[Cscwg-public] CRL Revocation Date Clarification Pre-Ballot

Corey Bonnell Corey.Bonnell at digicert.com
Mon Sep 20 16:52:08 UTC 2021 

Hello,

As discussed last week, it would be valuable to ensure that there is clarity
regarding how revocation/invalidity dates are encoded in CRLs so that
relying party software can make the correct trust decisions regarding
compromised code. Attached is a small change to 13.2.1 to reflect that the
revocationDate CRL entry field shall be used to denote when a certificate is
invalid. The proposed language allows for the Invalidity Date CRL entry
extension to continue to appear, but the time encoded in it must be the same
as the revocationDate for the entry. I don't believe this causes issues with
Windows CRL processing, please let me know if it does and I'll remove the
provision.

 

For reference, here are the two proposed paragraphs to be added to 13.2.1:

 

If a Code Signing Certificate is revoked, and the CA later becomes aware of
a more appropriate revocation date, then the CA MAY use that revocation date
in subsequent CRL entries and OCSP responses for that Code Signing
Certificate.

 

Effective 2022-02-01, if the CA includes the Invalidity Date CRL entry
extension in a CRL entry for a Code Signing Certificate, then the time
encoded in the Invalidity Date CRL extension SHALL be equal to the time
encoded in the revocationDate field of the CRL entry.

 

Given that the revocation date is potentially security sensitive, I think
it's worthwhile to get this clarified prior to the RFC 3647/Pandoc effort.
In addition to comments/questions on the proposed language, we're looking
for two endorsers.

 

Thanks,

Corey

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/cscwg-public/attachments/20210920/ac045b80/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: RevocationDate Clarification.docx
Type: application/vnd.openxmlformats-officedocument.wordprocessingml.document
Size: 135518 bytes
Desc: not available
URL: <http://lists.cabforum.org/pipermail/cscwg-public/attachments/20210920/ac045b80/attachment-0001.docx>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4990 bytes
Desc: not available
URL: <http://lists.cabforum.org/pipermail/cscwg-public/attachments/20210920/ac045b80/attachment-0001.p7s>

More information about the Cscwg-public mailing list