[Servercert-wg] CRL reason codes and CRL requirements

Doug Beattie doug.beattie at globalsign.com
Thu Apr 25 17:41:23 UTC 2024 

 

We were looking at some of the details in Ballot SC-063 V4: Make OCSP
Optional, Require CRLs, and Incentivize Automation

https://github.com/cabforum/servercert/blob/a0efd83d3818fe5c3df23bf4b32483cc
4e6f133c/docs/BR.md#721-version-numbers

 

We have 2 comments in the area of CRLs and Reason codes:

 

#1: For certificateHold it says:



MUST NOT be included if the CRL entry is for 1) a Certificate subject to
these Requirements, or 2) a Certificate not subject to these Requirements
and was either A) issued on-or-after 2020-09-30 or B) has a notBefore
on-or-after 2020-09-30.

 

We'd like to suggest a change because:

 

1.	Regarding  "2) a Certificate not subject to these Requirements",  If
"these Requirements" means the BRs, how is it that the BRs can place
requirements on non TLS certificates?  Maybe this was an old requirement
related to ICAs that issued both TLS and non-TLS certificates, which isn't a
concern anymore
2.	This also has a back dated requirement given that it places
requirements that were issued prior to this ballot being adopted (for certs
not subject to these Requirements.)

 

We recommend removing #2. It's not urgent so maybe we do this in the next
clean-up.  I opened this issue to track this:

   https://github.com/cabforum/servercert/issues/506

 

 

 

=====================================

#2: This ballot was to make CRLs required, but there isn't a requirement to
included CDP into the TLS certificates.  Is this intentional, or should  we
go through the BR and update to make it clear that for certificates that are
not short lived certificates  CDP is required and AIA is optional?  Perhaps
there was a discussion prior that documented this.

 

For example,
https://github.com/cabforum/servercert/blob/a0efd83d3818fe5c3df23bf4b32483cc
4e6f133c/docs/BR.md#712112-crl-distribution-points says:


The CRL Distribution Points extension MUST be present in:

*         Subordinate CA Certificates; and

*         Subscriber Certificates that 1) do not qualify as "Short-lived
Subscriber Certificates" and 2) do not include an Authority Information
Access extension with an id-ad-ocsp accessMethod.

Which implies you can omit CDP if you have id-ad-ocsp accessMethod.


You could interpret these sections as including the CDP is optional.  

 
https://github.com/cabforum/servercert/blob/a0efd83d3818fe5c3df23bf4b32483cc
4e6f133c/docs/BR.md#712112-crl-distribution-points

 

https://github.com/cabforum/servercert/blob/a0efd83d3818fe5c3df23bf4b32483cc
4e6f133c/docs/BR.md#71276-subscriber-certificate-extensions

 

If the intent of the ballot is to ensure that every TLS CA has a CRL, but
CDP is not required, then we should make that more clear in various places.
Issue created:

   https://github.com/cabforum/servercert/issues/505

 

Regards,

 

Doug

 

 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/servercert-wg/attachments/20240425/be7df0c8/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 8445 bytes
Desc: not available
URL: <http://lists.cabforum.org/pipermail/servercert-wg/attachments/20240425/be7df0c8/attachment-0001.p7s>

More information about the Servercert-wg mailing list