[Servercert-wg] Ballot SC31 Browser Alignment - CRL and OCSP profiles

Corey Bonnell CBonnell at securetrust.com
Thu Jun 25 09:12:38 MST 2020

In giving another pass on the SC31 ballot text, I have the following questions/comments:


From 7.2.2 (https://github.com/cabforum/documents/pull/195/files#diff-7f6d14a20e7f3beb696b45e1bf8196f2R1986):

> The `CRLReason` indicated MUST NOT be unspecified (0), MUST NOT be certificateHold (6), and MUST indicate the most appropriate reason for revocation of the certificate.


1. Does this requirement apply to end-entity certificate CRL entries? The formatting makes it appear that it does, but the Root Program requirement from which this is derived is only for CA certificates.

2. Given that the semantics of the X.509 reasonCodes are not well defined [1], do Root Programs have guidance on what each allowed reasonCode means and when it is most appropriate to use? Absent this, I think the “MUST” requirement should be relaxed to a “SHOULD” (or eliminated entirely) until there are commonly agreed-upon semantics for the allowed set of reasonCodes.


From 7.3 (https://github.com/cabforum/documents/pull/195/files#diff-7f6d14a20e7f3beb696b45e1bf8196f2R1998):

> The `CRLReason` used SHALL contain a value permitted for CRLs, as specified in Section 7.2.2.


Similar to question #1 above, does this apply to OCSP responses for end-entity certificates?





[1] https://github.com/mozilla/pkipolicy/issues/208
