Glad to see you paying close attention to the Baseline Requirements changes!
On Thu, Aug 27, 2020 at 1:34 PM Sándor dr. Szőke via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:

> Yes, that date comes from the Mozilla Root Program, but this requirement
> is new for the other Root Programs and for the BR.

No, it's not. It's been a part of Microsoft's root program for even longer than Mozilla's, at https://docs.microsoft.com/en-us/security/trusted-root/program-requirements

You can see this all discussed in the CA/B Forum as part of the ballot, if you need any assistance understanding where a change came from.

> The other thing is that without having an indicated effective date, the
> requirement can be interpreted in that way, that every valid Subordinate CA
> certificate shall comply with this requirement, even if it has been issued years
> ago.

No, this is not correct. If you look closely at the changes that have been made to the BRs in the past, particularly around cleanup ballots, it's to remove effective dates that are in the past. The BRs describe what to do at time of issuance. They have always done just that.

> I would just like to get confirmation that this requirement does not
> mean that all subordinate CA certificates that are currently non-compliant
> shall be revoked, which were issued prior to the effective date.

You'll need to work with your root program. Mozilla's effective date is just as it is stated, and Mozilla's policy says you are supposed to revoke if you violate a root program requirement, as per https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/

If you've misissued according to another program, which may have an earlier date, you should work with that root program to figure out the expectations for how to handle root program violations.

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy