<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
Hi Corey,<br>
<br>
If the CA already knows that the Subscriber Private Key was
compromised and malicious code was signed at a certain date in the
past, we should allow the CRL to contain that agreed revocation date
without requiring a first CRL and then a "subsequent" CRL entry.<br>
<br>
<br>
Thanks,<br>
Dimitris.<br>
<br>
<div class="moz-cite-prefix">On 20/9/2021 7:52 p.m., Corey Bonnell
via Cscwg-public wrote:<br>
</div>
<blockquote type="cite"
cite="mid:0100017c041f6fde-3fff9dff-95ed-4c67-9b37-df5baa94f3ac-000000@email.amazonses.com">
<div class="WordSection1">
<p class="MsoNormal">Hello,</p>
<p class="MsoNormal">As discussed last week, it would be
valuable to ensure that there is clarity regarding how
revocation/invalidity dates are encoded in CRLs so that
relying party software can make the correct trust decisions
regarding compromised code. Attached is a small change to
13.2.1 to reflect that the revocationDate CRL entry field
shall be used to denote when a certificate is invalid. The
proposed language allows for the Invalidity Date CRL entry
extension to continue to appear, but the time encoded in it
must be the same as the revocationDate for the entry. I don’t
believe this causes issues with Windows CRL processing, please
let me know if it does and I’ll remove the provision.</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">For reference, here are the two proposed
paragraphs to be added to 13.2.1:</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal"><span
style="font-size:10.0pt;font-family:"Courier New"">If
a Code Signing Certificate is revoked, and the CA later
becomes aware of a more appropriate revocation date, then
the CA MAY use that revocation date in subsequent CRL
entries and OCSP responses for that Code Signing
Certificate.</span></p>
<p class="MsoNormal"> </p>
<p class="MsoNormal"><span
style="font-size:10.0pt;font-family:"Courier New"">Effective
2022-02-01, if the CA includes the Invalidity Date CRL entry
extension in a CRL entry for a Code Signing Certificate,
then the time encoded in the Invalidity Date CRL extension
SHALL be equal to the time encoded in the revocationDate
field of the CRL entry.</span></p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">Given that the revocation date is
potentially security sensitive, I think it’s worthwhile to get
this clarified prior to the RFC 3647/Pandoc effort. In
addition to comments/questions on the proposed language, we’re
looking for two endorsers.</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">Thanks,</p>
<p class="MsoNormal">Corey</p>
</div>
<br>
<pre class="moz-quote-pre" wrap="">_______________________________________________
Cscwg-public mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Cscwg-public@cabforum.org">Cscwg-public@cabforum.org</a>
<a class="moz-txt-link-freetext" href="https://lists.cabforum.org/mailman/listinfo/cscwg-public">https://lists.cabforum.org/mailman/listinfo/cscwg-public</a>
</pre>
</blockquote>
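<p>What the two proposed 13.2.1 paragraphs mean for a relying party, worked through as an added Python example that is not part of this thread, of the CSCWG Baseline Requirements, or of any CA's software. The CrlEntry/Crl model, the function names and every date and serial below are assumptions constructed for illustration; a production check would take these fields from a parsed CRL rather than from literals.</p>

```python
"""Consistency check and trust decision for CRL revocation/invalidity dates."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional, Tuple

UTC = timezone.utc

# Effective date in the proposed 13.2.1 text: from here on, an Invalidity
# Date CRL entry extension, if present, must equal the entry's revocationDate.
RULE_EFFECTIVE = datetime(2022, 2, 1, tzinfo=UTC)


@dataclass(frozen=True)
class CrlEntry:
    """One revokedCertificates element of a CRL (RFC 5280 section 5.1.2.6):
    the serial, the revocationDate field and, optionally, the time carried
    in the Invalidity Date entry extension (section 5.3.2)."""
    serial: int
    revocation_date: datetime
    invalidity_date: Optional[datetime] = None


@dataclass(frozen=True)
class Crl:
    """The parts of a CRL this example needs: thisUpdate and the entries."""
    this_update: datetime
    entries: Tuple[CrlEntry, ...]


def check_invalidity_dates(crl: Crl) -> List[int]:
    """Return the serials of entries that violate the proposed rule.

    Only CRLs issued on or after RULE_EFFECTIVE are checked; for them an
    entry is non-compliant when it carries an Invalidity Date extension
    whose time differs from its revocationDate field."""
    if crl.this_update < RULE_EFFECTIVE:
        return []
    return [
        e.serial
        for e in crl.entries
        if e.invalidity_date is not None and e.invalidity_date != e.revocation_date
    ]


def find_entry(crl: Crl, serial: int) -> Optional[CrlEntry]:
    return next((e for e in crl.entries if e.serial == serial), None)


def signature_trusted(crl: Crl, serial: int, signing_time: datetime) -> bool:
    """Relying-party decision under the proposal: revocationDate alone marks
    when the certificate became invalid, so a (time-stamped) signature made
    strictly before it is still acceptable and anything at or after it is
    not. A serial absent from the CRL is not revoked."""
    entry = find_entry(crl, serial)
    if entry is None:
        return True
    return signing_time < entry.revocation_date


# --- Constructed sample data (hypothetical, not from any real CA) ----------
SERIAL = 0x1234
SIGNED_AT = datetime(2022, 2, 10, 12, 0, tzinfo=UTC)

# First CRL: the CA revokes on the day it learns of the problem, with a
# matching Invalidity Date extension.
FIRST_CRL = Crl(
    this_update=datetime(2022, 3, 1, tzinfo=UTC),
    entries=(CrlEntry(SERIAL, datetime(2022, 2, 20, tzinfo=UTC),
                      datetime(2022, 2, 20, tzinfo=UTC)),),
)

# Subsequent CRL: the CA has since established that the key was compromised
# earlier, so the entry now carries that earlier date (the "more appropriate
# revocation date" of the first proposed paragraph). A CA that already knows
# the agreed date when it first revokes would simply issue this entry directly.
SUBSEQUENT_CRL = Crl(
    this_update=datetime(2022, 3, 8, tzinfo=UTC),
    entries=(CrlEntry(SERIAL, datetime(2022, 2, 5, tzinfo=UTC),
                      datetime(2022, 2, 5, tzinfo=UTC)),),
)

# Non-compliant CRL: the Invalidity Date disagrees with revocationDate.
MISMATCHED_CRL = Crl(
    this_update=datetime(2022, 3, 8, tzinfo=UTC),
    entries=(CrlEntry(SERIAL, datetime(2022, 2, 20, tzinfo=UTC),
                      datetime(2022, 2, 5, tzinfo=UTC)),),
)

# The same mismatch on a CRL issued before the effective date is not flagged.
PRE_RULE_CRL = Crl(this_update=datetime(2021, 12, 1, tzinfo=UTC),
                   entries=MISMATCHED_CRL.entries)

if __name__ == "__main__":
    for name, crl in [("first", FIRST_CRL), ("subsequent", SUBSEQUENT_CRL),
                      ("mismatched", MISMATCHED_CRL), ("pre-rule", PRE_RULE_CRL)]:
        print(name, "violations:", check_invalidity_dates(crl),
              "signature trusted:", signature_trusted(crl, SERIAL, SIGNED_AT))
```

<p>The sample signature made on 2022-02-10 is accepted against the first CRL and rejected once the subsequent CRL moves revocationDate back to 2022-02-05, which is the effect the proposal is after: a relying party only has to read revocationDate, and a CA that publishes a mismatched Invalidity Date is caught by the consistency check.</p>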
<br>
</body>
</html>