Require CAs to reject keys in certs which are revoked for keyCompromise #95
Comments
|
Currently, CAs are only required under BR 4.9.1.1 to revoke an issued certificate with a compromised key. The MRSP or BRs could be amended to require pre-screening. |
|
SC35 already handled this case for server authentication certificates: https://github.com/cabforum/servercert/pull/224/files#diff-e0ac1bd190515a4f2ec09139d395ef6a8c7e9e5b612957c1f5a2dea80c6a6cfeR1473. Given this, this issue may be redundant, depending on whether or we want this handled for emailProtection certificates at the Mozilla Policy-level as opposed to handling in the upcoming SMIME BRs. |
|
s/blacklist/reject/ |
BenWilson-Mozilla
changed the title
|
Resolution of this issue could be postponed until the CA/Browser Forum's S/MIME WG adopts this as a requirement. I cannot see a section in the MRSP where this requirement could be cleanly placed, except maybe in section 2.2 or section 5.2. |
|
I'm removing the version 2.8 label on this because it will be adequately covered by item 4 in section 6.1.1.3 of the CABF SMIME WG's Baseline requirements. See https://github.com/cabforum/smime/blob/preSBR/SBR.md |
If a CA is asked to revoke a certificate due to key compromise, the CA should refuse a CSR containing the same key.
This came up in the discussion of Hanno Bock's discoveries of private keys sitting on webservers.
This could be a thing to add to the BRs via the CAB Forum or it could be something we could add; I'm filing this here to keep track of the issue.
The text was updated successfully, but these errors were encountered: