Re: Mandatory reasonCode analysis

2020-10-01 Thread Ryan Sleevi via dev-security-policy
On Thu, Oct 1, 2020 at 6:39 AM Corey Bonnell via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote: > > Although RFC 5280, section 5 [2] mandates that conforming CAs MUST produce > v2 CRLs, the CAs issuing v1 CRLs pre-date any browser root requirements > that mandate adherence to

Re: Mandatory reasonCode analysis

2020-10-01 Thread Corey Bonnell via dev-security-policy
I did some searching in this area after Microsoft announced the new root program requirement back in February [1] and it appears that v1 CRLs are still being actively published in the webPKI. Notably, v1 CRLs do not support extensions in revoked entries, so there is no way to encode the

Re: Mandatory reasonCode analysis

2020-10-01 Thread pfuen...--- via dev-security-policy
Hello, as we are in the "list of shame" and as a way to ensure we are following these discussions, I'd like to say that the OISTE CA that is referenced here (it's an old intermediate CA expiring in December 2020, and its CRL contains some unspecified revocations for Issuing CAs from 2015 and

Re: Mandatory reasonCode analysis

2020-09-30 Thread Ryan Sleevi via dev-security-policy
On Wed, Sep 30, 2020 at 12:56 PM Rob Stradling via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote: > > I also read this language: > > If a CRL entry is for a Certificate not subject to these Requirements > and was either issued on-or-after 2020-09-30 or has a notBefore

Re: Mandatory reasonCode analysis

2020-09-30 Thread Rob Stradling via dev-security-policy
Hi Doug. I didn't filter by any CRL fields, as per option (2) in my original post. From: Doug Beattie Sent: Wednesday, September 30, 2020 17:53 To: Rob Stradling Cc: mozilla-dev-security-pol...@lists.mozilla.org Subject: RE: Mandatory reasonCode analysis Hi Rob

RE: Mandatory reasonCode analysis

2020-09-30 Thread Jeremy Rowley via dev-security-policy
.@lists.mozilla.org> on behalf of Jeremy Rowley via dev-security-policy <dev-security-policy@lists.mozilla.org> Sent: 30 September 2020 17:41 To: Mozilla <mozilla-dev-security-pol...@lists.mozilla.org> Subject: RE: Mandatory reasonCode analysis CAUTION: This ema

Re: Mandatory reasonCode analysis

2020-09-30 Thread Rob Stradling via dev-security-policy
September 2020 17:41 To: Mozilla Subject: RE: Mandatory reasonCode analysis CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe. This is a good question. I read the requirements as

RE: Mandatory reasonCode analysis

2020-09-30 Thread Doug Beattie via dev-security-policy
Hi Rob, I'm not sure you filtered this report by "thisUpdate", maybe you did it by nextUpdate by mistake? The GlobalSign CRL on this report was created in 2016, thus the question. Doug -Original Message- From: dev-security-policy On Behalf Of Rob Stradling via dev-security-policy

RE: Mandatory reasonCode analysis

2020-09-30 Thread Jeremy Rowley via dev-security-policy
This is a good question. I read the requirements as applying only to CRLs and OCSP published after the effective date since the BRs always say explicitly when they apply to items before the effective date. I also read this language: If a CRL entry is for a Certificate not subject to these