→Revocation: tweaks based on serial number entropy issue
This means that, in most cases of misissuance, the CA has an obligation under the BRs to revoke the certificates concerned within 5 days.
Mozilla recognizes that in some exceptional circumstances, revoking misissued certificates within the prescribed deadline may cause significant harm, such as when the certificate is used in critical infrastructure and cannot be safely replaced prior to the revocation deadline, or when a defect affects a massive number of Subscribers and certificates. However, Mozilla does not grant exceptions to the BR revocation requirements. It is our position that your CA is ultimately responsible for deciding if the harm caused by following the requirements of BR section 4.9.1.1 outweighs the risks that choosing not to meet this requirement passes on to individuals who rely on the web PKI.
If your CA will not be revoking the certificates within the time period required by the BRs, our expectations are that:
* The decision and rationale for delaying revocation will be disclosed to Mozilla in the form of a preliminary incident report immediately; preferably before the BR mandated revocation deadline. The rationale must include an explanation for why the situation is exceptional. Responses similar to “we deem this misissuance not to be a security risk” are generally not acceptable, and must be discussed on the mozilla.dev.security.policy list. When revocation is delayed at the request of specific Subscribers, the rationale should be provided on a per-Subscriber basis.
* Any decision to not comply with the timeline specified in the Baseline Requirements must also be accompanied by a clear timeline describing if and when the problematic certificates will be revoked, and supported by the rationale to delay revocation.
* The issue will need to be listed as a finding in your CA’s next BR audit statement.
* Your CA will work with your auditor (and supervisory body, as appropriate) and the Root Store(s) that your CA participates in to ensure your analysis of the risk and plan of remediation is acceptable.