DRAFT wiki.mozilla.org/CA/Revocation_Reasons


Kathleen Wilson

Apr 12, 2022, 8:14:25 PM
to dev-secur...@mozilla.org
All,

I have started writing https://wiki.mozilla.org/CA/Revocation_Reasons and will greatly appreciate your feedback on it.

Please let me know if there are other topics that should be covered in this new wiki page regarding the new section 6.1.1 that will be added to version 2.8 of Mozilla's Root Store Policy.

Also, in the draft wiki page there is:
"Currently there is not a standard way to demonstrate possession of the private key. Here are a few ways that CAs may confirm possession of the private key:"

I will greatly appreciate it if you all will reply with your opinions about the best ways to prove possession of the private key for a TLS end-entity certificate.

Thanks,
Kathleen

Doug Beattie

Apr 13, 2022, 2:00:53 PM
to Kathleen Wilson, dev-secur...@mozilla.org

Hi Kathleen,

Just some minor comments, nit-picks more than anything.

On this page

https://wiki.mozilla.org/CA/Revocation_Reasons#CRLReason_Codes_for_End-Entity_TLS_Certificates

you say that the subscriber can request revocation for reason privilegeWithdrawn, but only a CA can do that.

We go back and forth with subscribers providing a reason and what can/must be in the reasonCode extension. They are slightly different in that a cert can be revoked ONLY for the 6 reasons listed (the 5 you list plus unspecified), but only 5 of those reasons end up being required in the reasonCode extension. I think it’s important to say you can revoke ONLY for these 6 reasons and that you MUST provide the reason code for the 5 you’ve listed. I’d list them in order and also re-order the sections (just a suggestion). Consider something like this:

TLS Certificates may be revoked ONLY for one of the following reasons:

    • unspecified (RFC 5280 CRLReason #0)
    • keyCompromise (RFC 5280 CRLReason #1)
    • affiliationChanged (RFC 5280 CRLReason #3)
    • superseded (RFC 5280 CRLReason #4)
    • cessationOfOperation (RFC 5280 CRLReason #5)
    • privilegeWithdrawn (RFC 5280 CRLReason #9)**

The reasonCode extension must be used when any of the following reasons are used:

    • keyCompromise (RFC 5280 CRLReason #1)
    • affiliationChanged (RFC 5280 CRLReason #3)
    • superseded (RFC 5280 CRLReason #4)
    • cessationOfOperation (RFC 5280 CRLReason #5)
    • privilegeWithdrawn (RFC 5280 CRLReason #9)**

Consider updating section 6.1 to say that the subscriber can revoke for reason #0 Unspecified, when none of the other reasons “make sense”. If you re-order the section numerically by reason code, then this would come first.

  • If none of the other reason codes are selected but the certificate needs to be revoked, then TLS certificates may be revoked with the unspecified reason

Doug


Kathleen Wilson

Apr 13, 2022, 5:11:38 PM
to dev-secur...@mozilla.org, Doug Beattie, Kathleen Wilson
Hi Doug,

Thank you for your feedback, which I have incorporated into the wiki page.

Thanks,
Kathleen


Kathleen Wilson

Apr 14, 2022, 8:28:06 PM
to dev-secur...@mozilla.org
I added a few ways that CAs may confirm possession of the certificate's private key to

I will appreciate feedback on the list.
Also, please let me know if there are other correctly-implemented scripts/tools for doing PoP that should be added to the list.

Thanks,
Kathleen


Corey Bonnell

Apr 18, 2022, 11:16:24 AM
to Kathleen Wilson, dev-secur...@mozilla.org

Hi Kathleen,

The section entitled “OCSP” [1] says:

“Mozilla does not expect there to be CRLReasons in OCSP responses for TLS end-entity certificates.

Section 7.3.2 of the BRs says: The singleExtensions of an OCSP response MUST NOT contain the reasonCode (OID 2.5.29.21) CRL entry extension.”

Is the statement “Mozilla does not expect there to be CRLReasons in OCSP responses for TLS end-entity certificates” stating that Mozilla would prefer that CRLReason not be included in OCSP responses (in the RevokedInfo.revocationReason), or is it reiterating the BR requirement that the revocationReason field MUST be used instead of the reasonCode CRL entry extension to convey the reasonCode?

I think it’s the latter, but I’d like to confirm.

Additionally, I’m not sure of the intent behind the following text in the OCSP section:

“The BRs say the following in relation to certificateHold:

  • Section 7.2.2: the CRLReason MUST NOT be certificateHold
  • Section 7.3 (OCSP Profile): the CRLReason indicated MUST contain a value permitted for CRLs, as specified in Section 7.2.2.”

This seems duplicative of the prohibition on certificateHold in “Banned Revocation Reasons”, so I’m unsure why it is reiterated in the OCSP section.

Thanks,

Corey

[1] https://wiki.mozilla.org/CA/Revocation_Reasons#OCSP
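The two rule sets discussed above (Doug's list of the six permitted CRLReason values, with the reasonCode extension required for the five non-zero ones, and the BR 7.3.2 point Corey raises that an OCSP singleResponse must carry the reason in RevokedInfo.revocationReason rather than as a reasonCode singleExtension) can be checked mechanically. The following is an added example, not code from the wiki page or from any CA's tooling. It assumes the permitted set {0, 1, 3, 4, 5, 9} from the thread, the certificateHold ban from BR 7.2.2, and RFC 5280's own ENUMERATED encoding for the extension value; the `recorded_reason` field, the dataclasses and all sample entries are constructed for illustration.

```python
"""Lint TLS end-entity revocation reason codes in CRL entries and OCSP responses.

Constructed example. Assumes: permitted CRLReason values {0,1,3,4,5,9} with the
reasonCode extension required for the five non-zero ones (Doug's list above);
certificateHold (6) banned (BR 7.2.2); OCSP singleExtensions MUST NOT carry
reasonCode, the reason goes in RevokedInfo.revocationReason (BR 7.3.2).
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

REASON_CODE_OID = "2.5.29.21"  # id-ce-cRLReasons

# RFC 5280 CRLReason enumeration (value 7 is unused in the RFC).
CRL_REASON_NAMES = {
    0: "unspecified", 1: "keyCompromise", 2: "cACompromise",
    3: "affiliationChanged", 4: "superseded", 5: "cessationOfOperation",
    6: "certificateHold", 8: "removeFromCRL", 9: "privilegeWithdrawn",
    10: "aACompromise",
}
PERMITTED_TLS_REASONS = {0, 1, 3, 4, 5, 9}
EXTENSION_REQUIRED_FOR = PERMITTED_TLS_REASONS - {0}


def encode_reason_code(reason: int) -> bytes:
    """DER extnValue of a reasonCode extension: ENUMERATED (tag 0x0A), one content byte."""
    if reason not in CRL_REASON_NAMES:
        raise ValueError(f"unknown CRLReason {reason}")
    return bytes([0x0A, 0x01, reason])


def decode_reason_code(der: bytes) -> int:
    """Inverse of encode_reason_code; rejects anything but a one-byte ENUMERATED."""
    if len(der) != 3 or der[0] != 0x0A or der[1] != 0x01:
        raise ValueError("reasonCode extnValue is not a single-byte DER ENUMERATED")
    return der[2]


def reason_name(reason: int) -> str:
    return CRL_REASON_NAMES.get(reason, f"CRLReason #{reason}")


@dataclass
class CrlEntry:
    serial: str
    recorded_reason: int  # reason the CA recorded internally (constructed field)
    extensions: Dict[str, bytes] = field(default_factory=dict)  # OID -> DER extnValue


@dataclass
class OcspSingleResponse:
    serial: str
    revocation_reason: Optional[int]  # RevokedInfo.revocationReason, None if absent
    single_extensions: Dict[str, bytes] = field(default_factory=dict)


def lint_crl_entry(entry: CrlEntry) -> List[str]:
    """Check one revoked-certificate CRL entry for a TLS end-entity certificate."""
    problems: List[str] = []
    if entry.recorded_reason not in PERMITTED_TLS_REASONS:
        problems.append(f"{entry.serial}: revoked for {reason_name(entry.recorded_reason)}, "
                        "not a permitted reason for TLS certificates")
    raw = entry.extensions.get(REASON_CODE_OID)
    if raw is None:
        if entry.recorded_reason in EXTENSION_REQUIRED_FOR:
            problems.append(f"{entry.serial}: reasonCode extension missing but required "
                            f"for {reason_name(entry.recorded_reason)}")
        return problems
    try:
        published = decode_reason_code(raw)
    except ValueError as exc:
        return problems + [f"{entry.serial}: {exc}"]
    if published == 0:
        # RFC 5280 5.3.1: omit the extension rather than publish unspecified (0).
        problems.append(f"{entry.serial}: reasonCode carries unspecified (0); omit it instead")
    elif published not in PERMITTED_TLS_REASONS:
        problems.append(f"{entry.serial}: published reason {reason_name(published)} not permitted")
    elif published != entry.recorded_reason:
        problems.append(f"{entry.serial}: published {reason_name(published)} differs from "
                        f"recorded {reason_name(entry.recorded_reason)}")
    return problems


def lint_ocsp_single_response(resp: OcspSingleResponse) -> List[str]:
    """Check the revoked status of one OCSP singleResponse against BR 7.3.2 / 7.2.2."""
    problems: List[str] = []
    if REASON_CODE_OID in resp.single_extensions:
        problems.append(f"{resp.serial}: reasonCode singleExtension present; "
                        "the reason belongs in RevokedInfo.revocationReason")
    if resp.revocation_reason is not None and resp.revocation_reason not in PERMITTED_TLS_REASONS:
        problems.append(f"{resp.serial}: revocationReason {reason_name(resp.revocation_reason)} "
                        "is not a value permitted for CRLs")
    return problems


# Constructed sample data, not taken from any real CRL or OCSP responder.
SAMPLE_CRL = [
    CrlEntry("01", 1, {REASON_CODE_OID: encode_reason_code(1)}),  # keyCompromise, published correctly
    CrlEntry("02", 0),                                             # unspecified, extension absent: fine
    CrlEntry("03", 4),                                             # superseded but extension missing
    CrlEntry("04", 6, {REASON_CODE_OID: encode_reason_code(6)}),  # certificateHold: banned
    CrlEntry("05", 5, {REASON_CODE_OID: encode_reason_code(3)}),  # published reason mismatches record
]
SAMPLE_OCSP = [
    OcspSingleResponse("01", 1),
    OcspSingleResponse("06", 9, {REASON_CODE_OID: encode_reason_code(9)}),  # duplicated as extension
]


def lint_all() -> List[str]:
    problems: List[str] = []
    for entry in SAMPLE_CRL:
        problems.extend(lint_crl_entry(entry))
    for resp in SAMPLE_OCSP:
        problems.extend(lint_ocsp_single_response(resp))
    return problems


if __name__ == "__main__":
    for line in lint_all():
        print(line)
```

Run as a script it prints five findings for the constructed sample: the missing extension on entry 03, two for the banned certificateHold on 04, the record/publication mismatch on 05, and the stray reasonCode singleExtension in OCSP response 06. A real deployment would feed `lint_crl_entry` from a parsed CRL and pair the published value with the CA's internal revocation record, which is the comparison the thread says subscribers most often get confused about.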

Kathleen Wilson

Apr 18, 2022, 6:19:32 PM
to dev-secur...@mozilla.org, corey....@digicert.com, Kathleen Wilson
Hi Corey,

I re-wrote https://wiki.mozilla.org/CA/Revocation_Reasons#OCSP so that it specifically answers questions that have been raised about OCSP responses and the new MRSP section 6.1.1, "End-Entity TLS Certificate CRLRevocation Reasons".

Is that better?

Thanks,
Kathleen

Corey Bonnell

Apr 19, 2022, 2:01:42 PM
to Kathleen Wilson, dev-secur...@mozilla.org

Hi Kathleen,

Thanks for making these changes; they look good and add clarity.

Thanks,

Corey
