[Servercert-wg] Ballot SC31 Browser Alignment - CRL and OCSP profiles
Ryan Sleevi
sleevi at google.com
Mon Jun 29 07:20:53 MST 2020
On Mon, Jun 29, 2020 at 9:25 AM Corey Bonnell <CBonnell at securetrust.com>
wrote:
> > For example, if a CP/CPS said "The Subscriber may request, in writing or
> via programmatic means, for the CA to revoke the certificate. In such
> cases, the revocationReason SHALL be cessationOfOperation, unless the
> Subscriber provides a more specific revocation reason.", that would meet
> the above, right?
>
>
>
> Actually, I’d think that such an attempt by a CA to comply with the
> requirement by default specifying “cessationOfOperation” unless informed
> otherwise by the Subscriber would be several steps back in terms of the
> stated goals:
>
> 1. cessationOfOperation would become the new “unspecified”, except
> that cessationOfOperation is actively misleading as it excludes the
> possibility that revocation was due to keyCompromise. I’d think that having
> a default of “no reason”/unspecified is less misleading/confusing, as it
> does not exclude the possibility that the reason for revocation was
> keyCompromise.
>
> I'm not really sure I understand this objection. Can you elaborate? I fail
to see how it precludes the case of keyCompromise, for example?
>
> 1.
> 2. The reasonCode of “cessationOfOperation” will be encoded in
> CRL/OCSP responses by default, thus no reduction of the number of bytes on
> the wire will be realized in the common case.
>
> If that's a meaningful status - i.e. it provides a way for relying
parties to distingush - that doesn't seem a step back. Even omitting for
clearly specified reasons seems more useful than the status quo.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/servercert-wg/attachments/20200629/3bdfe69a/attachment-0001.html>
More information about the Servercert-wg
mailing list