[cabfpub] BR clarification re: test certificates
Gervase Markham
gerv at mozilla.org
Mon Apr 10 15:13:13 UTC 2017
Section 2.2 of the BRs says:
"The CA SHALL host test Web pages that allow Application Software
Suppliers to test their software with Subscriber Certificates that chain
up to each publicly trusted Root Certificate. At a minimum, the CA SHALL
host separate Web pages using Subscriber Certificates that are
(i) valid,
(ii) revoked, and
(iii) expired."
Mozilla requires these 3 URLs as part of the annual updates to the
CCADB. We want to make it clear (and have done so on
https://wiki.mozilla.org/CA:CommonCADatabase#How_To_Provide_Annual_Updates
) that we consider this requirement to be more fully specified as:
* valid = unexpired and unrevoked
* revoked = unexpired, and present in either/both of CRL and OCSP
* expired = notAfter less than the current day, and unrevoked
In particular, please make sure your revoked certificate is _un_expired.
If people think the BRs need updating to clarify this, we could draft a
ballot.
Gerv
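
An added example, not part of the original message: a check that classifies each of the three test certificates using the definitions above and reports any that land in the wrong category, including a certificate that is both expired and revoked and therefore fits none. The names (`CertState`, `classify`, `check_test_pages`) and the sample data are constructed, and it assumes the caller has already read notAfter and looked up CRL and OCSP status; notBefore is not considered.

```python
from dataclasses import dataclass
from datetime import date, datetime, timezone
from typing import Optional

@dataclass
class CertState:
    """Observed state of one test page's certificate (hypothetical structure)."""
    not_after: datetime   # certificate notAfter, in UTC
    in_crl: bool          # serial number is listed on the issuer's CRL
    ocsp_revoked: bool    # OCSP responder answers "revoked"

def classify(state: CertState, today: date) -> Optional[str]:
    """Return 'valid', 'revoked', 'expired', or None if no category applies."""
    expired = state.not_after.date() < today       # "notAfter less than the current day"
    revoked = state.in_crl or state.ocsp_revoked   # "either/both of CRL and OCSP"
    if not expired and not revoked:
        return "valid"
    if not expired and revoked:
        return "revoked"
    if expired and not revoked:
        return "expired"
    return None  # expired and revoked: satisfies none of the three definitions

def check_test_pages(pages: dict, today: date) -> list:
    """pages maps the category a URL was submitted under to its CertState."""
    problems = []
    for expected in ("valid", "revoked", "expired"):
        if expected not in pages:
            problems.append(f"{expected}: no test page supplied")
            continue
        actual = classify(pages[expected], today)
        if actual != expected:
            got = actual or "expired and revoked (fits no category)"
            problems.append(f"{expected}: certificate is actually {got}")
    return problems

# Constructed sample: the "revoked" page serves a certificate that has also expired.
UTC = timezone.utc
TODAY = date(2017, 4, 10)
SAMPLE_PAGES = {
    "valid":   CertState(datetime(2018, 3, 1, tzinfo=UTC), False, False),
    "revoked": CertState(datetime(2017, 1, 1, tzinfo=UTC), True, True),
    "expired": CertState(datetime(2016, 12, 31, tzinfo=UTC), False, False),
}

if __name__ == "__main__":
    for line in check_test_pages(SAMPLE_PAGES, TODAY) or ["all three test pages OK"]:
        print(line)
```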