Section 6 ("Revocation") of Mozilla's Root Store Policy states:
CAs MUST revoke Certificates that they have issued upon the occurrence of
> any event listed in the appropriate subsection of section 4.9.1 of the
> Baseline Requirements, according to the timeline defined therein.
>
Because the BRs don't apply to intermediate and end-entity certificates
that are constrained to S/MIME, it's not clear if our policy requires that
those certificates follow the BR revocation requirements or not.
The discussion [1] that led to the current language makes it clear that the
intent is for the revocation requirement to apply to S/MIME certificates.
I propose adding the following statement to clarify the scope of this
section:
This requirement applies to certificates that are not otherwise required to
> comply with the BRs.
This is https://github.com/mozilla/pkipolicy/issues/166 and
https://github.com/mozilla/pkipolicy/issues/167
I will appreciate everyone's input on this proposal.
- Wayne
[1]
https://groups.google.com/d/msg/mozilla.dev.security.policy/eAy0lxgFHR8/g6Jddy40EAAJ
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
