Eddy Nigg (StartCom Ltd.) wrote:
> Additionally there is no burden whatsoever on the certificate holder as
> suggested in the response for having a revoked certificate listed in the
> CRL forever...or please enlighten me about which burden they are talking
> about.

If revoked certificates have to be listed even when expired, that means
that expired certificates have to be revoked if the private key is
compromised. So, the certificate holder has to continue to keep the key
secure even after expiry.

> /The RFC states that revoked certs must appear.../
>
> The RFC states...??? Really? I don't believe it!

RFC 3280, section 3.3: "An entry is added to the CRL as part of the next
update following notification of revocation. An entry MUST NOT be removed
from the CRL until it appears on one regularly scheduled CRL issued beyond
the revoked certificate's validity period."

> Revocation of a certificate is not something which should be taken
> lightly - it certainly isn't equivalent to expiration.

No-one is saying it is. But it is also pretty unlikely that a certificate
would be revoked close to its expiration date. If a certificate is issued
incorrectly, for example, these sorts of things tend to be discovered
rather quickly (like when the phisher sets up his site).

Can you give a plausible and specific scenario where keeping certs in CRLs
significantly past their expiration date would prevent some evil activity?

> Why the insistence of the Webtrust monopoly? How about *opening up the
> guidelines and requirements for auditors without strings attached*, in
> order to enable potential auditors worldwide to perform third party
> audits?

You're never satisfied, are you, Eddy? <sigh>

What happened at the meeting was a big step forward towards allowing
non-Webtrust auditors to do EV readiness audits.

> Mozilla should request the publishing of the guidelines for auditors and
> define requirements for auditors *without* any lock-in or requirements
> of membership to any organization.

Membership of the CAB Forum is now open to any organisation with an ETSI
audit, and you don't have to have specially approved auditors to get one
of those. Therefore, CAs with an ETSI audit can join the forum and push
forward the effort we have started to open things up more.

Gerv

_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security
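The RFC 3280 section 3.3 retention rule quoted in the message above, worked through as an added example that is not part of the thread: for each revoked certificate it computes which regularly scheduled CRL issuances must carry the entry, and it audits a published CRL for entries dropped too early. The issuance schedule, serial numbers and dates are constructed for illustration; the function names are my own, not from any CA software.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

UTC = timezone.utc


@dataclass(frozen=True)
class RevokedEntry:
    serial: int
    revoked_at: datetime   # when the CA was notified of the revocation
    not_after: datetime    # end of the certificate's validity period


def last_required_issuance(entry, schedule):
    """First regularly scheduled CRL issued at or after the revocation and
    beyond the certificate's validity period.  RFC 3280 3.3 says the entry
    MUST NOT be removed until it has appeared on such a CRL, so this is the
    last issuance on which the entry is mandatory.  Returns None when the
    schedule does not yet reach past notAfter."""
    for issued in sorted(schedule):
        if issued >= entry.revoked_at and issued > entry.not_after:
            return issued
    return None


def must_list(entry, schedule, crl_issued):
    """True if the CRL issued at `crl_issued` is required to carry `entry`."""
    if crl_issued < entry.revoked_at:
        return False   # entry is only added on the next update after revocation
    last = last_required_issuance(entry, schedule)
    if last is None:
        return True    # no CRL beyond notAfter has been issued yet: keep it
    return crl_issued <= last


def required_issuances(entry, schedule):
    """All scheduled issuances on which the entry must appear."""
    return [d for d in sorted(schedule) if must_list(entry, schedule, d)]


def audit_crl(crl_issued, listed_serials, entries, schedule):
    """Serials this CRL was required to list but does not (premature removals)."""
    listed = set(listed_serials)
    return sorted(e.serial for e in entries
                  if must_list(e, schedule, crl_issued) and e.serial not in listed)


# Constructed sample data: weekly CRLs through January 2008.
SCHEDULE = [datetime(2008, 1, d, tzinfo=UTC) for d in (1, 8, 15, 22, 29)]

# Revoked during its validity period.
ENTRY_A = RevokedEntry(serial=1001,
                       revoked_at=datetime(2008, 1, 3, tzinfo=UTC),
                       not_after=datetime(2008, 1, 10, tzinfo=UTC))
# Key compromise reported after the certificate had already expired.
ENTRY_B = RevokedEntry(serial=1002,
                       revoked_at=datetime(2008, 1, 17, tzinfo=UTC),
                       not_after=datetime(2008, 1, 5, tzinfo=UTC))
# Still valid past the end of the schedule, so never removable yet.
ENTRY_C = RevokedEntry(serial=1003,
                       revoked_at=datetime(2008, 1, 2, tzinfo=UTC),
                       not_after=datetime(2008, 2, 15, tzinfo=UTC))
ENTRIES = [ENTRY_A, ENTRY_B, ENTRY_C]

if __name__ == "__main__":
    for e in ENTRIES:
        days = [d.strftime("%Y-%m-%d") for d in required_issuances(e, SCHEDULE)]
        print(f"serial {e.serial}: must appear on CRLs issued {days}")
    # A CRL issued 2008-01-15 that already dropped serial 1001 violates 3.3.
    print("missing from 2008-01-15 CRL:",
          audit_crl(SCHEDULE[2], [1003], ENTRIES, SCHEDULE))
```

Note the edge case the thread turns on: ENTRY_B is revoked after expiry, and the rule still requires it on exactly one scheduled CRL (the first issued after the revocation), after which it may be dropped; ENTRY_A may be dropped from the second CRL after its notAfter, not the first.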