Re: Odp.: Odp.: Odp.: 46 Certificates issued with BR violations (KIR)

2019-02-02 Thread Dimitris Zacharopoulos via dev-security-policy
+1. Of course there must be consistency between CRLs and OCSP.

Dimitris.

-----Original Message-----
From: Eric Mill via dev-security-policy
To: "Buschart, Rufus"
Cc: mozilla-dev-security-policy, Kurt Roeckx, Wayne Thayer
Sent: Sat, 02 Feb 2019 16:17
Subject: Re: Odp.: Odp.: Odp.: 46

Re: Odp.: Odp.: Odp.: 46 Certificates issued with BR violations (KIR)

2019-02-02 Thread Eric Mill via dev-security-policy
The BRs and Mozilla program policies don't support the idea of just trusting a CA to issue certs for "internal" use or to keep them secret. This is why CAs issuing "test certificates" on production CAs for domains they don't own is clearly forbidden. Given that, I don't see how it can be

AW: Odp.: Odp.: Odp.: 46 Certificates issued with BR violations (KIR)

2019-02-02 Thread Buschart, Rufus via dev-security-policy
Personally, I think it would be better if the revocation reason "Certificate hold" on the CRL were allowed for TLS certificates, as this state would exactly cover the described scenario. The OCSP responder could in such a case reply with "bad" and deliver the reason "certificate hold". But I