On Thu, Oct 1, 2020 at 6:39 AM Corey Bonnell via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
>
> Although RFC 5280, section 5 [2] mandates that conforming CAs MUST produce
> v2 CRLs, the CAs issuing v1 CRLs pre-date any browser root requirements
> that mandate adherence to
I did some searching in this area after Microsoft announced the new root
program requirement back in February [1] and it appears that v1 CRLs are still
being actively published in the webPKI. Notably, v1 CRLs do not support
extensions in revoked entries, so there is no way to encode the
Hello,
as we are in the "list of shame" and as a way to ensure we are following these
discussions, I'd like to say that the OISTE CA that is referenced here (it's an
old intermediate CA expiring in December 2020, and its CRL contains some
unspecified revocations for Issuing CAs from 2015 and
On Wed, Sep 30, 2020 at 12:56 PM Rob Stradling via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
> > I also read this language:
> > If a CRL entry is for a Certificate not subject to these Requirements
> > and was either issued on-or-after 2020-09-30 or has a notBefore
Hi Doug. I didn't filter by any CRL fields, as per option (2) in my original
post.
From: Doug Beattie
Sent: Wednesday, September 30, 2020 17:53
To: Rob Stradling
Cc: mozilla-dev-security-pol...@lists.mozilla.org
Subject: RE: Mandatory reasonCode analysis
Hi Rob
.@lists.mozilla.org>>
on behalf of Jeremy Rowley via dev-security-policy
<dev-security-policy@lists.mozilla.org>
Sent: 30 September 2020 17:41
To: Mozilla
<mozilla-dev-security-pol...@lists.mozilla.org>
Subject: RE: Mandatory reasonCode analysis
September 2020 17:41
To: Mozilla
Subject: RE: Mandatory reasonCode analysis
This is a good question. I read the requirements as
Hi Rob,
I'm not sure you filtered this report by "thisUpdate", maybe you did it by
nextUpdate by mistake?
The GlobalSign CRL on this report was created in 2016, thus the question.
Doug
-----Original Message-----
From: dev-security-policy On
Behalf Of Rob Stradling via dev-security-policy
This is a good question. I read the requirements as applying only to CRLs and
OCSP published after the effective date since the BRs always say explicitly
when they apply to items before the effective date.
I also read this language:
If a CRL entry is for a Certificate not subject to these