[Cscwg-public] CRL Revocation Date Clarification Pre-Ballot
Dimitris Zacharopoulos (HARICA)
dzacharo at harica.gr
Tue Sep 21 06:01:05 UTC 2021
If the CA already knows that the Subscriber Private Key was compromised
and malicious code was signed at a certain date in the past, we should
allow the CRL to contain that agreed revocation date without requiring a
first CRL and then a "subsequent" CRL entry.
On 20/9/2021 7:52 PM, Corey Bonnell via Cscwg-public wrote:
> As discussed last week, it would be valuable to ensure that there is
> clarity regarding how revocation/invalidity dates are encoded in CRLs
> so that relying party software can make the correct trust decisions
> regarding compromised code. Attached is a small change to 13.2.1 to
> reflect that the revocationDate CRL entry field shall be used to
> denote when a certificate is invalid. The proposed language allows for
> the Invalidity Date CRL entry extension to continue to appear, but the
> time encoded in it must be the same as the revocationDate for the
> entry. I don’t believe this causes issues with Windows CRL processing,
> please let me know if it does and I’ll remove the provision.
> For reference, here are the two proposed paragraphs to be added to 13.2.1:
> If a Code Signing Certificate is revoked, and the CA later becomes
> aware of a more appropriate revocation date, then the CA MAY use that
> revocation date in subsequent CRL entries and OCSP responses for that
> Code Signing Certificate.
> Effective 2022-02-01, if the CA includes the Invalidity Date CRL entry
> extension in a CRL entry for a Code Signing Certificate, then the time
> encoded in the Invalidity Date CRL extension SHALL be equal to the
> time encoded in the revocationDate field of the CRL entry.
> Given that the revocation date is potentially security sensitive, I
> think it’s worthwhile to get this clarified prior to the RFC
> 3647/Pandoc effort. In addition to comments/questions on the proposed
> language, we’re looking for two endorsers.
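The proposed 13.2.1 rule quoted above, as an added worked check that is not from this thread or from the CSCWG: a minimal DER encoder/decoder for a single RFC 5280 revokedCertificates entry, which builds constructed sample entries and verifies that an Invalidity Date extension (2.5.29.24), where present, equals revocationDate. The serial numbers and dates are constructed, and the code assumes 'Z'-suffixed times handled as naive UTC datetimes.

```python
import datetime as dt

ID_CE_INVALIDITY_DATE = bytes.fromhex("551d18")  # id-ce-invalidityDate, OID 2.5.29.24

def tlv(tag, body):  # DER TLV; short-form length is enough for the sample entries built here
    assert len(body) < 128
    return bytes([tag, len(body)]) + body
def read_tlv(buf, pos=0):  # -> (tag, body, position after this TLV); handles long-form lengths
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length
def encode_entry(serial, revocation_date, invalidity_date=None):
    # one revokedCertificates element (RFC 5280, 5.1.2.6); all times are naive UTC
    body = tlv(0x02, serial.to_bytes((serial.bit_length() + 8) // 8, "big"))
    body += tlv(0x17, revocation_date.strftime("%y%m%d%H%M%SZ").encode())  # UTCTime
    if invalidity_date is not None:  # GeneralizedTime wrapped in the extnValue OCTET STRING
        val = tlv(0x18, invalidity_date.strftime("%Y%m%d%H%M%SZ").encode())
        ext = tlv(0x30, tlv(0x06, ID_CE_INVALIDITY_DATE) + tlv(0x04, val))
        body += tlv(0x30, ext)
    return tlv(0x30, body)
def parse_time(tag, body):  # UTCTime (0x17) or GeneralizedTime (0x18), 'Z' suffix only
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return dt.datetime.strptime(body.decode(), fmt)
def check_entry(der):
    # -> (serial, revocationDate, invalidityDate or None, compliant with the proposed rule)
    _, body, _ = read_tlv(der)
    _, serial_b, pos = read_tlv(body)
    t, time_b, pos = read_tlv(body, pos)
    revocation_date, invalidity_date = parse_time(t, time_b), None
    if pos < len(body):  # crlEntryExtensions present
        _, exts, _ = read_tlv(body, pos)
        p = 0
        while p < len(exts):
            _, ext, p = read_tlv(exts, p)
            _, oid, q = read_tlv(ext)
            t, val, q = read_tlv(ext, q)
            if t == 0x01:  # skip the optional 'critical' BOOLEAN
                t, val, q = read_tlv(ext, q)
            if oid == ID_CE_INVALIDITY_DATE:
                invalidity_date = parse_time(*read_tlv(val)[:2])
    compliant = invalidity_date is None or invalidity_date == revocation_date
    return int.from_bytes(serial_b, "big"), revocation_date, invalidity_date, compliant

# constructed sample: the CA revoked on 2021-09-20 but later learned the key was
# compromised on 2021-09-01 and only backdated the Invalidity Date extension
COMPROMISED = dt.datetime(2021, 9, 1, 12, 0, 0)
NONCOMPLIANT = encode_entry(0x1234, dt.datetime(2021, 9, 20, 16, 52, 0), COMPROMISED)
COMPLIANT = encode_entry(0x1234, COMPROMISED, COMPROMISED)  # revocationDate moved back too
```

Under the proposed text, the COMPLIANT entry is what the "subsequent" CRL would carry once the CA adopts the earlier date; the NONCOMPLIANT one is exactly the shape the rule forbids after 2022-02-01.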