On Mon, Mar 16, 2026 at 6:43 AM Yuwei HAN (hanyuwei70) <[email protected]> wrote:
> In BR 4.9, there seems no explicit requirement for sub CA to support
> revocation request. Should we be more clear about this? (e.g. require all
> chain of trust CAs should process revocation request).

The BRs Section 4.9.3 say "The CA SHALL provide a process for Subscribers to request revocation of their own Certificates. The process MUST be described in the CA's Certificate Policy or Certification Practice Statement. The CA SHALL maintain a continuous 24x7 ability to accept and respond to revocation requests and Certificate Problem Reports." This remains true no matter how many Subordinate CAs sit between the Subscriber Certificate and the Root Certificate; the requirement applies to all Subscriber Certificates.

Sectigo's Certificate Problem Reporting mechanisms can be found by locating their CPS (https://www.sectigo.com/cps-repository), seeing that their Section 4.9.3 points at their Section 1.5.2.1, and selecting any of the three methods (revocation portal, ACME endpoint, or email) listed there.

Aaron
