Inc now is the registrant for widgetco.example. Does this now trigger the 5 day rule?

- Same example as above, but the company doesn't remember to update the domain registration. It therefore is invalid, as it points to a non-existent entity. Does this trigger the 5 day rule?

- The IETF publishes a new RFC that "Updates: 5280 <https://tools.ietf.org/html/rfc5280>". It removes a previously valid feature in certificates. Do all certificates using this feature need to be revoked within 5 days?

- The IETF publishes a new RFC that "Updates: 5280 <https://tools.ietf.org/html/rfc5280>". It says it updates 5280 as follows:

  Old: Conforming CAs SHOULD use the UTF8String encoding for explicitText, but MAY use IA5String. Conforming CAs MUST NOT encode explicitText as VisibleString or BMPString.

  New: Conforming CAs SHOULD use the UTF8String encoding for explicitText. VisibleString or BMPString are acceptable but less preferred alternatives. Conforming CAs MUST NOT encode explicitText as IA5String.

  Must a CA revoke all certificates that use IA5String?

- A customer has a registered domain name that has characters that current internationalized domain name RFCs do not allow (for example xn--df-oiy.ws / ✪df.ws). A CA issues because this is a registered domain name according to the responsible TLD registry. Must this be revoked within 5 days if the CA notices?

- A customer has a certificate with a single domain name in the SAN which is an internationalized domain name. The commonName attribute in the subject contains the IDN. However the CN attribute uses U-labels while the SAN uses A-labels. Whether this is allowed has been the subject of debate at the CA/Browser Forum as neither BRs nor RFCs make this clear. Do any certificates using U-labels in the CN need to be revoked?

The list can continue to go on, but I bring these up as examples of reasonable cases that may have surprising results.

Thanks,
Peter

The list goes on, but

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
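The U-label versus A-label case raised in the message above is one a CA or a relying party can look for in its own certificate inventory before a policy decision forces the question. The following is an added example, not code from the thread or from any CA: it assumes the subject commonName and the SAN dNSName values have already been extracted from each certificate (by whatever parsing library is in use) and relies on Python's built-in `idna` codec, which implements IDNA 2003. The constructed sample set covers a CN in U-label form whose A-label matches the SAN, a CN already in A-label form, a CN with no corresponding SAN entry, and a CN containing a character that nameprep prohibits. A registered name such as ✪df.ws from the message, which IDNA 2003 accepts but IDNA 2008 does not, would need the third-party `idna` package to be classified under the newer rules.

```python
from dataclasses import dataclass
from typing import List, Optional, Dict


@dataclass
class Finding:
    cn: str
    cn_alabel: Optional[str]
    # one of: "ascii-match", "u-label-match", "mismatch", "unconvertible"
    status: str


def to_alabel(name: str) -> Optional[str]:
    """Convert a host name to lowercase A-label form using Python's IDNA 2003
    codec. Labels that are already ASCII (including xn-- labels) pass through.
    Returns None when a label cannot be converted, e.g. because nameprep
    prohibits one of its characters."""
    try:
        return name.encode("idna").decode("ascii").lower()
    except UnicodeError:
        return None


def check_cn_against_san(cn: str, san_dns_names: List[str]) -> Finding:
    """Classify how a certificate's subject CN relates to its SAN dNSNames.

    SAN dNSName values are IA5String and are therefore expected to be A-labels
    already; they are only lowercased and stripped of a trailing dot. The CN
    is converted to A-label form and looked up in that set."""
    san = {n.lower().rstrip(".") for n in san_dns_names}
    cn_norm = cn.rstrip(".")
    alabel = to_alabel(cn_norm)
    if alabel is None:
        status = "unconvertible"
    elif alabel not in san:
        status = "mismatch"
    elif cn_norm.isascii():
        status = "ascii-match"
    else:
        # CN carries a U-label whose A-label form is present in the SAN:
        # exactly the case debated in the thread.
        status = "u-label-match"
    return Finding(cn=cn, cn_alabel=alabel, status=status)


# Constructed sample inventory (CN, SAN dNSNames); not real certificates.
SAMPLE_CERTS = [
    ("bücher.example", ["xn--bcher-kva.example"]),
    ("xn--bcher-kva.example", ["xn--bcher-kva.example"]),
    ("www.example", ["example.net"]),
    ("bad\ufffd.example", ["bad.example"]),  # U+FFFD is prohibited by nameprep
]


def scan(certs=SAMPLE_CERTS) -> Dict[str, Finding]:
    """Run the CN/SAN check over an inventory and key the findings by CN."""
    return {cn: check_cn_against_san(cn, sans) for cn, sans in certs}


if __name__ == "__main__":
    for finding in scan().values():
        print(f"{finding.status:14} CN={finding.cn!r} A-label={finding.cn_alabel!r}")
```

Only the `u-label-match` and `mismatch` rows need a human decision; `unconvertible` rows are the ones to re-examine against whichever IDNA revision the CA's policy actually references.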