[cabfpub] BR clarification re: test certificates

Curt Spann cspann at apple.com
Thu Apr 13 18:19:17 UTC 2017


Hi Gerv,

Comment inline below:
> On Apr 10, 2017, at 8:13 AM, Gervase Markham via Public <public at cabforum.org> wrote:
> 
> Section 2.2 of the BRs says:
> 
> "The CA SHALL host test Web pages that allow Application Software
> Suppliers to test their software with Subscriber Certificates that chain
> up to each publicly trusted Root Certificate. At a minimum, the CA SHALL
> host separate Web pages using Subscriber Certificates that are
> (i) valid,
> (ii) revoked, and
> (iii) expired."
> 
> Mozilla requires these 3 URLs as part of the annual updates to the
> CCADB. We want to make it clear (and have done so on
> https://wiki.mozilla.org/CA:CommonCADatabase#How_To_Provide_Annual_Updates
> ) that we consider this requirement to be more fully specified as:
> 
> * valid   = unexpired and unrevoked
> * revoked = unexpired, and present in either/both of CRL and OCSP
CES: Did you really intended for the ‘either/both’ instead of just ‘both'? I don’t think it would be a good idea to only have a certificate’s revoked status in one form the of the revocation data and not the other.
> * expired = notAfter less than the current day, and unrevoked
> 
> In particular, please make sure your revoked certificate is _un_expired.
> 
> If people think the BRs need updating to clarify this, we could
> draft
> a
> ballot.
> 
> Gerv
> _______________________________________________
> Public mailing list
> Public at cabforum.org
> https://angler.apple.com:443/proxy?url=gxCaAAV5X6eKqFUJxGfIVBNUhqhb82I06KhtC3s6mVaT7CnJeoQYl2Hw0Iz5OpBhU7whHXfQM6QxzlyxfKJd72IhNmeFA102UeUZvEL9%2BSA%3D&rewritten=true&o=https%3A%2F%2Fcabforum.org%2Fmailman%2Flistinfo%2Fpublic

Cheers,
Curt


More information about the Public mailing list