Before answering your questions, I think it's important to remember that
this only applies to SSL certificates. There are valid reasons to suspend a
client certificate.
BR 13.2.7, Certificate Suspension, says: "The Repository MUST NOT include
entries that indicate that a Certificate is suspended."
1) Does that mean that CAs cannot put CRL reason code certificateHold (as
per RFC5280) in their CRLs?
- They can. However, because of the way clients handle CRLS (including the
caching of CRLs) and the fact that disappearing CRL entries is a sign of
probable malicious behavior, CAs cannot remove the CRL entry once
established. This is the reason suspension doesn't work. In fact, this is
already a requirement under the version of the BRs previously adopted by
Mozilla (Section 13.2.4).
2) What problem does this Baseline Requirement solve?
- The problem is that most clients don't process delta CRLs. Once something
appears on a CRL, it can't effectively be removed. Also, the watching CRLs
helps detect compromised CAs since changing CRLs are an indication of
something going wrong with the CA. Besides, with the short issuance times
of today's certificates, a CA can reissue a certificate more effectively
than suspending and un-suspending an existing certificate.
3) Does it really matter if the browsers don't do anything with the
certificateHold reason code?
- No, but the reason code is not a problem for the CA. Many CAs don't
include any reason code in the CRL for their listings. The big problem that
was discussed in the Forum is the way CRLs are processed and cached.
4) What is the expectation of when/how CAs must become compliant with this
new BR?
- All CAs should already be compliant since Section 13.2.4 accomplishes
effectively the same thing. Section 13.2.4 because part of the SSL WebTrust
audit in January. The section should be part of ETSI soon, if not already.
5) What if a CA does not see the value of becoming compliant with this BR
because their use of this reason code is compliant with RFC5280? (For this
question, assume that the CA is compliant with all of the other BRs
-- will that impact internet users in any way?)
- The impact will be that you'll have many confused users. Some browsers
will list the certificate as revoked when the suspension ends. Others
won't. There is also the risk that some browsers treat certificateHold as
non-revoked. Since the CA doesn't have to change the certificate status
later, the certificate may never be revoked if the actual reason becomes key
compromise.
6) I completely missed the CAB Forum's discussion of the addition of this
BR. When I searched for it, I found that it was bunched together with a few
other changes. When should changes to the BRs be grouped together? If the
addition of a new BR is not important enough to stand on its own, then
should it really be added?
- There were several discussions on this topic. I can send them to you
separately, although I've highlighted the discussion above. The primary
issues that led to a prohibition on revocation were the lack of support for
suspension, the fact that re-issuance is a better process that avoids
browser issues, the fact that a CA with changing entries is a warning about
problems with the CA, and the burden on researchers trying to track this
type of information. The topics in revocation were grouped together in a
single ballot for convenience. We discussed them separately in meetings and
on the list but consolidated for the ballot.
As per Gerv's earlier request, here is text from one CA's CPS (translated
into English):
"Suspension is the process of making a certificate to make it invalid
temporarily.
Revocation is the process of making a certificate to be invalid
permanently."
....
"Suspension can be described as placing a certificate on hold for a brief
period. This is useful for investigation to be carried out as to the
validity of the certificate when required. A Certificate is suspended when:
- Verification as to whether the certificate has been issued containing
wrong or falsified information is in progress
- Soft copy of Revocation request signed by SA/RA is awaited
- Subscriber requests for suspension"
- Doesn't really work that way. When you place a cert on a CRL, it becomes,
more or less, permanently invalid. The biggest problem with suspension is
it uses the same mechanism as revocation, making distinguishing between the
two difficult.