mozilla / pkipolicy

Documents for Mozilla's PKI policies - certificate root program, etc.

Require CAs to reject keys in certs which are revoked for keyCompromise #95

Open gerv opened 7 years ago

gerv commented 7 years ago

If a CA is asked to revoke a certificate due to key compromise, the CA should refuse a CSR containing the same key.

This came up in the discussion of Hanno Böck's discoveries of private keys sitting on webservers.

This could be a thing to add to the BRs via the CAB Forum or it could be something we could add; I'm filing this here to keep track of the issue.
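The check proposed above, as an added example that is not part of this issue thread, Mozilla's policy documents or any CA's code: a CA keeps a registry of public keys whose certificates were revoked with reason keyCompromise and pre-screens every incoming CSR against it. The example assumes the key is identified by a SHA-256 fingerprint over the DER-encoded SubjectPublicKeyInfo (my choice, not something the thread specifies), includes a minimal DER walker written for this example that locates the SubjectPublicKeyInfo inside a PKCS#10 CertificationRequest, and constructs a test CSR with placeholder key and signature bytes (not a real EC point or a valid signature) so that it runs offline with only the standard library.

```python
"""CSR pre-screening against keys previously revoked for keyCompromise.

Example code written for this discussion; the DER helpers and the test CSR are
constructed here and are not a substitute for a real ASN.1 library. A real CA
would also verify the CSR's proof-of-possession signature before acting on it.
"""
import hashlib
from typing import Set, Tuple

# ---- minimal DER encode/decode helpers (constructed for this example) -------

def _der_len(n: int) -> bytes:
    """DER length octets: short form below 0x80, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(body)) + body

def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, bytes, int]:
    """Parse one TLV at buf[pos]; return (tag, value, raw_tlv, next_pos)."""
    tag, first = buf[pos], buf[pos + 1]
    if first & 0x80 == 0:
        length, hdr = first, 2
    else:
        n = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        hdr = 2 + n
    start, end = pos + hdr, pos + hdr + length
    if end > len(buf):
        raise ValueError("DER length runs past end of buffer")
    return tag, buf[start:end], buf[pos:end], end

# ---- the parts a CA needs ---------------------------------------------------

def extract_spki(csr_der: bytes) -> bytes:
    """Return the raw SubjectPublicKeyInfo TLV from a PKCS#10 CSR.

    CertificationRequest ::= SEQUENCE {
        certificationRequestInfo SEQUENCE { version, subject, spki, [0] attrs },
        signatureAlgorithm, signature }
    """
    tag, cr_body, _, _ = _read_tlv(csr_der, 0)
    if tag != 0x30:
        raise ValueError("CertificationRequest must be a SEQUENCE")
    tag, cri_body, _, _ = _read_tlv(cr_body, 0)
    if tag != 0x30:
        raise ValueError("CertificationRequestInfo must be a SEQUENCE")
    tag, _, _, pos = _read_tlv(cri_body, 0)          # version INTEGER
    if tag != 0x02:
        raise ValueError("expected version INTEGER")
    tag, _, _, pos = _read_tlv(cri_body, pos)        # subject Name SEQUENCE
    if tag != 0x30:
        raise ValueError("expected subject Name SEQUENCE")
    tag, _, spki_raw, _ = _read_tlv(cri_body, pos)   # SubjectPublicKeyInfo
    if tag != 0x30:
        raise ValueError("expected SubjectPublicKeyInfo SEQUENCE")
    return spki_raw

def spki_fingerprint(spki_der: bytes) -> str:
    """Key identity used by the registry: SHA-256 over the SPKI DER (assumption)."""
    return hashlib.sha256(spki_der).hexdigest()

class CompromisedKeyRegistry:
    """Keys seen in certificates revoked with reason keyCompromise."""

    def __init__(self) -> None:
        self._fingerprints: Set[str] = set()

    def record_key_compromise(self, spki_der: bytes) -> None:
        """Call when revoking a certificate for keyCompromise (BR 4.9.1.1 case)."""
        self._fingerprints.add(spki_fingerprint(spki_der))

    def prescreen_csr(self, csr_der: bytes) -> Tuple[bool, str]:
        """Reject any CSR that re-submits a key already recorded as compromised."""
        fp = spki_fingerprint(extract_spki(csr_der))
        if fp in self._fingerprints:
            return False, f"key {fp[:16]}... was previously revoked for keyCompromise"
        return True, "key not on the compromised-key list"

# ---- constructed test CSR (placeholder key and signature, not real crypto) ---

_OID_EC_PUBKEY = bytes.fromhex("2a8648ce3d0201")     # 1.2.840.10045.2.1
_OID_P256 = bytes.fromhex("2a8648ce3d030107")        # 1.2.840.10045.3.1.7
_OID_ECDSA_SHA256 = bytes.fromhex("2a8648ce3d040302")  # 1.2.840.10045.4.3.2

def build_test_csr(coords: bytes) -> bytes:
    """Build a structurally valid PKCS#10 CSR around 64 placeholder point bytes."""
    spki = _tlv(0x30, _tlv(0x30, _tlv(0x06, _OID_EC_PUBKEY) + _tlv(0x06, _OID_P256))
                 + _tlv(0x03, b"\x00\x04" + coords))
    cri = _tlv(0x30, _tlv(0x02, b"\x00") + _tlv(0x30, b"") + spki + _tlv(0xA0, b""))
    sig_alg = _tlv(0x30, _tlv(0x06, _OID_ECDSA_SHA256))
    signature = _tlv(0x03, b"\x00" + b"\x00" * 64)   # placeholder, never verified here
    return _tlv(0x30, cri + sig_alg + signature)

if __name__ == "__main__":
    registry = CompromisedKeyRegistry()
    csr = build_test_csr(b"\x11" * 64)
    print(registry.prescreen_csr(csr))          # accepted: key not yet known
    registry.record_key_compromise(extract_spki(csr))
    print(registry.prescreen_csr(csr))          # rejected: same key resubmitted
```

The registry key is the fingerprint of the whole SubjectPublicKeyInfo, so a resubmission of the same key under a different subject or with a different signature algorithm still matches; if the CA wants to catch the same key re-encoded with a different AlgorithmIdentifier (for example RSA-PSS versus rsaEncryption parameters), it should hash the public key bits rather than the full SPKI.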

BenWilson-Mozilla commented 3 years ago

Currently, CAs are only required under BR 4.9.1.1 to revoke an issued certificate with a compromised key. The MRSP or BRs could be amended to require pre-screening.

CBonnell commented 3 years ago

SC35 already handled this case for server authentication certificates: https://github.com/cabforum/servercert/pull/224/files#diff-e0ac1bd190515a4f2ec09139d395ef6a8c7e9e5b612957c1f5a2dea80c6a6cfeR1473.

Given this, this issue may be redundant, depending on whether or not we want this handled for emailProtection certificates at the Mozilla Policy level as opposed to handling it in the upcoming SMIME BRs.

timfromdigicert commented 3 years ago

s/blacklist/reject/

BenWilson-Mozilla commented 2 years ago

Resolution of this issue could be postponed until the CA/Browser Forum's S/MIME WG adopts this as a requirement. I cannot see a section in the MRSP where this requirement could be cleanly placed, except maybe in section 2.2 or section 5.2.

BenWilson-Mozilla commented 2 years ago

I'm removing the version 2.8 label on this because it will be adequately covered by item 4 in section 6.1.1.3 of the CABF SMIME WG's Baseline requirements. See https://github.com/cabforum/smime/blob/preSBR/SBR.md