On 5/28/14, 5:17 PM, Kathleen Wilson wrote:
On 5/22/14, 3:53 PM, Kathleen Wilson wrote:
On 5/22/14, 1:18 PM, Kurt Roeckx wrote:
On Thu, May 22, 2014 at 02:57:26PM -0500, Steve Roylance wrote:
Hi Kathleen,



The policy group responsible for control of our certificates and keys have a question for you concerning the disclosure requirements.



We have a number of CAs in 'CRL/OCSP only' mode where certificate issuance
<snip>

After further consideration, I am now of the opinion that we should
collect some information about subordinate CAs in this mode.

I could create another spreadsheet for SubCAs that are in CRL/OCSP mode,
and it could have columns for
Name of SubCA (optional)
SubCA Cert's Issuer Hash
SubCA Cert's Issuer Public Key Hash
SubCA Cert Issuer Serial Number
Date of last cert issuance
Date of last cert expiration


Does that sound reasonable?

Kathleen



I added another tab as described above to the CA Responses spreadsheet.

I also added:

https://wiki.mozilla.org/CA:CertificatePolicyV2.1#Frequently_Asked_Questions
--
5. The transition of some subordinate CAs to Technical Constraints (as per #9 of Mozilla's CA Certificate Inclusion Policy) has been accomplished by creating a new CA hierarchy, so the old subordinate CA certificate remains in 'CRL/OCSP only' mode until all certificates in the old hierarchy have expired. Do we need to disclose the old subordinate CA certificates that are being phased out and are in 'CRL/OCSP only' mode? - For each subordinate CA certificate that is being phased out and is in 'CRL/OCSP only' mode, please provide the following information: Name of SubCA (optional), SubCA Cert Hash (SHA1), SubCA Cert Key Id Hash (SHA1), SubCA Cert Subject Key Identifier, SubCA Cert Serial Number, Date of Last Cert Issuance, Date of Last Cert Expiration.
--

I'm still working through my inbox of CA's Responses to the Communication. It'll take a while.

Kathleen





_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
