Hi Kathleen,
Just some minor comments, nit-picks more than anything.
On this page
https://wiki.mozilla.org/CA/Revocation_Reasons#CRLReason_Codes_for_End-Entity_TLS_Certificates
you say that the subscriber can request revocation for reason privilegeWithdrawn, but only a CA can do that.
We go back and forth with subscribers providing a reason and what can/must be in the reasonCode extension. They are slightly different in that a cert can be revoked ONLY for 6 reasons (the 5 you list plus unspecified), but only 5 of those reasons end up being required in the reasonCode extension. I think it’s important to say you can revoke ONLY for these 6 reasons and that you MUST provide the reason code for the 5 you’ve listed. I’d list them in order and also re-order the sections (just a suggestion). Consider something like this:
TLS Certificates may be revoked ONLY for one of the following reasons:
The reasonCode extension must be used when any of the following reasons are used:
Consider updating section 6.1 to say that the subscriber can revoke for reason #0 Unspecified, when none of the other reasons “make sense”. If you re-order the section numerically by reason code, then this would come first.
Doug
--
You received this message because you are subscribed to the Google Groups "dev-secur...@mozilla.org" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dev-security-po...@mozilla.org.
To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/7fbc2fba-aa0a-4c2d-ae1e-2c6737801c2en%40mozilla.org.
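Doug's distinction above (a certificate may be revoked only for a small set of reasons, and for five of them the reasonCode CRL entry extension, OID 2.5.29.21, must actually be present) is the kind of rule a CA or a root program can check mechanically over a CRL. The following is an added example written for this thread, not code from Mozilla or from any CA: it decodes a single revokedCertificates entry at the DER level, pulls out the reasonCode if present, and reports entries that use certificateHold or a reason outside the permitted set. It assumes the five listed reasons are keyCompromise, affiliationChanged, superseded, cessationOfOperation and privilegeWithdrawn, that unspecified is conveyed by omitting the extension rather than encoding 0, and it constructs its own sample entries inline (the serial numbers and revocation time are made up).

```python
"""Check CRLReason codes in CRL revokedCertificates entries (constructed example)."""
from typing import Dict, List, Optional

REASON_CODE_OID = "2.5.29.21"  # id-ce-cRLReasons, the extension quoted in the thread

# CRLReason values from RFC 5280 section 5.3.1 (value 7 is unassigned).
CRL_REASON_NAMES = {
    0: "unspecified", 1: "keyCompromise", 2: "cACompromise",
    3: "affiliationChanged", 4: "superseded", 5: "cessationOfOperation",
    6: "certificateHold", 8: "removeFromCRL", 9: "privilegeWithdrawn",
    10: "aACompromise",
}
# Assumption for this example: the five reasons that must be carried in the
# reasonCode extension are the BR ones; unspecified is allowed but is
# expressed by leaving the extension out (assumed from BR section 7.2.2).
REASONS_REQUIRING_EXTENSION = {1, 3, 4, 5, 9}
BANNED_REASONS = {6}  # certificateHold


def _der_len(n: int) -> bytes:
    """Encode a DER length (short form below 128, long form otherwise)."""
    if n < 128:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(body)) + body


def _read_tlv(buf: bytes, pos: int):
    """Read one tag-length-value at pos; return (tag, value, position after it)."""
    tag = buf[pos]
    first = buf[pos + 1]
    pos += 2
    if first & 0x80:  # long-form length
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:end], end


def _children(body: bytes):
    """Split the value of a constructed element into its (tag, value) members."""
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = _read_tlv(body, pos)
        out.append((tag, val))
    return out


def _decode_oid(body: bytes) -> str:
    arcs, cur = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        cur = (cur << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(cur)
            cur = 0
    return ".".join(map(str, arcs))


def build_revoked_entry(serial: int, reason: Optional[int] = None) -> bytes:
    """Constructed sample: DER of one revokedCertificates entry (RFC 5280 5.1)."""
    serial_der = _tlv(0x02, serial.to_bytes(max(1, (serial.bit_length() + 8) // 8), "big"))
    time_der = _tlv(0x17, b"220412201400Z")  # UTCTime; made-up revocation date
    parts = serial_der + time_der
    if reason is not None:
        enum_der = _tlv(0x0A, bytes([reason]))  # CRLReason is an ENUMERATED
        ext = _tlv(0x30, _tlv(0x06, bytes([0x55, 0x1D, 0x15])) + _tlv(0x04, enum_der))
        parts += _tlv(0x30, ext)  # crlEntryExtensions
    return _tlv(0x30, parts)


def parse_revoked_entry(der: bytes) -> Dict[str, Optional[int]]:
    """Return the serial and the reasonCode (None when the extension is absent)."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("entry is not a SEQUENCE")
    fields = _children(body)
    serial = int.from_bytes(fields[0][1], "big", signed=True)
    reason = None
    if len(fields) > 2:  # crlEntryExtensions present
        for _ext_tag, ext_body in _children(fields[2][1]):
            ext_fields = _children(ext_body)  # extnID, [critical], extnValue
            if _decode_oid(ext_fields[0][1]) == REASON_CODE_OID:
                etag, evalue, _ = _read_tlv(ext_fields[-1][1], 0)
                if etag != 0x0A:
                    raise ValueError("reasonCode is not ENUMERATED")
                reason = int.from_bytes(evalue, "big")
    return {"serial": serial, "reason": reason}


def check_entry(entry: Dict[str, Optional[int]]) -> List[str]:
    """Policy findings for one parsed entry; an empty list means it is acceptable."""
    reason = entry["reason"]
    if reason is None or reason in REASONS_REQUIRING_EXTENSION:
        return []  # omitted extension means unspecified, which is permitted
    name = CRL_REASON_NAMES.get(reason, "unknown")
    if reason in BANNED_REASONS:
        return [f"{name} ({reason}) is a banned revocation reason"]
    if reason == 0:
        return ["unspecified (0) encoded explicitly; omit the reasonCode extension instead"]
    return [f"{name} ({reason}) is not a permitted end-entity revocation reason"]


def audit_crl_entries(entries: List[bytes]) -> Dict[int, List[str]]:
    """Map serial -> findings for every entry that has at least one finding."""
    report = {}
    for der in entries:
        parsed = parse_revoked_entry(der)
        findings = check_entry(parsed)
        if findings:
            report[parsed["serial"]] = findings
    return report


if __name__ == "__main__":
    sample = [build_revoked_entry(0x1001, 1), build_revoked_entry(0x1002),
              build_revoked_entry(0x1003, 6), build_revoked_entry(0x1004, 2)]
    for serial, findings in audit_crl_entries(sample).items():
        print(hex(serial), findings)
```

A real CRL would be fed in by walking its TBSCertList down to the revokedCertificates SEQUENCE and passing each member to `parse_revoked_entry`; the entry-level parsing and the policy check are the parts that do not change.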
Hi Kathleen,
The section entitled “OCSP” [1] says:
“Mozilla does not expect there to be CRLReasons in OCSP responses for TLS end-entity certificates.
Section 7.3.2 of the BRs says: The singleExtensions of an OCSP response MUST NOT contain the reasonCode (OID 2.5.29.21) CRL entry extension.”
Is the statement “Mozilla does not expect there to be CRLReasons in OCSP responses for TLS end-entity certificates” stating that Mozilla would prefer that CRLReason not be included in OCSP responses (in the RevokedInfo.revocationReason), or is it re-iterating the BR requirement that the revocationReason field MUST be used instead of the reasonCode CRL entry extension to convey the reasonCode?
I think it’s the latter, but I’d like to confirm.
Additionally, I’m not sure of the intent behind the following text in the OCSP section:
“The BRs say the following in relation to certificateHold:
This seems duplicative of the prohibition on certificateHold in “Banned Revocation Reasons”, so I’m unsure why it is reiterated in the OCSP section.
Thanks,
Corey
From: dev-secur...@mozilla.org <dev-secur...@mozilla.org> On Behalf Of Kathleen Wilson
Sent: Tuesday, April 12, 2022 8:14 PM
To: dev-secur...@mozilla.org
Subject: DRAFT wiki.mozilla.org/CA/Revocation_Reasons
All,
--
Hi Kathleen,
Thanks for making these changes; they look good and add clarity.
Thanks,
Corey