Re: EKU is required in each Subordinate CA certificate

2020-08-29 Thread Ryan Sleevi via dev-security-policy
Glad to see you paying close attention to the Baseline Requirements changes!

On Thu, Aug 27, 2020 at 1:34 PM Sándor dr. Szőke via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:

> Yes, that date comes from the Mozilla Root Program, but this requirement
> is new for the other Root Programs and for the BR.
>

No, it's not. It's been a part of Microsoft's root program for even longer
than Mozilla's, at
https://docs.microsoft.com/en-us/security/trusted-root/program-requirements

You can see this all discussed in the CA/B Forum as part of the ballot, if
you need any assistance understanding where a change came from.


> The other thing is that without having an indicated effective date, the
> requirement can be interpreted in that way, that every valid Subordinate CA
> certificate shall comply with this requirement, even if it has been issued years
> ago.
>

No, this is not correct. If you look closely at the changes that have been
made to the BRs in the past, particularly around cleanup ballots, it's to
remove effective dates that are in the past.

The BRs describe what to do at time of issuance. They have always done just
that.


> I would just like to get confirmation that this requirement does not
> mean that all subordinate CA certificates that are currently non-compliant
> shall be revoked, which were issued prior to the effective date.
>

You'll need to work with your root program. Mozilla's effective date is
just as it is stated, and Mozilla's policy says you are supposed to revoke
if you violate a root program requirement, as per
https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/


If you've misissued according to another program, which may have an earlier
date, you should work with that root program to figure out the expectations for
how to handle root program violations.
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy


Re: EKU is required in each Subordinate CA certificate

2020-08-27 Thread Sándor dr. Szőke via dev-security-policy
Yes, that date comes from the Mozilla Root Program, but this requirement is new 
for the other Root Programs and for the BR.

The other thing is that without having an indicated effective date, the 
requirement can be interpreted in that way, that every valid Subordinate CA 
certificate shall comply with this requirement, even if it has been issued years ago.

I would just like to get confirmation that this requirement does not mean 
that all subordinate CA certificates that are currently non-compliant shall be 
revoked, which were issued prior to the effective date.



EKU is required in each Subordinate CA certificate

2020-08-27 Thread Sándor dr. Szőke via dev-security-policy
You could find the following requirement in the latest Baseline Requirement:

7. CERTIFICATE, CRL, AND OCSP PROFILES
7.1 Certificate profile
7.1.2 Certificate Content and Extensions; Application of RFC 5280
7.1.2.2 Subordinate CA Certificate
...
g. extkeyUsage (optional/required)
For Cross Certificates ...
For all other Subordinate CA Certificates, including Technically Constrained 
Subordinate CA Certificates:
This extension MUST be present and SHOULD NOT be marked critical.
...

If I understand this requirement correctly, each Subordinate CA certificate 
(excluding the above mentioned Cross Certificates) shall contain the EKU 
extension.

Does it mean that all Subordinate CA certificates issued after a specific date 
shall contain the EKU extension?
What is the effective date of this requirement?
Is it 20 August 2020, as the issue date of this version of the Baseline 
Requirement?
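The profile rule quoted from BR 7.1.2.2 g can be checked mechanically. The following is an added example, not code from this thread or from any CA's tooling: it uses the Python cryptography library to build a constructed, self-signed stand-in for a subordinate CA certificate (a real one would be issued by the root), then reports whether extKeyUsage is present and non-critical. The `issued_on_or_after` helper reflects the reply's point that the BRs describe what to do at time of issuance; the effective date it compares against is whatever the relevant root program sets and is supplied by the caller, not taken from the thread. Cross Certificates, which the quoted text handles separately, must be excluded by the caller, since that status is not visible from a single certificate.

```python
from __future__ import annotations

import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import ExtendedKeyUsageOID, ExtensionOID, NameOID


def not_before_utc(cert: x509.Certificate) -> datetime.datetime:
    """Timezone-aware notBefore: cryptography >= 42 exposes it directly,
    older releases only provide the naive-UTC attribute."""
    aware = getattr(cert, "not_valid_before_utc", None)
    if aware is not None:
        return aware
    return cert.not_valid_before.replace(tzinfo=datetime.timezone.utc)


def issued_on_or_after(cert: x509.Certificate, effective: datetime.datetime) -> bool:
    """The BR profile applies at time of issuance, so only certificates whose
    notBefore is on/after the root program's effective date are in scope.
    `effective` is the caller's assumption about that date (aware datetime)."""
    return not_before_utc(cert) >= effective


def check_subca_eku(cert: x509.Certificate) -> list[str]:
    """Return findings against the quoted BR 7.1.2.2 g text for a (non-cross)
    Subordinate CA certificate; an empty list means it conforms.
    The caller must exclude Cross Certificates, which the text treats separately."""
    findings: list[str] = []
    try:
        bc = cert.extensions.get_extension_for_oid(ExtensionOID.BASIC_CONSTRAINTS)
    except x509.ExtensionNotFound:
        return ["basicConstraints absent; not a CA certificate"]
    if not bc.value.ca:
        return ["cA is FALSE; not a CA certificate"]
    try:
        eku = cert.extensions.get_extension_for_oid(ExtensionOID.EXTENDED_KEY_USAGE)
    except x509.ExtensionNotFound:
        return ["extKeyUsage MUST be present but is absent"]
    if eku.critical:
        findings.append("extKeyUsage SHOULD NOT be marked critical")
    return findings


# Constructed sample: a self-signed stand-in for a subordinate CA (a real one
# would be issued by the root). Not a certificate from the thread.
SAMPLE_NOT_BEFORE = datetime.datetime(2020, 9, 1, tzinfo=datetime.timezone.utc)


def make_test_subca(with_eku: bool, critical: bool = False) -> x509.Certificate:
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example Sub CA")])
    builder = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(SAMPLE_NOT_BEFORE)
        .not_valid_after(SAMPLE_NOT_BEFORE + datetime.timedelta(days=365))
        .add_extension(x509.BasicConstraints(ca=True, path_length=0), critical=True)
    )
    if with_eku:
        builder = builder.add_extension(
            x509.ExtendedKeyUsage([ExtendedKeyUsageOID.SERVER_AUTH]), critical=critical
        )
    return builder.sign(key, hashes.SHA256())


if __name__ == "__main__":
    for label, cert in (
        ("compliant", make_test_subca(True)),
        ("missing EKU", make_test_subca(False)),
        ("critical EKU", make_test_subca(True, critical=True)),
    ):
        print(label, check_subca_eku(cert) or "OK")
```

To run this over a real hierarchy, load each intermediate with `x509.load_pem_x509_certificate`, drop the cross certificates, and pass only those for which `issued_on_or_after` returns true for your root program's date to `check_subca_eku`.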