[cabfpub] Revocation Information

Ryan Sleevi sleevi at google.com
Thu Sep 25 11:24:17 UTC 2014

On Sep 25, 2014 2:20 AM, "Erwann Abalea" <erwann.abalea at opentrust.com>
> Bonjour Ryan,
> Le 23/09/2014 19:04, Ryan Sleevi a écrit :
>> Isn't there two aspects at play here? The first is the CRL for the
technically constrained subCA. Since that subCA has to be disclosed to Moz
(as part of the Moz program + Audit requirements), revoking that subCA
'should' also be a public act and uncontroversially so.
> Extract from Mozilla inclusion policy:
> All certificates that are capable of being used to issue new
certificates, and which directly or transitively chain to a certificate
included in Mozilla’s CA Certificate Program, MUST be operated in
accordance with Mozilla’s CA Certificate Policy and MUST either
be technically constrained or be publicly disclosed and audited.
> Pretty clear.
> CABForum BR only requires a regular quality assessment for technically
constrained subordinate CAs, performed by the issuing CA. No disclosure of
the CA is required.

You misunderstood.

The issuing CA of the first constrained CA is public, ergo its CRL is
public, and revoking the constrained CA (ICA1) is, transitively, public.
That's because the issuing/root CA must make its revocation information
available in a 24x7 repository.

However, all certificates - including those in scope of Gerv's OneCRL plan
(ICA2, ICA3) - issued from this contained CA are not guaranteed to be
public, nor are their CRLs.

Put differently, it does not seem OneCRL has a mechanism to handle
revocation for the certs issued by ICA2 (it relies on OCSP Stapling to
handle those issued by ICA3).

I think we are in agreement of the facts, but I was highlighting for Gerv
that, combined with his question, there is a gap of coverage for ICA2.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20140925/dd101629/attachment-0003.html>

More information about the Public mailing list